[apparmor] [PATCH 18/36] apparmor: add basic support for implicit labeling of files

Seth Arnold seth.arnold at canonical.com
Wed May 15 02:48:15 UTC 2013


On Wed, May 01, 2013 at 02:31:03PM -0700, John Johansen wrote:
> The labeling of files is implied by the set of rules and profiles.
> Add the ability to set implicit labels on files to reduce the number
> of path and rule lookups that are needed.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

(Note to future Seth: You've reviewed 45%.)

> +config SECURITY_APPARMOR_STATS
> +	bool "enable debug statitics"

'statitics' -- the measure of tics :)

> +/* struct aa_labelset - set of labels for a namespace
> + *
> + * Labels within the label set do not have a ref count and only exist
> + * within the set as long a refcount is held.  Once a labels last
> + * refcount is put it is removed from the set.
> + */

I think this comment isn't quite right, or at least is confusing. Does
this sound like a fair replacement?

Labels are reference counted; aa_labelset does not contribute to label
reference counts. Once a label's last refcount is put it is removed from
the set.

> +struct aa_labelset {
> +	rwlock_t lock;
> +
> +	struct rb_root root;
> +
> +	/* stats */
> +#ifdef APPARMOR_LABEL_STATS
> +	struct labelset_stats stats;
> +#endif
> +
> +};
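Review bot: the stats field in this hunk is guarded by `#ifdef APPARMOR_LABEL_STATS`, but the Kconfig symbol introduced earlier in the same patch is `SECURITY_APPARMOR_STATS`, which the build exposes as `CONFIG_SECURITY_APPARMOR_STATS`; unless some header derives `APPARMOR_LABEL_STATS` from that option, `struct labelset_stats stats;` is never compiled in and the new Kconfig toggle does nothing. Suggest guarding with `#ifdef CONFIG_SECURITY_APPARMOR_STATS` directly, or pointing at where the alias is defined. The stray blank line before `};` can also go.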

>  /* struct aa_profile - basic confinement data
>   * @base - base components of the profile (name, refcount, lists, lock ...)
> - * @count: reference count of the obj
> - * @rcu: rcu head used when removing from @list
>   * @parent: parent of profile
>   * @ns: namespace the profile is in
>   * @replacedby: is set to the profile that replaced this profile
> @@ -169,7 +155,6 @@ struct aa_replacedby {
>   * @xmatch_len: xmatch prefix len, used to determine xmatch priority
>   * @audit: the auditing mode of the profile
>   * @mode: the enforcement mode of the profile
> - * @flags: flags controlling profile behavior
>   * @path_flags: flags controlling path generation behavior
>   * @size: the memory consumed by this profiles rules
>   * @policy: general match rules governing policy
> @@ -196,6 +181,7 @@ struct aa_replacedby {
>   */
>  struct aa_profile {
>  	struct aa_policy base;
> +	struct aa_label label;
>  	struct kref count;
>  	struct rcu_head rcu;
>  	struct aa_profile __rcu *parent;
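Review bot: `struct aa_label label;` is embedded by value right next to the profile's own `struct kref count;`, yet the member list above gains no `@label:` entry. Since the aa_labelset comment says a label is removed from the set once its last refcount is put, the new doc line should state which refcount governs that for an embedded label (the profile's @count or a count inside the label), so a reader can tell what keeps the profile reachable through its label.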
> @@ -209,7 +195,6 @@ struct aa_profile {
>  	int xmatch_len;
>  	enum audit_mode audit;
>  	long mode;
> -	long flags;
>  	u32 path_flags;
>  	int size;
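Review bot: this hunk drops `long flags;` (its `@flags` doc line went in the hunk above), which is a change unrelated to implicit file labeling and not mentioned in the commit message; either describe it there or split it into its own patch, and confirm every former reader of profile->flags has been moved, as the surviving `u32 path_flags` is easy to confuse with it.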

label was added to the struct, but not the docs... count and rcu were
removed from the docs, but not the struct.


The rest will have to wait :)

Thanks