[apparmor] [PATCH 18/36] apparmor: add basic support for implicit labeling of files

John Johansen john.johansen at canonical.com
Thu May 16 05:12:59 UTC 2013 

On 05/14/2013 07:48 PM, Seth Arnold wrote:
> On Wed, May 01, 2013 at 02:31:03PM -0700, John Johansen wrote:
>> The labeling of files is implied by the set of rules and profiles.
>> Add the ability to set implicit labels on files to reduce the number
>> of path and rule lookups that are needed.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
> 
> (Note to future Seth: You've reviewed 45%.)
> 
>> +config SECURITY_APPARMOR_STATS
>> +	bool "enable debug statitics"
> 
> 'statitics' -- the measure of tics :)
> 
>> +/* struct aa_labelset - set of labels for a namespace
>> + *
>> + * Labels within the label set do not have a ref count and only exist
>> + * within the set as long a refcount is held.  Once a labels last
>> + * refcount is put it is removed from the set.
>> + */
> 
> I think this comment isn't quite right, or at least is confusing. Does
> this sound like a fair replacement?
> 
> Labels are reference counted; aa_labelset does not contribute to label
> reference counts. Once a label's last refcount is put it is removed from
> the set.
> 

yep thanks

>> +struct aa_labelset {
>> +	rwlock_t lock;
>> +
>> +	struct rb_root root;
>> +
>> +	/* stats */
>> +#ifdef APPARMOR_LABEL_STATS
>> +	struct labelset_stats stats;
>> +#endif
>> +
>> +};
> 
>>  /* struct aa_profile - basic confinement data
>>   * @base - base components of the profile (name, refcount, lists, lock ...)
>> - * @count: reference count of the obj
>> - * @rcu: rcu head used when removing from @list
>>   * @parent: parent of profile
>>   * @ns: namespace the profile is in
>>   * @replacedby: is set to the profile that replaced this profile
>> @@ -169,7 +155,6 @@ struct aa_replacedby {
>>   * @xmatch_len: xmatch prefix len, used to determine xmatch priority
>>   * @audit: the auditing mode of the profile
>>   * @mode: the enforcement mode of the profile
>> - * @flags: flags controlling profile behavior
>>   * @path_flags: flags controlling path generation behavior
>>   * @size: the memory consumed by this profiles rules
>>   * @policy: general match rules governing policy
>> @@ -196,6 +181,7 @@ struct aa_replacedby {
>>   */
>>  struct aa_profile {
>>  	struct aa_policy base;
>> +	struct aa_label label;
>>  	struct kref count;
>>  	struct rcu_head rcu;
>>  	struct aa_profile __rcu *parent;
>> @@ -209,7 +195,6 @@ struct aa_profile {
>>  	int xmatch_len;
>>  	enum audit_mode audit;
>>  	long mode;
>> -	long flags;
>>  	u32 path_flags;
>>  	int size;
> 
> label was added to the struct, but not the docs... count and rcu were
> removed from the docs, but not the struct.
> 
> 
> The rest will have to wait :)
> 
> Thanks
> 
> 
>

More information about the AppArmor mailing list