[apparmor] [PATCH 27/36] apparmor: treat each task as if the label can have multiple entries
John Johansen
john.johansen at canonical.com
Thu May 30 01:12:52 UTC 2013
On 05/29/2013 06:07 PM, Seth Arnold wrote:
> On Wed, May 01, 2013 at 02:31:12PM -0700, John Johansen wrote:
>> next baby step to labels. Update most code to walk labels as if there
>> are multiple entries in a label, even though atm there can only be
>> one.
>>
>> This does not update the domain transitions, exec, change_hat, change_profile
>> (separate patch).
>>
>> Also it bails on first error, where for learning purposes it might be
>> desirable to check permission, and log against all profiles before failing.
>
> Or, if not for learning, also auditing purposes.
>
> I was going to complain about that, but since you addressed it in a
> header, I'm not sure what to do. The patch, as described, looked right
> to me, but my quibble is with the intention of too-early exits. :)
>
> So, uh, add Acked-by: Seth Arnold <seth.arnold at canonical.com>, but with
> the hope that a future patch changes a lot of the logging logic. :)
>
Well, there are two problems with running through all checks instead of
bailing out early.
1. It's slower. Not that we should really care about speed in the reject case.
2. It complicates the code, not by much but some.