[apparmor] [patch 10/11] mod_apparmor: eliminate unnecessary back out aa_change_hat() calls

Steve Beattie steve at nxnw.org
Thu Jan 23 10:45:46 UTC 2014


This patch removes unnecessary back out aa_change_hat() calls that occur
if the prior call to aa_change_hat() failed. It used to be the case
that an aa_change_hat() call that failed would result in the task being
placed in a profile with no permissions except the ability to
aa_change_hat() back out, but this behavior has been removed from
apparmor for many, many years now.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 changehat/mod_apparmor/mod_apparmor.c |    2 --
 1 file changed, 2 deletions(-)

Index: b/changehat/mod_apparmor/mod_apparmor.c
===================================================================
--- a/changehat/mod_apparmor/mod_apparmor.c
+++ b/changehat/mod_apparmor/mod_apparmor.c
@@ -97,7 +97,6 @@ immunix_child_init (apr_pool_t *p, serve
 		    "init: calling change_hat with '%s'", DEFAULT_HAT);
     ret = aa_change_hat(DEFAULT_HAT, magic_token);
     if (ret < 0) {
-    	aa_change_hat(NULL, magic_token);
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, "Failed to change_hat to '%s'",
 			DEFAULT_HAT);
     } else {
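Review bot: In the `ret < 0` branch of immunix_child_init, the remaining ap_log_error() call passes 0 as its status argument, so the log line names the hat but not the reason aa_change_hat() failed. With the back out call removed, this message is the only trace of the failure. Consider saving errno immediately after the aa_change_hat(DEFAULT_HAT, magic_token) call and passing it as the status argument, so the administrator can tell a missing hat from a permission or token problem.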
@@ -239,7 +238,6 @@ immunix_exit_hat (request_rec *r)
 
     sd_ret = aa_change_hat(DEFAULT_HAT, magic_token);
     if (sd_ret < 0) {
-    	aa_change_hat(NULL, magic_token);
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Failed to change_hat to '%s'",
 			DEFAULT_HAT);
     } else {
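Review bot: The `sd_ret < 0` branch in immunix_exit_hat now carries nothing in the code that explains why no recovery is attempted. The rationale exists only in the commit message. A short comment in that branch, stating that a failed aa_change_hat() leaves the task in its current confinement and there is therefore nothing to back out of, would stop the call from being reintroduced later. It is also worth checking whether logging alone is enough here, since the visible branch does not otherwise signal that the switch to DEFAULT_HAT did not happen.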



