[apparmor] [patch 08/11] mod_apparmor: convert aa_change_hat()s into single aa_change_hatv() [v2]
John Johansen
john.johansen at canonical.com
Thu Jan 23 12:00:54 UTC 2014
On 01/23/2014 02:45 AM, Steve Beattie wrote:
> This patch converts the request entry point from using multiple (if
> necessary) aa_change_hat() calls into a single aa_change_hatv() call,
> simplifying the code a bit, requiring fewer round trips between
> mod_apparmor and the kernel for each request, as well as providing more
> information when the apache profile is in complain mode.
>
> Patch history:
> v1: initial version
> v2: - the server config (scfg) code accidentally re-added the
>       directory config (dcfg) hat to the vector of hats, fix that
>     - actually add the DEFAULT_URI hat to the vector of hats, instead
>       of only logging that that is happening.
>     - pass errno to ap_log_rerror() if aa_change_hatv() call fails.
>     - don't call aa_change_hat again if aa_change_hatv() call fails,
>       as this is no longer necessary.
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
So with the aa_change_hat format string bug fixed in another one of your
patches, do you think it's worth converting the
    aa_change_hat(NULL, token);
calls to
    aa_change_hatv(NULL, token);
?
This should allow this module to be run with an older version of the library
installed. Of course, with the use of aa_getcon that will require at least
a 2.8 install.
Otherwise it looks good.
Acked-by: John Johansen <john.johansen at canonical.com>