[apparmor] [patch 01/11] mod_apparmor: fix logging [v3]

John Johansen john.johansen at canonical.com
Thu Jan 23 22:19:55 UTC 2014

On 01/23/2014 01:59 PM, Christian Boltz wrote:
> Hello,
> On Thursday, 23 January 2014, Steve Beattie wrote:
>> On Thu, Jan 23, 2014 at 03:04:53AM -0800, John Johansen wrote:
>>> Looks good, though I did find myself wishing for a patch to rename
>>> immunix to apparmor.
>> Yeah, as well as a patch to fix up some of the whitespace quirks (lots
>> of trailing whitespace for one). But I wanted functional code changes
> That, and also a funny mix of tabs and spaces in several lines.
>> to land first before doing any of that, to make it easier to merge to
>> 2.8, if need be.
> Personally, I'd like to have the fixes applied[1] to 2.8 ;-)  (maybe 
> except the change to using aa_change_hatv to be very sure nothing 
> breaks?)
Right, generally I'd like to not go adding new features to 2.8, so
I think change_hatv shouldn't go in and I question whether the servername
should go in as well.

With that said, 2.8 has had to live far longer than it should have as the
primary release and I think some improvements are worth making an
exception for. So I'll defer to those who use these features daily.

> Nevertheless, I'll probably take the risk and test 2.8 with the latest 
> mod_apparmor.c as soon as you commit your patches to trunk. (I want one 
> big patch, not copy&paste from 11 mails all changing the same file ;-)
> BTW: will the updated mod_apparmor also need 2.8 r2111? ("libapparmor: 
> fix aa_change_hat token format string")
Only if you include the change_hatv patch. The bug comes about because
change_hat and change_hatv are using different format strings. The
change_hatv format is correct but despite this the change_hat one
seems to be consistent, so it should hopefully (it is implementation
dependent, but years of use haven't seemed to trip a bug) just work
when only change_hat is used.

The patch mixes use of change_hat and change_hatv, where change_hatv
is used to enter and change_hat to exit. In this case the kernel
sees different tokens because of how the userspace is formatting them.
