[apparmor] [PATCH 5/6] libapparmor: Allow creating a policy_cache with a NULL kernel_features
Steve Beattie
steve at nxnw.org
Thu Mar 26 07:27:10 UTC 2015
On Wed, Mar 25, 2015 at 05:37:20PM -0500, Tyler Hicks wrote:
> The most common case when creating an aa_policy_cache object will be to
> do so while using the current kernel's feature set for the
> kernel_features parameter. Rather than have callers instantiate their
> own aa_features object in this situation, aa_policy_cache_new() should
> do it for them if they specify NULL for the kernel_features parameter.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
I like this change a lot. Acked-by: Steve Beattie <steve at nxnw.org>.
Thanks.
> ---
> libraries/libapparmor/src/policy_cache.c | 17 +++++++++++---
> tests/regression/apparmor/aa_policy_cache.c | 36 ++++-------------------------
> 2 files changed, 18 insertions(+), 35 deletions(-)
>
> diff --git a/libraries/libapparmor/src/policy_cache.c b/libraries/libapparmor/src/policy_cache.c
> index 44eb34d..779c91d 100644
> --- a/libraries/libapparmor/src/policy_cache.c
> +++ b/libraries/libapparmor/src/policy_cache.c
> @@ -129,7 +129,8 @@ static int replace_all_cb(DIR *dir unused, const char *name, struct stat *st,
> * aa_policy_cache_new - create a new policy_cache from a path
> * @policy_cache: will point to the address of an allocated and initialized
> * aa_policy_cache_new object upon success
> - * @kernel_features: features representing a kernel
> + * @kernel_features: features representing a kernel (may be NULL if you want to
> + * use the features of the currently running kernel)
> * @path: path to the policy cache
> * @create: true if the cache should be created if it doesn't already exist
> *
> @@ -170,6 +171,17 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
> return -1;
> }
>
> + if (kernel_features) {
> + aa_features_ref(kernel_features);
> + } else if (aa_features_new_from_kernel(&kernel_features) == -1) {
> + int save = errno;
> +
> + aa_policy_cache_unref(pc);
> + errno = save;
> + return -1;
> + }
> + pc->kernel_features = kernel_features;
> +
> if (init_cache_features(pc, kernel_features, create)) {
> int save = errno;
>
> @@ -178,7 +190,6 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
> return -1;
> }
>
> - pc->kernel_features = aa_features_ref(kernel_features);
> *policy_cache = pc;
>
> return 0;
> @@ -203,8 +214,8 @@ aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache)
> void aa_policy_cache_unref(aa_policy_cache *policy_cache)
> {
> if (policy_cache && atomic_dec_and_test(&policy_cache->ref_count)) {
> - aa_features_unref(policy_cache->kernel_features);
> aa_features_unref(policy_cache->features);
> + aa_features_unref(policy_cache->kernel_features);
> free(policy_cache->features_path);
> free(policy_cache->path);
> free(policy_cache);
> diff --git a/tests/regression/apparmor/aa_policy_cache.c b/tests/regression/apparmor/aa_policy_cache.c
> index cb4bc71..03f7b5b 100644
> --- a/tests/regression/apparmor/aa_policy_cache.c
> +++ b/tests/regression/apparmor/aa_policy_cache.c
> @@ -47,16 +47,10 @@ static void usage(const char *prog)
>
> static int test_make_valid(const char *path)
> {
> - aa_features *features = NULL;
> aa_policy_cache *policy_cache = NULL;
> int rc = 1;
>
> - if (aa_features_new_from_kernel(&features)) {
> - perror("FAIL - aa_features_new_from_kernel");
> - goto out;
> - }
> -
> - if (aa_policy_cache_new(&policy_cache, features, path, false)) {
> + if (aa_policy_cache_new(&policy_cache, NULL, path, false)) {
> perror("FAIL - aa_policy_cache_new");
> goto out;
> }
> @@ -68,23 +62,16 @@ static int test_make_valid(const char *path)
>
> rc = 0;
> out:
> - aa_features_unref(features);
> aa_policy_cache_unref(policy_cache);
> return rc;
> }
>
> static int test_is_valid(const char *path)
> {
> - aa_features *features = NULL;
> aa_policy_cache *policy_cache = NULL;
> int rc = 1;
>
> - if (aa_features_new_from_kernel(&features)) {
> - perror("FAIL - aa_features_new_from_kernel");
> - goto out;
> - }
> -
> - if (aa_policy_cache_new(&policy_cache, features, path, false)) {
> + if (aa_policy_cache_new(&policy_cache, NULL, path, false)) {
> perror("FAIL - aa_policy_cache_new");
> goto out;
> }
> @@ -97,30 +84,22 @@ static int test_is_valid(const char *path)
>
> rc = 0;
> out:
> - aa_features_unref(features);
> aa_policy_cache_unref(policy_cache);
> return rc;
> }
>
> static int test_new(const char *path, bool create)
> {
> - aa_features *features = NULL;
> aa_policy_cache *policy_cache = NULL;
> int rc = 1;
>
> - if (aa_features_new_from_kernel(&features)) {
> - perror("FAIL - aa_features_new_from_kernel");
> - goto out;
> - }
> -
> - if (aa_policy_cache_new(&policy_cache, features, path, create)) {
> + if (aa_policy_cache_new(&policy_cache, NULL, path, create)) {
> perror("FAIL - aa_policy_cache_new");
> goto out;
> }
>
> rc = 0;
> out:
> - aa_features_unref(features);
> aa_policy_cache_unref(policy_cache);
> return rc;
> }
> @@ -169,16 +148,10 @@ out:
>
> static int test_replace_all(const char *path)
> {
> - aa_features *features = NULL;
> aa_policy_cache *policy_cache = NULL;
> int rc = 1;
>
> - if (aa_features_new_from_kernel(&features)) {
> - perror("FAIL - aa_features_new_from_kernel");
> - goto out;
> - }
> -
> - if (aa_policy_cache_new(&policy_cache, features, path, false)) {
> + if (aa_policy_cache_new(&policy_cache, NULL, path, false)) {
> perror("FAIL - aa_policy_cache_new");
> goto out;
> }
> @@ -190,7 +163,6 @@ static int test_replace_all(const char *path)
>
> rc = 0;
> out:
> - aa_features_unref(features);
> aa_policy_cache_unref(policy_cache);
> return rc;
> }
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150326/a5f8f802/attachment.pgp>
More information about the AppArmor
mailing list