[apparmor] [PATCH 2/2] parser: Properly parse named transition targets

John Johansen john.johansen at canonical.com
Sat Feb 27 00:32:22 UTC 2016

On 02/26/2016 04:22 PM, Tyler Hicks wrote:
> On 2016-02-17 22:47:41, John Johansen wrote:
>> On 02/11/2016 01:57 PM, Tyler Hicks wrote:
>>> https://launchpad.net/bugs/1540666
>>> Reuse the new parse_label() function to initialize named_transition
>>> structs so that transition targets, when used with change_profile, are
>>> properly separated into a profile namespace and profile name.
>>> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
>> Acked-by: John Johansen <john.johansen at canonical.com>
>> for 2.10 as well
>> though we are going to have to do another patch for stacking
>> we need to be able to express
>>   change_profile -> A//&:ns://B,
>> and
>>   change_profile -> :ns://A//&:ns://B,
> The parser doesn't have to do anything special when the '&' is in the
> middle of the transition target, right? IIUC, the parser writes that
> entire string (":ns://A//&:ns://B") to the binary policy and then kernel
> splits it up and makes sense of the '&' characters.
yes, and ideally the parser won't have to do anything for a target ns either,
except that legacy encoding requires it.

The kernel now accepts either, so for anything new we should just use the
simpler form. I will also note that on older kernels pivot_root targets that
specified an ns were broken because they didn't null terminate the ns as
the exec rules do (they share the same code to find the transition for the
x table).
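To make the label forms discussed in this thread concrete, here is an added illustrative splitter, not AppArmor's own parse_label() and not the binary-policy encoding the kernel consumes. It takes a transition target such as ":ns://A//&:ns://B", splits it on the "//&" stacking separator, and breaks each element of the form ":ns://name" into its namespace and profile name (an element without a leading ':' has no namespace). The "//" hat separator inside a plain profile name is left alone, since only the three-character "//&" sequence is treated as a stack boundary. The struct layout, buffer sizes and error handling are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sizes for this example only; not AppArmor limits. */
#define MAX_NS   64
#define MAX_NAME 256

struct label_elem {
    char ns[MAX_NS];     /* empty string when no namespace was given */
    char name[MAX_NAME]; /* profile name, may itself contain "//" for hats */
};

/*
 * Parse one stack element.  Accepted forms (the syntax used in the thread):
 *   ":ns://name"  -> ns = "ns", name = "name"
 *   "name"        -> ns = "",   name = "name"
 * Returns 0 on success, -1 on a malformed element (empty ns, missing "://",
 * empty name, or a component too long for the buffers).
 */
static int parse_element(const char *elem, struct label_elem *out)
{
    const char *name = elem;

    out->ns[0] = '\0';
    if (elem[0] == ':') {
        const char *end = strstr(elem + 1, "://");
        if (!end || end == elem + 1)
            return -1;              /* no terminator, or empty namespace */
        size_t nslen = (size_t)(end - (elem + 1));
        if (nslen >= MAX_NS)
            return -1;
        memcpy(out->ns, elem + 1, nslen);
        out->ns[nslen] = '\0';      /* explicitly terminate the ns */
        name = end + 3;
    }
    if (name[0] == '\0' || strlen(name) >= MAX_NAME)
        return -1;
    strcpy(out->name, name);
    return 0;
}

/*
 * Split a possibly stacked label on "//&" and parse each element.
 * Returns the number of elements written to elems, or -1 on error.
 */
int parse_label(const char *label, struct label_elem *elems, int max)
{
    size_t len = strlen(label);
    char *copy = malloc(len + 1);
    char *cur;
    int n = 0;

    if (!copy)
        return -1;
    memcpy(copy, label, len + 1);

    cur = copy;
    while (cur) {
        char *sep = strstr(cur, "//&");   /* stack separator, not the "//" hat separator */
        if (sep)
            *sep = '\0';
        if (n >= max || parse_element(cur, &elems[n]) < 0) {
            free(copy);
            return -1;
        }
        n++;
        cur = sep ? sep + 3 : NULL;
    }
    free(copy);
    return n;
}

int main(void)
{
    /* Constructed sample targets taken from the forms quoted in the thread. */
    const char *samples[] = { "A//&:ns://B", ":ns://A//&:ns://B", "/usr/bin/foo//hat", ":ns" };
    struct label_elem elems[4];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int n = parse_label(samples[i], elems, 4);
        printf("%-20s -> %d element(s)\n", samples[i], n);
        for (int j = 0; j < n; j++)
            printf("    ns='%s' name='%s'\n", elems[j].ns, elems[j].name);
    }
    return 0;
}
```

The point the splitter makes explicit is the one John raises about the legacy path: each namespace component has to be terminated on its own, and a target whose namespace never ends (the ":ns" case) is rejected rather than silently run together with the profile name.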