[apparmor] [PATCH 2/3] libapparmor: Open fds may be revalidated after aa_change_profile()

[Tyler Hicks]

It is possible that file descriptors will be revalidated after an
aa_change_profile() but there is a lot of complexity involved that
doesn't need to be spelled out in the man page. Instead, mention that
revalidation is possible but the only way to ensure that file
descriptors are not passed on is to close them.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Reported-by: Seth Arnold <seth.arnold at canonical.com>
---
 libraries/libapparmor/doc/aa_change_profile.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libraries/libapparmor/doc/aa_change_profile.pod b/libraries/libapparmor/doc/aa_change_profile.pod
index 6457c33..3cad427 100644
--- a/libraries/libapparmor/doc/aa_change_profile.pod
+++ b/libraries/libapparmor/doc/aa_change_profile.pod
@@ -48,7 +48,7 @@ If a program wants to return out of the current profile to the
 original profile, it may use aa_change_hat(2). Otherwise, the two profiles must
 have rules permitting changing between the two profiles.
 
-Open file descriptors are not remediated after a call to aa_change_profile()
+Open file descriptors may not be remediated after a call to aa_change_profile()
 so the calling program must close(2) open file descriptors to ensure they
 are not available after calling aa_change_profile(). As aa_change_profile()
 is typically used just before execve(2), you may want to use open(2) or
-- 
2.5.0