[apparmor] [PATCH 2/3] libapparmor: Open fds may be revalidated after aa_change_profile()

John Johansen john.johansen at canonical.com
Wed Jan 27 15:25:04 UTC 2016


On 01/26/2016 04:18 PM, Tyler Hicks wrote:
> It is possible that file descriptors will be revalidated after an
> aa_change_profile() but there is a lot of complexity involved that
> doesn't need to be spelled out in the man page. Instead, mention that
> revalidation is possible but the only way to ensure that file
> descriptors are not passed on is to close them.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Reported-by: Seth Arnold <seth.arnold at canonical.com>

So I agree that that paragraph is not the place for the detailed information
about the complexity of change_hat/change_profile and remediation. But I
do think it's important we document it, and stick a reference in the
man page. Whether it should go in a notes section or a separate man page,
I am ambivalent on.

But this change as it stands is good.

Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  libraries/libapparmor/doc/aa_change_profile.pod | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libraries/libapparmor/doc/aa_change_profile.pod b/libraries/libapparmor/doc/aa_change_profile.pod
> index 6457c33..3cad427 100644
> --- a/libraries/libapparmor/doc/aa_change_profile.pod
> +++ b/libraries/libapparmor/doc/aa_change_profile.pod
> @@ -48,7 +48,7 @@ If a program wants to return out of the current profile to the
>  original profile, it may use aa_change_hat(2). Otherwise, the two profiles must
>  have rules permitting changing between the two profiles.
>  
> -Open file descriptors are not remediated after a call to aa_change_profile()
> +Open file descriptors may not be remediated after a call to aa_change_profile()
>  so the calling program must close(2) open file descriptors to ensure they
>  are not available after calling aa_change_profile(). As aa_change_profile()
>  is typically used just before execve(2), you may want to use open(2) or
> 
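Review bot: the rewritten line keeps the word "remediated" while the commit message describes the same behaviour as file descriptors being "revalidated"; the man page should use one term, and since this sentence is the only place it names the behaviour, matching the commit message ("Open file descriptors are not guaranteed to be revalidated after a call to aa_change_profile()") would let readers find it. "may not be remediated" also reads two ways, as "might not be" or as "are not permitted to be"; "are not guaranteed to be" says what is meant and still justifies the "so the calling program must close(2) open file descriptors" clause that follows in the unchanged context.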
