[apparmor] [Merge] lp:~smcv/apparmor/cpus-conf into lp:apparmor

Simon McVittie smcv at collabora.com
Wed Apr 12 17:43:25 UTC 2017


Simon McVittie has proposed merging lp:~smcv/apparmor/cpus-conf into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~smcv/apparmor/cpus-conf/+merge/322472

abstractions/base: Allow sysconf(_SC_NPROCESSORS_CONF)
  
glibc implements this by doing a readdir() and filtering.
We already allowed sysconf(_SC_NPROCESSORS_ONLN), which is
basically a read from /sys/devices/system/cpu/online.

---

For context: while testing a confined process that invokes apparmor_parser under its own profile, I noticed that apparmor_parser does this. For now I'm adding it to that process's profile, but it seems like something that could reasonably go in <abstractions/base> - in practice on consumer systems the answer is going to be the same as cpu/online, which we already allow reading.

(I realise that's an odd thing to do, because that confined process needs to exercise CAP_MAC_ADMIN, making it all-powerful. However, the confinement is aiming to prevent accidentally reading untrusted content into a TCB process, rather than preventing the process itself from escalating privileges.)
-- 
Your team AppArmor Developers is requested to review the proposed merge of lp:~smcv/apparmor/cpus-conf into lp:apparmor.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: review-diff.txt
Type: text/x-diff
Size: 452 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170412/4e4c5544/attachment.diff>


More information about the AppArmor mailing list