[apparmor] [RFC] Apparmor: Add support for attaching profiles via xattr presence and value
Seth Arnold
seth.arnold at canonical.com
Wed Nov 29 01:45:01 UTC 2017
Hello Matthew, thanks for this; I'll let John comment on the larger design
of the patch, I'll just nitpick one little piece:
On Tue, Nov 28, 2017 at 04:08:15PM -0800, Matthew Garrett wrote:
> --- a/security/apparmor/include/policy.h
> +++ b/security/apparmor/include/policy.h
> @@ -148,6 +148,12 @@ struct aa_profile {
> struct aa_policydb policy;
> struct aa_file_rules file;
> struct aa_caps caps;
> +
> + int xattr_count;
> + const char **xattrs;
> + size_t *xattr_lens;
> + char **xattr_values;
> +
> struct aa_rlimit rlimits;
>
> struct aa_loaddata *rawdata;
> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
> index b0b58848c248..168b1d5272d9 100644
> --- a/security/apparmor/policy.c
> +++ b/security/apparmor/policy.c
> @@ -227,6 +227,9 @@ void aa_free_profile(struct aa_profile *profile)
> aa_free_cap_rules(&profile->caps);
> aa_free_rlimit_rules(&profile->rlimits);
>
> + kzfree(profile->xattrs);
> + kzfree(profile->xattr_lens);
> + kzfree(profile->xattr_values);
> kzfree(profile->dirname);
> aa_put_dfa(profile->xmatch);
> aa_put_dfa(profile->policy.dfa);
profile->xattr_values is a vector of strings, but only the pointers are
cleaned up here, leaking all the xattr values themselves when the profile
is freed.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20171128/71a4b970/attachment-0001.sig>
More information about the AppArmor
mailing list