[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070412112101.328fd7cd@the-village.bc.nu>
Date: Thu, 12 Apr 2007 11:21:01 +0100
From: Alan Cox <alan@...rguk.ukuu.org.uk>
To: jjohansen@...e.de
Cc: linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, chrisw@...s-sol.org,
John Johansen <jjohansen@...e.de>,
Andreas Gruenbacher <agruen@...e.de>
Subject: Re: [AppArmor 38/41] AppArmor: Module and LSM hooks
> +
> + /**
> + * parent can ptrace child when
> + * - parent is unconfined
> + * - parent is in complain mode
> + * - parent and child are confined by the same profile
> + */
Your profiles are name based. That means the same profile in a different
namespace does different things. It would be a very odd case where it
mattered but surely the parent ptrace child rule should also require that
the parent and child are in the same namespace when using apparmor name
based security.
> +static int apparmor_capget(struct task_struct *task,
> + kernel_cap_t *effective,
> + kernel_cap_t *inheritable,
> + kernel_cap_t *permitted)
> +{
> + return cap_capget(task, effective, inheritable, permitted);
> +}
Pointless function should go away.
> +static int apparmor_sysctl(struct ctl_table *table, int op)
> +{
> + int error = 0;
> +
> + if ((op & 002) && !capable(CAP_SYS_ADMIN))
> + error = aa_reject_syscall(current, GFP_KERNEL,
> + "sysctl (write)");
> +
> + return error;
The usual file permission security override is DAC not ADMIN. What is the
logic of this choice.
> +}
> +
> +static int apparmor_syslog(int type)
> +{
> + return cap_syslog(type);
> +}
More pointless functions to delete.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists