lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Sat, 17 Jul 2010 16:41:01 +0900
From:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:	john.johansen@...onical.com
Cc:	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [AppArmor #5 0/13] AppArmor security module

John Johansen wrote:
> >  75 void aa_info_message(const char *str)
> >  76 {
> >  77         struct common_audit_data sa;
> >  78         COMMON_AUDIT_DATA_INIT_NONE(&sa);
> >  79         sa.aad.info = str,
> >  80         printk(KERN_INFO "AppArmor: %s\n", str);
> >  81         if (audit_enabled)
> >  82                 aa_audit(AUDIT_APPARMOR_STATUS, NULL, GFP_KERNEL, &sa, NULL);
> >  83 }
> > 
It will work but you meant "sa.aad.info = str;" rather than "sa.aad.info = str,".

> > void aa_info_message(const char *str)
> > {
> > 	printk(KERN_INFO "AppArmor: %s\n", str);
> > 	if (audit_enabled) {
> > 		struct common_audit_data sa;
> > 		COMMON_AUDIT_DATA_INIT_NONE(&sa);
> > 		sa.aad.info = str;
> > 		aa_audit(AUDIT_APPARMOR_STATUS, NULL, GFP_KERNEL, &sa, NULL);
> > 	}
> > }
> > 
> > ?
> > 
> Anything more specific? :)
> 
I thought you don't need to call COMMON_AUDIT_DATA_INIT_NONE() if !audit_enabled.
Maybe compiler optimizes it implicitly...

> > 134 static int apparmor_capable(struct task_struct *task, const struct cred *cred,
> > 135                             int cap, int audit)
> > 136 {
> > 137         struct aa_profile *profile;
> > 138         /* cap_capable returns 0 on success, else -EPERM */
> > 139         int error = cap_capable(task, cred, cap, audit);
> > 140 
> > 141         profile = aa_cred_profile(cred);
> > 142         if (!error  && !unconfined(profile))
> > 143                 error = aa_capable(task, profile, cap, audit);
> > 144 
> > 145         return error;
> > 146 }
> > 
> > static int apparmor_capable(struct task_struct *task, const struct cred *cred,
> > 			    int cap, int audit)
> > {
> > 	/* cap_capable returns 0 on success, else -EPERM */
> > 	int error = cap_capable(task, cred, cap, audit);
> > 
> > 	if (!error) {
> > 		struct aa_profile *profile;
> > 		profile = aa_cred_profile(cred);
> > 	  	if (!unconfined(profile))
> > 			error = aa_capable(task, profile, cap, audit);
> > 	}
> > 	return error;
> > }
> > 
> > ?
> > 
> ? 
> 
I thought you don't need to call aa_cred_profile() if cap_capable() returned an error.
If you meant to update profile even if cap_capable() returned an error, please add a comment.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ