Re: [PATCH 04/13] AppArmor: core policy routines

From: Eric Paris
Date: Thu Jul 15 2010 - 11:33:15 EST


On Wed, Jul 14, 2010 at 8:43 PM, John Johansen
<john.johansen@xxxxxxxxxxxxx> wrote:
> The basic routines and defines for AppArmor policy.  AppArmor policy
> is defined by a few basic components.
>      profiles - the basic unit of confinement contain all the information
>                 to enforce policy on a task
>
>                 Profiles tend to be named after an executable that they
>                 will attach to but this is not required.
>      namespaces - a container for a set of profiles that will be used
>                 during attachment and transitions between profiles.
>      sids - which provide a unique id for each profile
>
> Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
> ---

> +       PFLAG_MMAP_MIN_ADDR = 0x80,     /* profile controls mmap_min_addr */

You don't actually support this per ?domain? mmap_min_addr and I'm not
sure how you ever can (given the nature of round_hint_to_min()) so
maybe you should rip it all out rather than having the half
implemented stuff in patches 4 and 6?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/