Re: [AppArmor #3 0/12] AppArmor security module

All of lore.kernel.org
 help / color / mirror / Atom feed

From: John Johansen <john.johansen@canonical.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [AppArmor #3 0/12] AppArmor security module
Date: Mon, 23 Nov 2009 02:11:16 -0800	[thread overview]
Message-ID: <4B0A5FC4.1010902@canonical.com> (raw)
In-Reply-To: <200911211428.JJH90667.LFOJFMSQVOFOtH@I-love.SAKURA.ne.jp>

Tetsuo Handa wrote:
> Regarding file.c ipc.c lib.c lsm.c
> 
> 
> 
> You can use container_of() inside callback functions to avoid "void *".
> 
yeah that is cleaner, will do

>> int aa_audit(int type, struct aa_profile *profile, struct aa_audit *sa,
>> 	     void (*cb) (struct audit_buffer *, void *))
> 
> int aa_audit(int type, struct aa_profile *profile, struct aa_audit *sa,
> 	     void (*cb) (struct audit_buffer *, struct aa_audit *))
> 
>> static int aa_audit_base(int type, struct aa_profile *profile,
>> 			 struct aa_audit *sa, struct audit_context *audit_cxt,
>> 			 void (*cb) (struct audit_buffer *, void *))
> 
> static int aa_audit_base(int type, struct aa_profile *profile,
> 			 struct aa_audit *sa, struct audit_context *audit_cxt,
> 			 void (*cb) (struct audit_buffer *, struct aa_audit *))
> 
>> void file_audit_cb(struct audit_buffer *ab, void *va)
>> {
>> 	struct aa_audit_file *sa = va;
> 
> void file_audit_cb(struct audit_buffer *ab, struct aa_audit *va)
> {
> 	struct aa_audit_file *sa = container_of(va, struct aa_audit_file, base);
> 
>> int aa_audit_file(struct aa_profile *profile, struct aa_audit_file *sa)
>> (...snipped...)
>> 	return aa_audit(type, profile, (struct aa_audit *)sa, file_audit_cb);
> 
> 	return aa_audit(type, profile, &sa->base, file_audit_cb);
> 
>> }
> 
>> static void audit_cb(struct audit_buffer *ab, void *va)
>> {
>> 	struct aa_audit_ptrace *sa = va;
> 
> static void audit_cb(struct audit_buffer *ab, struct aa_audit *va)
> {
> 	struct aa_audit_ptrace *sa = container_of(va, struct aa_audit_ptrace,
> 		base);
> 
>> static int aa_audit_ptrace(struct aa_profile *profile,
>> 			   struct aa_audit_ptrace *sa)
>> {
>> 	return aa_audit(AUDIT_APPARMOR_AUTO, profile, (struct aa_audit *)sa,
>> 			audit_cb);
> 
> 	return aa_audit(AUDIT_APPARMOR_AUTO, profile, &sa->base, audit_cb);
> 
> 
> 
>> int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
>> 		 struct path *new_dir, struct dentry *new_dentry)
> (.,..snipped...)
>> 	unsigned int state;
> (.,..snipped...)
>> 	sa.perms = aa_str_perms(profile->file.dfa, DFA_START, sa.name, &cond,
>> 				&state);
> 
> "state" remains uninitialized if profile->file.dfa == NULL.
> Are you sure profile->file.dfa != NULL ?
> 
No this needs to be fixed.

> 
> 
>> char *aa_strchrnul(const char *s, int c)
>> {
>> 	for (; *s != (char)c && *s != '\0'; ++s)
>> 		;
>> 	return (char *)s;
>> }
> 
> Only fqname_subname() calls aa_strchrnul() and
> fqname_subname() returns NULL if aa_strchrnul() returns '\0'.
> You can use strchr() instead.
> 
hrmm right thanks

>> static const char *fqname_subname(const char *name)
>> {
>> 	char *split;
>> 	/* check for namespace which begins with a : and ends with : or \0 */
>> 	name = strstrip((char *)name);
>> 	if (*name == ':') {
>> 		split = aa_strchrnul(name + 1, ':');
>> 		if (*split == '\0')
>> 			return NULL;
> 
> 		split = strchr(name + 1, ':');
> 		if (!split)
> 			return NULL;
> 
yep

>> 		name = strstrip(split + 1);
>> 	}
>> 	for (split = strstr(name, "//"); split; split = strstr(name, "//"))
>> 	name = split + 2;
>>
>> 	return name;
>> }
> 
> 
> 
>> char *aa_split_name_from_ns(char *args, char **ns_name)
>> {
>> 	char *name = strstrip(args);
>>
>> 	*ns_name = NULL;
>> 	if (args[0] == ':') {
>> 		char *split = strstrip(strchr(&args[1], ':'));
>>
>> 		if (!split)
>> 			return NULL;
> 
> 
> strchr() returns NULL if not found, and strstrip(NULL) will do strlen(NULL).
> strstrip() never returns NULL. Did you mean
> 
> 		char *split = strchr(&args[1], ':');
> 
> 		if (!split)
> 			return NULL;
> 		split = strstrip(split);
> 
> ?
yes, thanks

> 
>> 		*split = 0;
>> 		*ns_name = &args[1];
>> 		name = strstrip(split + 1);
>> 	}
>> 	if (*name == 0)
>> 		name = NULL;
>>
>> 	return name;
>> }
> 
> 
> 
>> static int apparmor_sysctl(struct ctl_table *table, int op)
> This hook will be removed.
> 
>> char *sysctl_pathname(struct ctl_table *table, char *buffer, int buflen)
> This function will no longer be needed.
> 
>> int aa_pathstr_perm(struct aa_profile *profile, const char *op,
>> 		    const char *name, u16 request, struct path_cond *cond)
> This function will no longer be needed.
> 
yep

> 
> 
>> static int apparmor_file_permission(struct file *file, int mask)
>> {
>> 	/*
>> 	 * TODO: cache profiles that have revalidated?
>> 	 */
>> 	struct aa_file_cxt *fcxt = file->f_security;
>> 	struct aa_profile *profile, *fprofile = fcxt->profile;
>> 	int error = 0;
>>
>> 	if (!fprofile || !file->f_path.mnt ||
>> 	    !mediated_filesystem(file->f_path.dentry->d_inode))
>> 		return 0;
>>
>> 	profile = aa_current_profile();
>>
>> #ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
>> 	/*
>> 	 * AppArmor <= 2.4 revalidates files at access time instead
>> 	 * of at exec.
>> 	 */
>> 	if (profile && ((fprofile != profile) || (mask & ~fcxt->allowed)))
>> 	    error = aa_file_perm(profile, "file_perm", file, mask);
>> #endif
>>
>> 	return error;
>> }
> 
> Why need to call this function if CONFIG_SECURITY_APPARMOR_COMPAT_24=n ?
> I think we can do
> 
>> static struct security_operations apparmor_ops = {
> (...snipped...)
> 
> #ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
> 
>> 	.file_permission =              apparmor_file_permission,
> 
> #endif
> 
yes we can currently.  Though this will change in the future, but for now
we should got with the cleaner switch.

> (...snipped...)
>> }
> 
> 
> 
>> int aa_alloc_default_namespace(void)
> 
> This function could be declared with __init attribute.
> 
yep, thanks

> 
> 
>> static int __init apparmor_init(void)
> (...snipped...)
>> 	error = set_init_cxt();
>> 	if (error) {
>> 		AA_ERROR("Failed to set context on init task\n");
>> 		goto alloc_out;
> 
> This should be
> 
> 		goto register_security_out;
> 
> in order to call aa_free_default_namespace().
> 
>> 	}

indeed

thanks again for taking the time to review
john

next prev parent reply	other threads:[~2009-11-23 10:11 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-11-10 16:12 [AppArmor #3 0/12] AppArmor security module John Johansen
2009-11-10 16:12 ` [PATCH 01/12] AppArmor: misc. base functions and defines John Johansen
2009-11-10 16:12 ` [PATCH 02/12] AppArmor: basic auditing infrastructure John Johansen
2009-11-10 16:12 ` [PATCH 03/12] AppArmor: contexts used in attaching policy to system objects John Johansen
2009-11-10 16:12 ` [PATCH 04/12] AppArmor: core policy routines John Johansen
2009-11-10 16:12 ` [PATCH 05/12] AppArmor: dfa match engine John Johansen
2009-11-10 16:12 ` [PATCH 06/12] AppArmor: policy routines for loading and unpacking policy John Johansen
2009-11-10 16:13 ` [PATCH 07/12] AppArmor: userspace interfaces John Johansen
2009-11-10 16:29   ` Pekka Enberg
2009-11-10 16:44     ` Andi Kleen
2009-11-10 18:21       ` Stephen Hemminger
2009-11-15 22:14         ` david
2009-11-15 22:13       ` david
2009-11-10 18:51     ` John Johansen
2009-11-10 16:13 ` [PATCH 08/12] AppArmor: file enforcement routines John Johansen
2009-11-10 16:13 ` [PATCH 09/12] AppArmor: mediation of non file objects John Johansen
2009-11-10 16:13 ` [PATCH 10/12] AppArmor: domain functions for domain transition John Johansen
2009-11-10 16:13 ` [PATCH 11/12] AppArmor: LSM interface, and security module initialization John Johansen
2009-11-10 16:13 ` [PATCH 12/12] AppArmor: Enable configuring and building of the AppArmor security module John Johansen
2009-11-13 17:44 ` [AppArmor #3 0/12] " Stephen Hemminger
2009-11-13 17:58   ` John Johansen
2009-11-20 17:39 ` Tetsuo Handa
2009-11-21  5:28   ` Tetsuo Handa
2009-11-22 11:49     ` Tetsuo Handa
2009-11-23 10:10       ` John Johansen
2009-11-23 10:11     ` John Johansen [this message]
2009-11-23 10:10   ` John Johansen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4B0A5FC4.1010902@canonical.com \
    --to=john.johansen@canonical.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=penguin-kernel@I-love.SAKURA.ne.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.