From: Eric Paris on 15 Jul 2010 11:40

On Wed, Jul 14, 2010 at 8:43 PM, John Johansen
<john.johansen(a)canonical.com> wrote:
> The basic routines and defines for AppArmor policy.  AppArmor policy
> is defined by a few basic components.
>      profiles - the basic unit of confinement contain all the information
>                 to enforce policy on a task
>
>                 Profiles tend to be named after an executable that they
>                 will attach to but this is not required.
>      namespaces - a container for a set of profiles that will be used
>                 during attachment and transitions between profiles.
>      sids - which provide a unique id for each profile
>
> Signed-off-by: John Johansen <john.johansen(a)canonical.com>
> ---

> +       PFLAG_MMAP_MIN_ADDR = 0x80,     /* profile controls mmap_min_addr */

You don't actually support this per ?domain? mmap_min_addr and I'm not
sure how you ever can (given the nature of round_hint_to_min()) so
maybe you should rip it all out rather than having the half
implemented stuff in patches 4 and 6?

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

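
Review bot: the comment on PFLAG_MMAP_MIN_ADDR in the quoted hunk, "profile controls mmap_min_addr", does not say whether the flag gives the profile its own minimum mapping address or only restricts which profile may change the setting. If the flag stays, reword the comment to state which of the two is meant; if nothing in the series enforces it yet, leave the enum value out until it can land together with the code that checks it.
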
From: John Johansen on 15 Jul 2010 12:50

On 07/15/2010 08:33 AM, Eric Paris wrote:
> On Wed, Jul 14, 2010 at 8:43 PM, John Johansen
> <john.johansen(a)canonical.com> wrote:
>> The basic routines and defines for AppArmor policy. AppArmor policy
>> is defined by a few basic components.
>> profiles - the basic unit of confinement contain all the information
>> to enforce policy on a task
>>
>> Profiles tend to be named after an executable that they
>> will attach to but this is not required.
>> namespaces - a container for a set of profiles that will be used
>> during attachment and transitions between profiles.
>> sids - which provide a unique id for each profile
>>
>> Signed-off-by: John Johansen <john.johansen(a)canonical.com>
>> ---
>
>> + PFLAG_MMAP_MIN_ADDR = 0x80, /* profile controls mmap_min_addr */
>
> You don't actually support this per ?domain? mmap_min_addr and I'm not
> sure how you ever can (given the nature of round_hint_to_min()) so
> maybe you should rip it all out rather than having the half
> implemented stuff in patches 4 and 6?

Right, it wasn't actually ever intended as a per domain value, just a
constraint on the domain setting the value. As it currently isn't
supported I will rip those bits out.