On Thu, Apr 20, 2006 at 09:39:43PM +0000, Pavel Machek wrote:
> Hi!
>
> > This patch implements the interface between the userspace policy loader
> > and the kernel module. It is called by the .load, .remove and .replace
> > file_operations hooks implemented in apparmorfs.c.
> >
> > The code is reponsible for serializing data in a platform independant
> > manner from userspace and creating/activating the necessary apparmor
> > profiles.
>
> Documentation patch describing what kind of data you pass here would
> be nice.
Very true. We will add it.
> > +#include "match/match.h"
> > +
> > +/* aa_code defined in module_interface.h */
> > +
> > +const int aacode_datasize[] = { 1, 2, 4, 8, 2, 2, 4, 0, 0, 0, 0, 0, 0 };
>
> I believe this needs a comment.
Yep.
> > +
> > +/* inlines must be forward of there use in newer version of gcc,
> > + just forward declaring with a prototype won't work anymore */
>
> their use?
Thanks
> > +/**
> > + * aa_activate_profile - unpack a serialized profile
> > + * @e: serialized data extent information
> > + * @error: error code returned if unpacking fails
> > + */
> > +static struct aaprofile *aa_activate_profile(struct aa_ext *e, ssize_t *error)
> > +{
> > + struct aaprofile *profile = NULL;
> > + const char *rulename = "";
> > + const char *error_string = "Invalid Profile";
> > +
> > + *error = -EPROTO;
> > +
> > + profile = alloc_aaprofile();
> > + if (!profile) {
> > + error_string = "Could not allocate profile";
> > + *error = -ENOMEM;
> > + goto fail;
> > + }
> > +
> > + /* check that we have the right struct being passed */
> > + AA_READ_X(e, AA_STRUCT, NULL, "profile");
> > + AA_READ_X(e, AA_DYN_STRING, &profile->name, NULL);
> > +
> > + error_string = "Invalid flags";
> > + /* per profile debug flags (debug, complain, audit) */
> > + AA_READ_X(e, AA_STRUCT, NULL, "flags");
> > + AA_READ_X(e, AA_U32, &(profile->flags.debug), "profile.flags.debug");
> > + AA_READ_X(e, AA_U32, &(profile->flags.complain),
> > + "profile.flags.complain");
> > + AA_READ_X(e, AA_U32, &(profile->flags.audit), "profile.flags.audit");
> > + AA_READ_X(e, AA_STRUCTEND, NULL, NULL);
> > +
> > + error_string = "Invalid capabilities";
> > + AA_READ_X(e, AA_U32, &(profile->capabilities), "profile.capabilities");
> > +
> > + /* get the file entries. */
> > + AA_ENTRY_LIST("pgent"); /* pcre rules */
> > + AA_ENTRY_LIST("sgent"); /* simple globs */
> > + AA_ENTRY_LIST("fent"); /* regular file entries */
> > +
> > + /* get the net entries */
> > + if (aa_is_nameX(e, AA_LIST, NULL, "net")) {
> > + error_string = "Invalid net entry";
> > + while (!aa_is_nameX(e, AA_LISTEND, NULL, NULL)) {
> > + if (!aa_activate_net_entry(e))
> > + goto fail;
> > + }
> > + }
> > + rulename = "";
> > +
> > + /* get subprofiles */
> > + if (aa_is_nameX(e, AA_LIST, NULL, "hats")) {
> > + error_string = "Invalid profile hat";
> > + while (!aa_is_nameX(e, AA_LISTEND, NULL, NULL)) {
> > + struct aaprofile *subprofile;
> > + subprofile = aa_activate_profile(e, error);
> > + if (!subprofile)
> > + goto fail;
> > + subprofile->parent = profile;
> > + list_add(&subprofile->list, &profile->sub);
> > + }
> > + }
> > +
> > + error_string = "Invalid end of profile";
> > + AA_READ_X(e, AA_STRUCTEND, NULL, NULL);
> > +
> > + return profile;
>
> Is this kind of transltion neccessary?
Don't understand. Please expand/clarify. The code serializes the profile data
from userspace.
Tony
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
