Hi!
> This patch implements the interface between the userspace policy loader
> and the kernel module. It is called by the .load, .remove and .replace
> file_operations hooks implemented in apparmorfs.c.
>
> The code is responsible for serializing data in a platform independent
> manner from userspace and creating/activating the necessary apparmor
> profiles.
Documentation patch describing what kind of data you pass here would
be nice.
> +#include "match/match.h"
> +
> +/* aa_code defined in module_interface.h */
> +
> +const int aacode_datasize[] = { 1, 2, 4, 8, 2, 2, 4, 0, 0, 0, 0, 0, 0 };
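Review bot: `aacode_datasize` appears to be indexed by the aa_code values from module_interface.h, yet its length is fixed only by the thirteen initializers, so a code added to the enum without touching this table becomes a silent read past the end at every lookup. Declaring the array against the enum's size, e.g. `const int aacode_datasize[AA_CODE_COUNT /* placeholder: the enum's count */] = { ... };`, or adding a compile-time check that the two agree, ties the table to the codes it describes. If the table is not referenced from another translation unit it should also be `static`, since the bare `const int` definition exports it.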
I believe this needs a comment.
> +
> +/* inlines must be forward of there use in newer version of gcc,
> + just forward declaring with a prototype won't work anymore */
their use?
> +/**
> + * aa_activate_profile - unpack a serialized profile
> + * @e: serialized data extent information
> + * @error: error code returned if unpacking fails
> + */
> +static struct aaprofile *aa_activate_profile(struct aa_ext *e, ssize_t *error)
> +{
> + struct aaprofile *profile = NULL;
> + const char *rulename = "";
> + const char *error_string = "Invalid Profile";
> +
> + *error = -EPROTO;
> +
> + profile = alloc_aaprofile();
> + if (!profile) {
> + error_string = "Could not allocate profile";
> + *error = -ENOMEM;
> + goto fail;
> + }
> +
> + /* check that we have the right struct being passed */
> + AA_READ_X(e, AA_STRUCT, NULL, "profile");
> + AA_READ_X(e, AA_DYN_STRING, &profile->name, NULL);
> +
> + error_string = "Invalid flags";
> + /* per profile debug flags (debug, complain, audit) */
> + AA_READ_X(e, AA_STRUCT, NULL, "flags");
> + AA_READ_X(e, AA_U32, &(profile->flags.debug), "profile.flags.debug");
> + AA_READ_X(e, AA_U32, &(profile->flags.complain),
> + "profile.flags.complain");
> + AA_READ_X(e, AA_U32, &(profile->flags.audit), "profile.flags.audit");
> + AA_READ_X(e, AA_STRUCTEND, NULL, NULL);
> +
> + error_string = "Invalid capabilities";
> + AA_READ_X(e, AA_U32, &(profile->capabilities), "profile.capabilities");
> +
> + /* get the file entries. */
> + AA_ENTRY_LIST("pgent"); /* pcre rules */
> + AA_ENTRY_LIST("sgent"); /* simple globs */
> + AA_ENTRY_LIST("fent"); /* regular file entries */
> +
> + /* get the net entries */
> + if (aa_is_nameX(e, AA_LIST, NULL, "net")) {
> + error_string = "Invalid net entry";
> + while (!aa_is_nameX(e, AA_LISTEND, NULL, NULL)) {
> + if (!aa_activate_net_entry(e))
> + goto fail;
> + }
> + }
> + rulename = "";
> +
> + /* get subprofiles */
> + if (aa_is_nameX(e, AA_LIST, NULL, "hats")) {
> + error_string = "Invalid profile hat";
> + while (!aa_is_nameX(e, AA_LISTEND, NULL, NULL)) {
> + struct aaprofile *subprofile;
> + subprofile = aa_activate_profile(e, error);
> + if (!subprofile)
> + goto fail;
> + subprofile->parent = profile;
> + list_add(&subprofile->list, &profile->sub);
> + }
> + }
> +
> + error_string = "Invalid end of profile";
> + AA_READ_X(e, AA_STRUCTEND, NULL, NULL);
> +
> + return profile;
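Review bot: The recursive call `subprofile = aa_activate_profile(e, error);` inside the "hats" loop has no nesting bound, so a malformed policy blob with hat lists nested inside hat lists consumes one stack frame per level with nothing stopping the descent before the kernel stack is exhausted. Tracking the depth (a counter in `struct aa_ext` or a depth argument threaded through the recursion) and rejecting with `*error = -EPROTO` past a small fixed limit keeps a bad load from overflowing the stack, e.g. `if (++e->depth > AA_MAX_HAT_DEPTH /* placeholder: field and bound to be added */) goto fail;` on entry with the matching decrement before each return. `rulename` is set to `""` at its declaration and again after the net list but is not otherwise referenced in the quoted lines; if it is only consumed inside the `AA_READ_X`/`AA_ENTRY_LIST` macros a short comment saying so would help, otherwise the second assignment is dead. The function's `fail:` label and its cleanup lie outside the quoted hunk, so whether a partially built profile with already-linked subprofiles is freed correctly on that path cannot be checked here.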
Is this kind of translation necessary?
Pavel
--
Thanks, Sharp!