Hi John,

John Johansen wrote (17 Jun 2012 19:08:20 GMT) :
> On 06/15/2012 05:08 PM, Ben Hutchings wrote:
>>>
>>>>> If we don't want to restrict sockets used by the kernel, don't we need
>>>>> to store the kern flag for later use by aa_revalidate_sk()?
>>>>>
>>>> For how apparmor is generally deployed it can get away with this, the
>>>> kernel bits generally bail out earlier on the check for unconfined.
>>>
>>>> That is not to say it isn't a good idea, or that it shouldn't be done.
>>>> The fact is this patch is going to be replaced with completely rewritten
>>>> controls, that do store info on the socket, it just hasn't happened yet
>>>> due to resources and priorities (not my priorities).
>>>
>>> Ben, is this a blocker?
>>
>> I want to be convinced that this is not a bug, or else get a fix for it.
>>
> I am looking at the kernel bits here, but I don't have a patch yet

Do you think you'll manage to do it in time for the Wheezy freeze
(June 30th)?

>>>>> Since denied has already been masked with ~quiet_mask, this condition
>>>>> can never be true.
>>>>>
>>>> indeed
>>>
>>> Ben, is this a blocker?
>> [...]
>>
>> This clearly is a bug and I want to be convinced that it is harmless or
>> else get a fix for it.
>>
> Right this breaks the controls over quieting of denial messages. Basically
> if policy specifies a reject should not be logged then the global controls
> that turn quieting off so that all rejects get logged aren't working for
> networking.
> This is an easy patch that I can provide separately or with the
> patch I am working on for the larger issue.

Do you think you'll manage to prepare at least the easy fix in time
for the Wheezy freeze?

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc