<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/security/apparmor/capability.c, branch v3.6-rc6</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/security/apparmor/capability.c?h=v3.6-rc6</id>
<link rel='self' href='https://git.amat.us/linux/atom/security/apparmor/capability.c?h=v3.6-rc6'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2012-04-09T16:23:04Z</updated>
<entry>
<title>LSM: do not initialize common_audit_data to 0</title>
<updated>2012-04-09T16:23:04Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2012-04-04T19:01:43Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=50c205f5e5c2e2af002fd4ef537ded79b90b1b56'/>
<id>urn:sha1:50c205f5e5c2e2af002fd4ef537ded79b90b1b56</id>
<content type='text'>
It isn't needed.  If you don't set the type of the data associated with
that type it is a pretty obvious programming bug.  So why waste the cycles?

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
</content>
</entry>
<entry>
<title>apparmor: move task from common_audit_data to apparmor_audit_data</title>
<updated>2012-04-09T16:23:02Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2012-04-04T19:01:42Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=0972c74ecba4878baa5f97bb78b242c0eefacfb6'/>
<id>urn:sha1:0972c74ecba4878baa5f97bb78b242c0eefacfb6</id>
<content type='text'>
apparmor is the only LSM that uses the common_audit_data tsk field.
Instead of making all LSMs pay for the stack space move the aa usage into
the apparmor_audit_data.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
</content>
</entry>
<entry>
<title>LSM: remove the COMMON_AUDIT_DATA_INIT type expansion</title>
<updated>2012-04-09T16:23:01Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2012-04-04T19:01:42Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=bd5e50f9c1c71daac273fa586424f07205f6b13b'/>
<id>urn:sha1:bd5e50f9c1c71daac273fa586424f07205f6b13b</id>
<content type='text'>
Just open code it so grep on the source code works better.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
</content>
</entry>
<entry>
<title>LSM: shrink sizeof LSM specific portion of common_audit_data</title>
<updated>2012-04-03T16:48:40Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2012-04-03T16:37:02Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=3b3b0e4fc15efa507b902d90cea39e496a523c3b'/>
<id>urn:sha1:3b3b0e4fc15efa507b902d90cea39e496a523c3b</id>
<content type='text'>
Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop.  This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union.  Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>AppArmor: mediation of non file objects</title>
<updated>2010-08-02T05:38:35Z</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2010-07-29T21:48:05Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=0ed3b28ab8bf460a3a026f3f1782bf4c53840184'/>
<id>urn:sha1:0ed3b28ab8bf460a3a026f3f1782bf4c53840184</id>
<content type='text'>
ipc:
AppArmor ipc is currently limited to mediation done by file mediation
and basic ptrace tests.  Improved mediation is a wip.

rlimits:
AppArmor provides basic abilities to set and control rlimits at
a per profile level.  Only resources specified in a profile are controlled
or set.  AppArmor rules set the hard limit to a value &lt;= to the current
hard limit (i.e. they can not currently raise hard limits), and if
necessary will lower the soft limit to the new hard limit value.

AppArmor does not track resource limits to reset them when a profile
is left so that children processes inherit the limits set by the
parent even if they are not confined by the same profile.

Capabilities:  AppArmor provides a per profile mask of capabilities,
that will further restrict.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
</feed>
