> @@ -546,17 +534,40 @@ static void __ns_list_release(struct list_head *head);
>   */
>  static void destroy_namespace(struct aa_namespace *ns)
>  {
> +     struct aa_profile *unconfined;
> +
>       if (!ns)
>               return;
>  
> -     write_lock(&ns->lock);
> +     mutex_lock(&ns->lock);
>       /* release all profiles in this namespace */
>       __profile_list_release(&ns->base.profiles);
>  
>       /* release all sub namespaces */
>       __ns_list_release(&ns->sub_ns);
>  
> -     write_unlock(&ns->lock);
> +     unconfined = ns->unconfined;
> +     /*
> +      * break the ns, unconfined profile cyclic reference and forward
> +      * all new unconfined profiles requests to the parent namespace
> +      * This will result in all confined tasks that have a profile
> +      * being removed, inheriting the parent->unconfined profile.
> +      */
> +     if (ns->parent)
> +             ns->unconfined = aa_get_profile(ns->parent->unconfined);

Incidentally, the comment in alloc_namespace() is incorrect now that
this code block has moved to a different function:

        /*
         * released by free_namespace, however __remove_namespace breaks
         * the cyclic references (ns->unconfined, and unconfined->ns) and
         * replaces with refs to parent namespace unconfined
         */


It might not actually matter much that the name has changed, since
__remove_namespace() calls destroy_namespace().. but it does bug me a
touch that the outer function has double-leading-underscore and the inner
function doesn't have the double-leading-underscore. Do the names need
some cleanup? (I'd love to see the split removed entirely, but removing
the root namespace is a special-case operation...)

Thanks
