On Thu, 2012-06-07 at 15:34 +0100, Ben Hutchings wrote:
> On Thu, 2012-06-07 at 15:35 +0200, [email protected] wrote:
[...]
> Looking at the network controller patch:
> 
> > --- a/security/apparmor/lsm.c
> > +++ b/security/apparmor/lsm.c
> [...]
> > @@ -621,6 +622,104 @@ static int apparmor_task_setrlimit(struct task_struct 
> > *task,
> >     return error;
> >  }
> >  
> > +static int apparmor_socket_create(int family, int type, int protocol, int 
> > kern)
> > +{
> > +   struct aa_profile *profile;
> > +   int error = 0;
> > +
> > +   if (kern)
> > +           return 0;
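
Review bot: the early `if (kern) return 0;` at the top of apparmor_socket_create is uncommented, and on that path nothing is stored. The hook receives only family, type, protocol and kern, so it has no socket on which to record the exemption. Please add a comment stating that kernel-internal sockets are deliberately left unmediated, and say where the exemption is recorded so that later per-socket checks can honor it.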
> 
> If we don't want to restrict sockets used by the kernel, don't we need
> to store the kern flag for later use by aa_revalidate_sk()?
[...]

Certainly that's what SELinux does (in the socket_post_create hook).

Ben.

-- 
Ben Hutchings
I haven't lost my mind; it's backed up on tape somewhere.
