mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00

Update apparmor_kernel_development_guide

John Johansen
2018-10-07 06:47:23 +00:00
parent 457c8acbfe
commit 22a5c5d359

@@ -201,6 +201,16 @@ view
## pre 4.13
Domain transitions pre 4.13 are fairly straight forward. The task's confinement is a single profile, refcounted from the apparmor task_ctx struct off of the the task's cred.
task -> cred -> security (task_ctx) -> profile
The confining profile can transition to single profile, either the same or something different dependent on the profile rules.
| Profile | |Transition |
|---------|--|-----------|
| A | -> | D |
## post 4.13
AppArmor replaced the profile* stored in the task_ctx stored off the cred with a label*. Domain transition now consist of building a new label. To do this we walk each profile in the cred label and they can each have a transition
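Review bot: The "pre 4.13" table has an unlabeled middle column (`| Profile | |Transition |`), which renders as an empty header; either give it a name or drop the arrow column and write the row as `| A | D |`. Two wording slips in the same region: "off of the the task's cred" doubles "the", and "Domain transition now consist of building a new label" should read "consists". The post 4.13 paragraph would also benefit from stating explicitly that the resulting transition is itself a label made of the individual profile transitions, since that is what the later "A&B&C&D" example relies on.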
@@ -220,6 +230,13 @@ So for the above example the built label would be
A&B&C&D
## post 4.17
In 4.17 the confinement label was split from the task specific tracking information (change_hat, onexec, ...). The label becomes directly referenced by that cred->security field while that task_ctx is now referenced by the task's security field.
task->cred->security (label)
task->security->task_ctx
In addition the task_ctx picked up a new nnp field
the task->security->nnp field is also a label but it might not be the
same as the task's cred because we are already allowing some limited
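Review bot: The sentence "The label becomes directly referenced by that cred->security field while that task_ctx is now referenced by the task's security field" uses "that" where "the" is meant, and the two reference chains that follow are easier to read if introduced as a list. "In addition the task_ctx picked up a new nnp field" is missing a full stop and runs straight into the next sentence; spelling out that nnp refers to the no_new_privs state (the label captured when no_new_privs is set, so later transitions can be checked against it) would make the paragraph self-contained rather than relying on the reader to know the abbreviation.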