mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-06 09:21:00 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

libapparmor: Open fds may be revalidated after aa_change_profile()

Browse source 
It is possible that file descriptors will be revalidated after an
aa_change_profile() but there is a lot of complexity involved that
doesn't need to be spelled out in the man page. Instead, mention that
revalidation is possible but the only way to ensure that file
descriptors are not passed on is to close them.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
Tyler Hicks 2016-01-27 13:38:39 -06:00
parent a492bcfc80
commit 4c04a05996
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
libraries/libapparmor/doc/aa_change_profile.pod
View file

@ -48,7 +48,7 @@ If a program wants to return out of the current profile to the
original profile, it may use aa_change_hat(2). Otherwise, the two profiles must original profile, it may use aa_change_hat(2). Otherwise, the two profiles must
have rules permitting changing between the two profiles. have rules permitting changing between the two profiles.
Open file descriptors are not remediated after a call to aa_change_profile() Open file descriptors may not be remediated after a call to aa_change_profile()
so the calling program must close(2) open file descriptors to ensure they so the calling program must close(2) open file descriptors to ensure they
are not available after calling aa_change_profile(). As aa_change_profile() are not available after calling aa_change_profile(). As aa_change_profile()
is typically used just before execve(2), you may want to use open(2) or is typically used just before execve(2), you may want to use open(2) or