Update apparmor_kernel_development_guide

John Johansen 2018-10-11 08:17:34 +00:00
parent 182e255b66
commit edf7a6b730

@ -94,10 +94,21 @@ Because the LSM allows at least minor stacking, it is important to not just upda
# ```task labeling```
The task's label (domain type) is stored off of the task's cred security blob, not the task security blob. In older versions of apparmor the data stored in the task security blob was also stored in the cred security blob in addition to the label, and there was no task security blob.
The task's label (domain type) is stored off of the task's cred security blob, not the task security blob.
Except in a few special cases NEVER directly use the cred's label. Doing so could result in using a STALE label, that can lead to strange problems and bug reports.
## pre 4.13
```task -> cred -> security (task_ctx *) -> profile```
## 4.13-4.16
```task -> cred -> security (task_ctx *) -> label```
## 4.17
```task->cred->security (label *)```
4.17 removed the domain label from the task_ctx and moved the remain parts of the task_ctx to the task->security blob,
## critical sections
Instead use
- task context: begin_label_crit_section/end_label_crit_section
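Review bot: "Instead use" under the new "## critical sections" heading has lost its antecedent. The warning it answers ("Except in a few special cases NEVER directly use the cred's label") now sits above the three version sections, so a reader who jumps to "critical sections" sees "Instead use" with nothing to contrast against. Either move the stale-label warning under "## critical sections", directly before the list, or reword the lead-in so it stands alone, for example "Do not read the cred's label directly; use:". Two smaller points in the same hunk: the sentence "4.17 removed the domain label from the task_ctx and moved the remain parts of the task_ctx to the task->security blob," ends on a comma and should read "remaining parts", and the "## 4.17" heading reads as covering only that release, so if the layout also holds for later kernels the heading should say so.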