Re: [PATCH v14 22/23] LSM: Add /proc attr entry for full LSM context

On 1/27/20 12:05 PM, Simon McVittie wrote:
> On Fri, 24 Jan 2020 at 15:16:36 -0500, Stephen Smalley wrote:
> > Aside from the trailing newline and \0 issues, AppArmor also has a
> > whitespace-separated (mode) field that may or may not be present in the
> > contexts it presently returns, ala "/usr/sbin/cupsd (enforce)".
>
> My understanding from last time I worked with AppArmor is that this
> is genuinely part of the context, and whether it is present or absent
> does not vary according to the kernel API used to access contexts.
> AppArmor-specific higher-level APIs parse it into a label and an optional
> mode, but LSM-agnostic user-space APIs (like the one in dbus) pass the
> whole string through as-is.
>
> (In practice it seems to be present if and only if the context is
> something other than "unconfined", although I don't know offhand whether
> that's an API guarantee.)

Correct, currently it is always included unless the context is unconfined.
There is no guarantee that I am aware of beyond that this is what the code
did in the past, and so as to not break things we continue to do exactly
that.

The mode certainly does not need to be included in a newer interface.
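The existing context format discussed above (a label followed by an optional whitespace-separated "(mode)" field, with a trailing newline or NUL depending on the interface), parsed in C as a user-space consumer of /proc/<pid>/attr would have to do it. This is an added example, not code from the thread, the kernel, or libapparmor; the struct and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct aa_context {
    char label[256];   /* profile label, e.g. "/usr/sbin/cupsd" or "unconfined" */
    char mode[32];     /* e.g. "enforce"; empty string when has_mode is false */
    bool has_mode;
};

/* Parse a raw context of `len` bytes as read from /proc/<pid>/attr/current.
 * Returns 0 on success, -1 if the result is empty or too large to store. */
int parse_apparmor_context(const char *raw, size_t len, struct aa_context *out)
{
    /* Drop the trailing '\n' and/or '\0' that the interface may append. */
    while (len > 0 && (raw[len - 1] == '\0' || raw[len - 1] == '\n'))
        len--;
    if (len == 0 || len >= sizeof(out->label))
        return -1;
    memset(out, 0, sizeof(*out));
    size_t label_len = len;
    /* Optional mode: the string ends in ')' and has a " (" separator before it.
     * Without that separator the whole string is kept verbatim as the label. */
    if (raw[len - 1] == ')') {
        for (size_t i = len - 1; i > 0; i--) {
            if (raw[i] != '(' || raw[i - 1] != ' ')
                continue;
            size_t mode_len = len - 1 - (i + 1);   /* bytes between '(' and ')' */
            if (mode_len == 0 || mode_len >= sizeof(out->mode) || i - 1 == 0)
                return -1;                /* "()", oversized mode, or empty label */
            memcpy(out->mode, raw + i + 1, mode_len);
            out->has_mode = true;
            label_len = i - 1;            /* everything before " (mode)" */
            break;
        }
    }
    memcpy(out->label, raw, label_len);
    return 0;
}

/* Check helper: 1 if `raw` parses to exactly `label` and `mode`
 * (mode == NULL means "no mode field expected"), else 0. */
int context_matches(const char *raw, size_t len, const char *label, const char *mode)
{
    struct aa_context c;
    if (parse_apparmor_context(raw, len, &c) != 0 || strcmp(c.label, label) != 0)
        return 0;
    return mode ? (c.has_mode && strcmp(c.mode, mode) == 0) : !c.has_mode;
}
```

Passing the byte count actually read (rather than relying on strlen) is what lets the same parser cope with both the NUL-terminated and the newline-terminated variants the thread mentions.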