• J
    AppArmor: file enforcement routines · 6380bd8d
    John Johansen 提交于
    AppArmor does files enforcement via pathname matching.  Matching is done
    at file open using a dfa match engine.  Permission is against the final
    file object not parent directories, ie. the traversal of directories
    as part of the file match is implicitly allowed.  In the case of nonexistant
    files (creation) permissions are checked against the target file not the
    directory.  eg. In case of creating the file /dir/new, permissions are
    checked against the match /dir/new not against /dir/.
    
    The permissions for matches are currently stored in the dfa accept table,
    but this will change to allow for dfa reuse and also to allow for sharing
    of wider accept states.
    Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
    Signed-off-by: NJames Morris <jmorris@namei.org>
    6380bd8d
file.c 12.8 KB