[apparmor] [PATCH] various aa-notify fixes

Jamie Strandboge jamie at canonical.com
Tue Aug 16 22:13:05 UTC 2011


Hi,

Christian Boltz reported several problems (via IRC) with aa-notify when
used on OpenSUSE. Attaching all patches in this email as they are all
quite straightforward.

0001-drop-supplemental-groups.patch:
  utils/aa-notify:
  - drop supplemental group privileges too. While POSIX::setgid() works nice in
    that it will set both the real uid and euid, it doesn't do anything with the
    supplemental groups (sigh). Instead, assign to $( and $) in a manner that
    clears the supplemental groups.


0002-update-aa-notify-manpage-for-user-and-p.patch:
  utils/aa-notify.pod: update to clarify '-u' argument when using '-p'.


0003-check-dirname-with-auditd.patch:
  utils/aa-notify:
  
  aa-notify would abort if it could not stat the logfile, as can happen when
  using auditd and the directory perms for the logfile do not allow access (x).
  Adjust get_logfile_size() and get_logfile_inode() to raise then drop
  privileges if the logfile parent directory is not executable.

  Interestingly, this issue was masked on Ubuntu because of the improper
  dropping of supplemental groups fixed in 0001, above.


-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-drop-supplemental-groups.patch
Type: text/x-patch
Size: 1625 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110816/9d3c5995/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-update-aa-notify-manpage-for-user-and-p.patch
Type: text/x-patch
Size: 818 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110816/9d3c5995/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-check-dirname-with-auditd.patch
Type: text/x-patch
Size: 2498 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20110816/9d3c5995/attachment-0002.bin>
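
The supplemental-group drop described for 0001 above, as an added example in Perl; it is not part of the original message and not the attached patch, whose contents are not shown on this page. The helper names drop_privileges() and show() and the default account "nobody" are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not the aa-notify patch. drop_privileges(), show() and the
# default account name "nobody" are assumptions made for illustration.
use strict;
use warnings;
use POSIX ();

sub drop_privileges {
    my ($user) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "unknown user '$user'\n";

    # Groups go first: setgroups() needs the privilege we are about to lose.
    # Perl reads a string assigned to $) as "EGID G1 G2 ...": the first number
    # becomes the effective gid and the rest are handed to setgroups(), so
    # "$gid $gid" replaces the inherited supplemental list with just $gid.
    $! = 0;
    $) = "$gid $gid";
    die "setting egid/supplemental groups failed: $!\n" if $!;
    $! = 0;
    $( = $gid;
    die "setting real gid failed: $!\n" if $!;

    # Only now give up the uid; as root this sets real, effective and saved uid.
    POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

    # Verify rather than trust: read the credentials back.
    my ($egid, @supp) = split ' ', $);
    my ($rgid) = split ' ', $(;
    die "gid not dropped\n" unless $egid == $gid && $rgid == $gid;
    die "supplemental groups remain: @supp\n" if grep { $_ != $gid } @supp;
    die "uid not dropped\n" unless $< == $uid && $> == $uid;
    return ($uid, $gid);
}

sub show {
    my ($label) = @_;
    my ($egid, @supp) = split ' ', $);
    printf "%s: uid=%d euid=%d egid=%d supplemental=[%s]\n",
        $label, $<, $>, $egid, join(',', @supp);
}

# Must start as root; the target account is the first argument.
die "run as root to see the drop\n" unless $> == 0;
show('before');
drop_privileges($ARGV[0] // 'nobody');
show('after');
```

Run as root, the "before" line typically lists root's inherited groups, and the "after" line should list only the target account's primary gid.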