[apparmor] [PATCH 2/5] Only apply disable to operations that actually load to kernel
Kees Cook
kees at ubuntu.com
Fri Dec 30 16:17:46 UTC 2011
Hi John,
What's the reasoning here? "disable" is to avoid processing at all. It doesn't
make sense to me to not skip disabled profiles here. What use-case am I
overlooking?
-Kees
On Tue, Dec 27, 2011 at 06:49:32PM -0800, John Johansen wrote:
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
> parser/parser_main.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/parser/parser_main.c b/parser/parser_main.c
> index 721582d..2a39ffc 100644
> --- a/parser/parser_main.c
> +++ b/parser/parser_main.c
> @@ -886,7 +886,7 @@ int process_profile(int option, char *profilename)
> else
> basename = profilename;
>
> - if (test_for_dir_mode(basename, "disable")) {
> + if (PRIVILEGED_OPS && test_for_dir_mode(basename, "disable")) {
> if (!conf_quiet)
> PERROR("Skipping profile in %s/disable: %s\n", basedir, basename);
> goto out;
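Review bot: The new `PRIVILEGED_OPS &&` guard on the `test_for_dir_mode(basename, "disable")` check has no comment, and the commit message has no body, so nothing says which operations should still process a profile that sits in the disable directory. With this condition, any run where PRIVILEGED_OPS is false falls through past the "Skipping profile" branch and handles the disabled profile like any other, with no message to say so. PRIVILEGED_OPS is also used without reference to the `option` argument of process_profile(), so the hunk alone does not show what state it tests. Please add a one-line comment above the `if` naming the operations that bypass the skip, and explain the intended use case in the commit message.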
> --
> 1.7.7.3
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
--
Kees Cook