[apparmor] [PATCH 2/5] Only apply disable to operations that actually load to kernel

John Johansen john.johansen at canonical.com
Fri Dec 30 20:10:03 UTC 2011


On 12/30/2011 08:17 AM, Kees Cook wrote:
> Hi John,
>
> What's the reasoning here? "disable" is to avoid processing at all. It doesn't
> make sense to me to not skip disabled profiles here. What use-case am I
> overlooking?
>
Probably this is mostly just me, but I find disable really annoying during
dev and testing of the parser, as I do end up feeding disabled profiles to the
parser.

Thinking about it more though, I should fix how disable is being resolved, i.e.
actually use the symlink, because the problem is that currently it's using
the base name to resolve whether a profile is disabled and not whether the
file being tested is actually the file that is disabled.


> -Kees
>
> On Tue, Dec 27, 2011 at 06:49:32PM -0800, John Johansen wrote:
>> Signed-off-by: John Johansen<john.johansen at canonical.com>
>> ---
>>   parser/parser_main.c |    2 +-
>>   1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/parser/parser_main.c b/parser/parser_main.c
>> index 721582d..2a39ffc 100644
>> --- a/parser/parser_main.c
>> +++ b/parser/parser_main.c
>> @@ -886,7 +886,7 @@ int process_profile(int option, char *profilename)
>>   		else
>>   			basename = profilename;
>>
>> -		if (test_for_dir_mode(basename, "disable")) {
>> +		if (PRIVILEGED_OPS&&  test_for_dir_mode(basename, "disable")) {
>>    			if (!conf_quiet)
>>    				PERROR("Skipping profile in %s/disable: %s\n", basedir, basename);
>>   			goto out;
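Review bot: the condition at `if (PRIVILEGED_OPS&&  test_for_dir_mode(basename, "disable"))` changes when the disable check runs, not what it checks: for privileged (kernel-loading) operations `test_for_dir_mode(basename, "disable")` still keys on the basename, so a same-named profile file from another directory is still skipped on load, while every non-privileged operation now bypasses the skip entirely, which is the behaviour change Kees is asking about. Resolving the disable/ entry as a symlink and comparing its target with the file actually being processed, as the reply proposes, would fix the false match without having to switch the check off for non-privileged runs. The commit message carries only a Signed-off-by; the rationale (non-loading operations such as dev and test parsing should still process disabled profiles) belongs there. Minor: `PRIVILEGED_OPS&&  test_for_dir_mode` wants a single space on each side of `&&`, unless that spacing is a mail-quoting artifact.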
>> --
>> 1.7.7.3
>>
>>
>> --
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
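
The distinction drawn in the reply above, a basename match against disable/ versus following the disable/ symlink to the file actually being processed, as an added example; this is not code from the patch or from the AppArmor parser, and the function names, the fixture layout and the `usr.bin.foo` profile name are assumptions made for the demonstration:

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <sys/stat.h>

/* Build "<basedir>/disable/<basename of profile_path>" into buf; -1 if it won't fit. */
static int disable_entry_path(const char *basedir, const char *profile_path,
                              char *buf, size_t len)
{
    const char *base = strrchr(profile_path, '/');
    base = base ? base + 1 : profile_path;
    int n = snprintf(buf, len, "%s/disable/%s", basedir, base);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Basename test: "an entry of that name exists in disable/". Any file with a
 * matching basename is reported as disabled, whichever directory it lives in. */
int disabled_by_basename(const char *basedir, const char *profile_path)
{
    char link[PATH_MAX];
    struct stat st;
    if (disable_entry_path(basedir, profile_path, link, sizeof link) != 0)
        return 0;
    return lstat(link, &st) == 0;
}

/* Symlink test: the disable/ entry must be a symlink, and following it must
 * reach the very file being processed (same device and inode). A missing entry,
 * a plain file in disable/, a dangling link, or a link to a different file of
 * the same name all count as "not disabled". */
int disabled_by_symlink(const char *basedir, const char *profile_path)
{
    char link[PATH_MAX];
    struct stat lst, target, profile;
    if (disable_entry_path(basedir, profile_path, link, sizeof link) != 0)
        return 0;
    if (lstat(link, &lst) != 0 || !S_ISLNK(lst.st_mode))
        return 0;
    if (stat(link, &target) != 0)      /* follows the link; ENOENT if dangling */
        return 0;
    if (stat(profile_path, &profile) != 0)
        return 0;
    return target.st_dev == profile.st_dev && target.st_ino == profile.st_ino;
}

struct demo_result {
    int real_by_name, real_by_link;    /* the profile the symlink points at */
    int other_by_name, other_by_link;  /* a different file, same basename */
    int dangling_by_link;              /* after the link target is removed */
};

/* Constructed fixture (a throwaway temp dir, not a real apparmor.d):
 *   <dir>/usr.bin.foo                  the real profile
 *   <dir>/other/usr.bin.foo            unrelated file with the same basename
 *   <dir>/disable/usr.bin.foo -> ../usr.bin.foo
 * Runs both checks, fills *r, removes the fixture; returns 0 on success. */
int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/aa-disable-demo-XXXXXX";
    char real[PATH_MAX], other[PATH_MAX], disdir[PATH_MAX], otherdir[PATH_MAX], link[PATH_MAX];
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/usr.bin.foo", dir);
    snprintf(disdir, sizeof disdir, "%s/disable", dir);
    snprintf(otherdir, sizeof otherdir, "%s/other", dir);
    snprintf(other, sizeof other, "%s/usr.bin.foo", otherdir);
    snprintf(link, sizeof link, "%s/usr.bin.foo", disdir);
    if (mkdir(disdir, 0755) || mkdir(otherdir, 0755)) return -1;
    if (!(f = fopen(real, "w"))) return -1;
    fputs("/usr/bin/foo { }\n", f); fclose(f);
    if (!(f = fopen(other, "w"))) return -1;
    fputs("/usr/bin/foo { }\n", f); fclose(f);
    if (symlink("../usr.bin.foo", link)) return -1;

    r->real_by_name  = disabled_by_basename(dir, real);
    r->real_by_link  = disabled_by_symlink(dir, real);
    r->other_by_name = disabled_by_basename(dir, other);
    r->other_by_link = disabled_by_symlink(dir, other);
    unlink(real);                      /* disable/usr.bin.foo now dangles */
    r->dangling_by_link = disabled_by_symlink(dir, other);

    unlink(link); unlink(other);
    rmdir(disdir); rmdir(otherdir); rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) { perror("fixture"); return 1; }
    printf("real profile:   basename=%d symlink=%d\n", r.real_by_name, r.real_by_link);
    printf("same-name file: basename=%d symlink=%d\n", r.other_by_name, r.other_by_link);
    printf("dangling link:  symlink=%d\n", r.dangling_by_link);
    return 0;
}
```

The basename check reports the unrelated `other/usr.bin.foo` as disabled because an entry of that name exists in disable/; the symlink check compares device and inode of the link target with the file under test, so only the profile the symlink actually points at is skipped, and a dangling or non-symlink entry skips nothing.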
