[apparmor] [PATCH 1/6] Update x conflict failure message

John Johansen john.johansen at canonical.com
Fri Feb 18 01:22:15 UTC 2011


Output a better failure message when a conflict of x permissions causes
policy compilation to fail.  We don't have enough information available
during the dfa compilation to output which rules conflict, so just improve
the message to let people know that it means there are conflicting x
modifiers in the rules.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/immunix.h               |    4 ++--
 parser/libapparmor_re/regexp.y |    3 +++
 parser/parser_merge.c          |    2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/parser/immunix.h b/parser/immunix.h
index 0d1729f..72446fc 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -150,12 +150,12 @@ static inline int is_merged_x_consistent(int a, int b)
 {
 	if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
 	    ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
-{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
+	  { //fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
 		return 0;
 }
 	if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
 	    ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
-{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
+	  { //fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
 		return 0;
 }
 	return 1;
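Review bot: The two `fprintf` debug lines in is_merged_x_consistent are commented out rather than deleted, which leaves dead code in a header and a block whose opening `{` is indented differently from its closing `}`. Removing both lines and the braces they sat in would let each condition be followed directly by `return 0;`, for the AA_USER_EXEC check and the AA_OTHER_EXEC check alike. The function's closing brace lies outside the hunk.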
diff --git a/parser/libapparmor_re/regexp.y b/parser/libapparmor_re/regexp.y
index c07b1cf..e0b47b2 100644
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@@ -2823,6 +2823,9 @@ uint32_t accept_perms(NodeSet *state, uint32_t *audit_ctl, int *error)
 //if (perms & AA_CHANGE_HAT)
 //     fprintf(stderr, "change_hat 0x%x\n", perms);
 
+    if (*error)
+	    PERROR(_("profile has merged rule %s with conflicting x modifiers\n"));
+
     return perms;
 }
 
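Review bot: The added `PERROR` call in accept_perms passes a format string containing `%s` but supplies no argument for it. PERROR looks printf-style, judging by its use in parser_merge.c; if so, the error path reads an indeterminate vararg as a string pointer. That is undefined behaviour and can crash the parser or print unrelated memory at the moment a policy conflict is being reported. The description says the rule name is not available at this point, so the conversion should be dropped: `PERROR(_("profile has merged rule with conflicting x modifiers\n"));`. accept_perms begins outside the hunk.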
diff --git a/parser/parser_merge.c b/parser/parser_merge.c
index cc6ffb1..7044bfc 100644
--- a/parser/parser_merge.c
+++ b/parser/parser_merge.c
@@ -108,7 +108,7 @@ static int process_file_entries(struct codomain *cod)
 		if (file_comp(&cur, &next) == 0) {
 			/* check for merged x consistency */
 			if (!is_merged_x_consistent(cur->mode, next->mode)) {
-				PERROR(_("profile %s: has merged rule %s with multiple x modifiers\n"),
+				PERROR(_("profile %s: has merged rule %s with conflicting x modifiers\n"),
 				       cod->name, cur->name);
 				return 0;
 			}
-- 
1.7.1



