[apparmor] [Patch] [Bug 731184] Re: apparmor_parser fails to consider its own time stamp when determining if profile cache is stale

Steve Beattie steve at nxnw.org
Tue Mar 8 22:48:59 UTC 2011


On Tue, Mar 08, 2011 at 02:13:33PM -0800, John Johansen wrote:
> On 03/08/2011 11:26 AM, Kees Cook wrote:
> > On Tue, Mar 08, 2011 at 10:50:58AM -0800, John Johansen wrote:
> >> +	cmd = fopen(progname, "r");
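Review bot: fopen(progname, "r") resolves the name against the current working directory and never searches PATH, so when the parser is started by bare name this call either fails or opens an unrelated file of that name, and the time stamp compared against the cache is then not the parser's own. Open a path that always refers to the running binary (the thread proposes /proc/self/exe) and check the returned pointer for NULL before using cmd, since no check is visible on this line.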
> > 
> > Unfortunately, this won't work since "progname" may be relative to a
> > PATH directory.
> > 
> > $ /sbin/apparmor_parser -h | grep Usage
> > Usage: /sbin/apparmor_parser [options] [profile]
> > 
> > $ apparmor_parser -h | grep Usage
> > Usage: apparmor_parser [options] [profile]
> > 
> > I would suggest fully canonicalizing either progname or this fopen target
> > using readlink(/proc/self/exe).
> > 
> > I would lean toward the former, actually, so that invocation method
> > doesn't change the Usage output, etc.
> > 
> hrmm, I actually lean towards the latter, mostly because the usage message
> matches how the parser was invoked.
> 
> Also if going with the latter we can just directly open /proc/self/exe

I think this approach is okay; I'm guessing situations where /proc is
either not mounted or in a non-standard location may have similar issues
around sysfs. And even if that's the case, we'd not be any worse off
than the current situation.

Kees: is there a specific objection you have to this approach?

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
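
The staleness check discussed in this thread, sketched as an added example (not code from the patch or from the AppArmor project). The function name `cache_is_stale` and its parameters are hypothetical; it assumes a Linux /proc and falls back to the profile-only comparison when the parser binary cannot be stat'ed, matching the "no worse off than the current situation" remark above.

```c
#include <stdio.h>
#include <sys/stat.h>

/*
 * Hypothetical helper: returns 1 if the cache must be rebuilt, 0 if it
 * can be used. self_exe is normally "/proc/self/exe"; stat() follows
 * that link to the binary actually running, however it was invoked.
 * st_mtime has one-second granularity, which is enough for a sketch.
 */
static int cache_is_stale(const char *cache, const char *profile,
			  const char *self_exe)
{
	struct stat c, p, s;

	if (stat(cache, &c) != 0 || stat(profile, &p) != 0)
		return 1;	/* missing cache or profile: rebuild */
	if (p.st_mtime > c.st_mtime)
		return 1;	/* profile edited after cache was written */
	if (stat(self_exe, &s) != 0)
		return 0;	/* no /proc: profile-only check, as before */
	return s.st_mtime > c.st_mtime;	/* parser replaced since then */
}

int main(int argc, char **argv)
{
	if (argc != 3) {
		fprintf(stderr, "usage: %s CACHE PROFILE\n", argv[0]);
		return 2;
	}
	printf("%s\n", cache_is_stale(argv[1], argv[2], "/proc/self/exe")
		       ? "stale" : "fresh");
	return 0;
}
```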