[apparmor] [Patch] [Bug 731184] Re: apparmor_parser fails to consider its own time stamp when determining if profile cache is stale

John Johansen john.johansen at canonical.com
Tue Mar 8 22:57:36 UTC 2011


On 03/08/2011 02:48 PM, Steve Beattie wrote:
> On Tue, Mar 08, 2011 at 02:13:33PM -0800, John Johansen wrote:
>> On 03/08/2011 11:26 AM, Kees Cook wrote:
>>> On Tue, Mar 08, 2011 at 10:50:58AM -0800, John Johansen wrote:
>>>> +	cmd = fopen(progname, "r");
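Review bot: fopen(progname, "r") on this line resolves the name relative to the current working directory rather than through the caller's PATH, so it only finds the binary when the parser was started with a path (as in /sbin/apparmor_parser); a bare `apparmor_parser` invocation will fail, and argv[0] is supplied by whoever exec'd the process anyway, so it need not name the real binary at all. Take the time stamp from the process itself instead, either by stat'ing /proc/self/exe directly or by readlink()'ing it and opening the result.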
>>>
>>> Unfortunately, this won't work since "progname" may be relative to a
>>> PATH directory.
>>>
>>> $ /sbin/apparmor_parser -h | grep Usage
>>> Usage: /sbin/apparmor_parser [options] [profile]
>>>
>>> $ apparmor_parser -h | grep Usage
>>> Usage: apparmor_parser [options] [profile]
>>>
>>> I would suggest fully canonicalizing either progname or this fopen target
>>> using readlink(/proc/self/exe).
>>>
>>> I would lean toward the former, actually, so that invocation method
>>> doesn't change the Usage output, etc.
>>>
>> hrmm, I actually lean towards the latter, mostly because the usage message
>> matches how the parser was invoked.
>>
>> Also if going with the latter we can just directly open /proc/self/exe
> 
> I think this approach is okay; I'm guessing situations where /proc is
> either not mounted or in a non-standard location may have similar issues
> around sysfs. And even if that's the case, we'd not be any worse off
> than the current situation.
> 
> Kees: is there a specific objection you have to this approach?
> 
committed with Steve's test cases
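Here is what the /proc/self/exe approach agreed on in this thread could look like, as an added example that is not part of the AppArmor patch or the parser's own code: it takes the running binary's mtime through /proc/self/exe, compares it with the cache file's mtime, and keeps a `progname_is_openable()` helper only to show why `fopen(progname, ...)` fails when the parser is invoked through PATH. The function names, the /tmp cache path and the cache contents are all constructed for this example, and it assumes a Linux host with /proc mounted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Resolve the running binary's real path through /proc/self/exe.
 * Returns 0 and fills buf on success, -1 if /proc is not available. */
int self_exe_path(char *buf, size_t len)
{
	ssize_t n = readlink("/proc/self/exe", buf, len - 1);
	if (n < 0)
		return -1;
	buf[n] = '\0';
	return 0;
}

/* Decide whether a profile cache is stale relative to the parser itself.
 * Returns 1 if the cache is missing or older than the running binary,
 * 0 if it is at least as new, and -1 if the binary cannot be stat'ed
 * (for instance when /proc is not mounted; the caller decides what to do).
 * stat() follows the /proc/self/exe symlink, so it reports the binary's
 * own mtime, whatever argv[0] happened to say. */
int cache_is_stale(const char *cache_path)
{
	struct stat exe_st, cache_st;

	if (stat("/proc/self/exe", &exe_st) < 0)
		return -1;
	if (stat(cache_path, &cache_st) < 0)
		return 1;
	return exe_st.st_mtime > cache_st.st_mtime ? 1 : 0;
}

/* The approach the original patch line took: open whatever argv[0] says.
 * Returns 1 if that name is openable from the current directory, else 0. */
int progname_is_openable(const char *progname)
{
	FILE *f = fopen(progname, "r");
	if (!f)
		return 0;
	fclose(f);
	return 1;
}

/* Create (or truncate) a constructed cache file and pin its mtime to t. */
int write_cache_with_mtime(const char *path, time_t t)
{
	struct timespec ts[2] = { { t, 0 }, { t, 0 } };
	FILE *f = fopen(path, "w");
	if (!f)
		return -1;
	fputs("constructed cache contents\n", f);
	fclose(f);
	return utimensat(AT_FDCWD, path, ts, 0);
}

/* Self-check against a temporary cache file (constructed path under /tmp):
 * stamped at the epoch it must read as stale, stamped a day in the future
 * it must read as fresh. Returns 0 when both hold, else a step number. */
int selftest(void)
{
	char path[] = "/tmp/apparmor_cache_XXXXXX";
	int fd = mkstemp(path);
	int rc = 0;

	if (fd < 0)
		return 1;
	close(fd);
	if (write_cache_with_mtime(path, 1) < 0 || cache_is_stale(path) != 1)
		rc = 2;
	else if (write_cache_with_mtime(path, time(NULL) + 86400) < 0 ||
		 cache_is_stale(path) != 0)
		rc = 3;
	unlink(path);
	return rc;
}

int main(int argc, char **argv)
{
	char exe[PATH_MAX];

	(void)argc;
	if (self_exe_path(exe, sizeof(exe)) == 0)
		printf("running binary: %s\n", exe);
	printf("fopen(argv[0]=\"%s\"): %s\n", argv[0],
	       progname_is_openable(argv[0]) ? "works" : "fails (invoked via PATH?)");
	printf("selftest: %s\n", selftest() == 0 ? "ok" : "FAILED");
	return 0;
}
```

Run it once as `./a.out` and once with the directory on PATH as `a.out` to see the argv[0] open succeed and then fail while the /proc/self/exe path stays the same. The comparison uses whole-second st_mtime, which is enough for a cache written by an earlier parser build; a -1 from cache_is_stale() is the "/proc not mounted" case Steve mentions, and treating it as stale leaves you no worse off than rebuilding the cache.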
