[apparmor] [Patch] [Bug 731184] Re: apparmor_parser fails to consider its own time stamp when determining if profile cache is stale
john.johansen at canonical.com
Tue Mar 8 22:57:36 UTC 2011
On 03/08/2011 02:48 PM, Steve Beattie wrote:
> On Tue, Mar 08, 2011 at 02:13:33PM -0800, John Johansen wrote:
>> On 03/08/2011 11:26 AM, Kees Cook wrote:
>>> On Tue, Mar 08, 2011 at 10:50:58AM -0800, John Johansen wrote:
>>>> + cmd = fopen(progname, "r");
>>> Unfortunately, this won't work since "progname" may be relative to a
>>> PATH directory.
>>> $ /sbin/apparmor_parser -h | grep Usage
>>> Usage: /sbin/apparmor_parser [options] [profile]
>>> $ apparmor_parser -h | grep Usage
>>> Usage: apparmor_parser [options] [profile]
>>> I would suggest fully canonicalizing either progname or this fopen target
>>> using readlink(/proc/self/exe).
>>> I would learn toward the former, actually, so that invocation method
>>> doesn't change the Usage output, etc.
>> hrmm, I actually lean towards the latter, mostly because the usage message
>> matches how the parser was invoked.
>> Also if going with the latter we can just directly open /proc/self/exe
> I think this approach is okay; I'm guessing situations where /proc is
> either not mounted or in a non-standard location may have similar issues
> around sysfs. And even if that's the case, we'd not be any worse off
> than the current situtation.
> Kees: is there a specific objection you have to this approach?
committed with steve's test cases
More information about the AppArmor