[apparmor] [patch] Fix init script filtering of hats

Kees Cook kees at ubuntu.com
Tue May 31 23:34:36 UTC 2011


On Tue, May 31, 2011 at 01:30:17PM -0700, Steve Beattie wrote:
> This patch fixes the init scripts helper functions file to
> filter out the hat/child process separator as currently used
> by the parser, '//' rather than what used to be used, the '^'
> symbol. This fixes bugs where profiles that covered regexes (e.g.
> '/usr/lib/firefox-4.0.1/firefox{,*[^s][^h]}') and thus were being
> improperly filtered away and unloaded when reloading apparmor policy.

Does this handle having hats change on a profile reload? If that works,
then +1 from me. I looked at changing this to // before, but discovered
that sorting was a smaller change to fix the reload bug I had hit at the
time (trying to unload the hats after the main profile was unloaded).

> This patch is nominated for trunk and apparmor 2.6.2.

+1

-- 
Kees Cook
Ubuntu Security Team
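
The separator change described in the quoted patch summary, as an added example that is not part of the original message or of the AppArmor init scripts. The profile list is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of loaded profile names, one per line.
# Hats/child profiles use the '//' separator; one top-level profile
# name contains '^' inside a character class.
sample_profiles() {
cat <<'EOF'
/usr/sbin/apache2
/usr/sbin/apache2//DEFAULT_URI
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/firefox-4.0.1/firefox{,*[^s][^h]}
/sbin/dhclient
EOF
}

# Filter keyed on the old separator: drops every name containing '^'.
filter_hats_caret() { grep -v -F -- '^'; }

# Filter keyed on the current separator: drops every name containing '//'.
filter_hats_slashes() { grep -v -F -- '//'; }

# Count the names on stdin that contain the fixed string $1.
# grep -c exits non-zero on a count of 0, so the status is masked.
count_containing() { grep -c -F -- "$1" || true; }

# Show what each filter treats as a top-level profile.
echo "caret filter keeps:"
sample_profiles | filter_hats_caret | sed 's/^/  /'
echo "slash filter keeps:"
sample_profiles | filter_hats_slashes | sed 's/^/  /'
```

The caret filter loses the firefox profile and lets both `//` hats through as if they were top-level profiles; the slash filter keeps the firefox profile and removes only the hats.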


