[apparmor] [patch] Two patches to AppArmor.pm/autodep

John Johansen john.johansen at canonical.com
Mon Jan 9 16:23:37 UTC 2012


On 01/09/2012 04:59 PM, Steve Beattie wrote:
> This patch updates the initial profile generation for python and ruby
> scripts to include the respective abstractions.
> 
Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  utils/Immunix/AppArmor.pm |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> Index: b/utils/Immunix/AppArmor.pm
> ===================================================================
> --- a/utils/Immunix/AppArmor.pm
> +++ b/utils/Immunix/AppArmor.pm
> @@ -776,6 +776,10 @@ sub create_new_profile($) {
>                  $profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
>              } elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
>                  $profile->{$fqdbin}{include}->{"abstractions/bash"} = 1;
> +            } elsif ($interpreter =~ m/python/) {
> +                $profile->{$fqdbin}{include}->{"abstractions/python"} = 1;
> +            } elsif ($interpreter =~ m/ruby/) {
> +                $profile->{$fqdbin}{include}->{"abstractions/ruby"} = 1;
>              }
>              handle_binfmt($profile->{$fqdbin}, $interpreter);
>          } else {
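
Review bot: the new `m/python/` and `m/ruby/` tests match the substring anywhere in the resolved interpreter path, while the bash branch directly above anchors on `/bin/(bash|sh)`. Any interpreter path that merely contains "python" or "ruby" in a directory name would pull the abstraction into the generated profile and widen it. Consider anchoring on the basename instead, for example `m{/python[0-9.]*$}` and `m{/ruby[0-9.]*$}`.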
> 
> 
> This patch fixes the profile autogeneration code to include read access
> to the script itself for interpreted scripts.
> 
> ---
>  utils/Immunix/AppArmor.pm |    2 ++
>  1 file changed, 2 insertions(+)
> 
> Index: b/utils/Immunix/AppArmor.pm
> ===================================================================
> --- a/utils/Immunix/AppArmor.pm
> +++ b/utils/Immunix/AppArmor.pm
> @@ -770,6 +770,8 @@ sub create_new_profile($) {
>          my $hashbang = head($fqdbin);
>          if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
>              my $interpreter = get_full_path($1);
> +            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= str_to_mode("r");
> +            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
>              $profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");
>              $profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
>              if ($interpreter =~ /perl/) {
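
Review bot: the second added line ORs `{mode}` with 0, which is a no-op after the `str_to_mode("r")` line above it. The interpreter entry just below sets `{mode}` and then `{audit} |= 0`, so this looks like a copy-paste slip that leaves `{audit}` for `$fqdbin` unset in this hunk. Suggest changing it to `$profile->{$fqdbin}{allow}{path}->{$fqdbin}{audit} |= 0;`.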
> 
> 
> 
> 



