[apparmor] [PATCH 2/2] Update profile generation so LIB and image perms can be disabled separately
Steve Beattie
steve at nxnw.org
Wed Jan 11 11:27:17 UTC 2012
On Wed, Jan 11, 2012 at 11:03:39AM +0100, John Johansen wrote:
> There are special cases where we need to disable the auto generation of
> lib or image rules. Split disabling of defaults up and use this in
> exec.sh instead of -N and specifying hard coded paths for the libs.
>
> This fixes the problem that exec.sh has when used under multiarch
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
I'm currently working on pushing the library dependency computation out
of prologue.inc and into mkprofile.pl; I hadn't thought about splitting
apart -N into -I and -L, but I can probably do that.
Though that said, exec.sh is the only consumer of -N, so perhaps we
should just support -I, unless you foresee additional tests that need -L
support.
> ---
> tests/regression/apparmor/exec.sh | 2 +-
> tests/regression/apparmor/prologue.inc | 29 +++++++++++++++++++++--------
> 2 files changed, 22 insertions(+), 9 deletions(-)
>
> diff --git a/tests/regression/apparmor/exec.sh b/tests/regression/apparmor/exec.sh
> index 80fbd61..f4481cb 100755
> --- a/tests/regression/apparmor/exec.sh
> +++ b/tests/regression/apparmor/exec.sh
> @@ -66,5 +66,5 @@ runchecktest "EXEC unconfined -> confined" pass $file
>
> # UNCONFINED -> CONFINED no access to self binary
>
> -genprofile -N image=$file "/lib{64,}/ld*.so*:rix" "/lib{64,}/lib*.so*:rm"
> +genprofile -I image=$file
> runchecktest "EXEC unconfined -> confined/no access to self" pass $file
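Review bot: the comment above the changed genprofile line in exec.sh still says only "no access to self binary" and does not mention that -I is what withholds the image rule. The removed line granted "/lib{64,}/ld*.so*:rix" and "/lib{64,}/lib*.so*:rm" explicitly, while the new one relies on the library rules that prologue.inc generates by default, so a short comment stating that the test depends on those auto-generated rules covering the loader and libraries would make a failure here easier to diagnose.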
> diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
> index 9c6aa0c..62dbf81 100755
> --- a/tests/regression/apparmor/prologue.inc
> +++ b/tests/regression/apparmor/prologue.inc
> @@ -353,16 +353,24 @@ emit_profile()
>
> name=$1; perm=$2; shift 2
>
> - if [ "$subprofile" -eq 1 -o "$nodefaults" -eq 1 ]
> - then
> - # skip dynamic libs for subprofiles
> - $bin/mkprofile.pl ${mkflags} "$name" ${outfile}:w "$@" >> $profile
> + local imageperm="${name}:${perm}"
>
> - else
> + if [ "$nolibs" -eq 1 ] ; then
> + dynlibs="";
> + fi
> +
> + if [ "$noimage" -eq 1 ] ; then
> + imageperm="";
> + fi
>
> - $bin/mkprofile.pl ${mkflags} "$name" ${name}:${perm} $dynlibs ${outfile}:w "$@" >> $profile
> + if [ "$subprofile" -eq 1 ] ; then
> + # skip dynamic libs for subprofiles
> + dynlibs="";
> + imageperm="";
> fi
>
> + $bin/mkprofile.pl ${mkflags} "$name" ${imageperm} ${dynlibs} ${outfile}:w "$@" >> $profile
> +
> echo $name >> $profilenames
> }
>
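Review bot: in emit_profile, imageperm is declared local but dynlibs is overwritten in place (dynlibs=""; in both the nolibs and subprofile branches), whereas the removed code only left $dynlibs off the mkprofile.pl command line. Unless dynlibs is recomputed before every call, which these lines do not show, one subprofile or -L invocation leaves later profiles without library rules, and in a test suite that silently changes what confinement is actually being tested. Suggest copying into a local, for example local libs="$dynlibs", clearing that, and passing ${libs}. The "# skip dynamic libs for subprofiles" comment should also be updated, since that branch now clears the image permission too.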
> @@ -379,7 +387,8 @@ fi
>
> complainflag=""
> escapeflag=""
> - nodefaults=0
> + nolibs=0
> + noimage=0
> while /bin/true
> do
> case "$1" in
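Review bot: nodefaults is no longer initialised here, so any reference to $nodefaults outside the hunks in this patch would now expand to an empty string and fail a numeric test such as [ "$nodefaults" -eq 1 ] with an error rather than evaluating false. Worth confirming with a grep over the regression tests that no other user remains before this is applied.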
> @@ -387,7 +396,11 @@ fi
> ;;
> "-E") escapeflag="-E"
> ;;
> - "-N") nodefaults=1
> + "-L") nolibs=1
> + ;;
> + "-I") noimage=1
> + ;;
> + "-N") nolibs=1 ; noimage=1
> ;;
> *) break
> ;;
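Review bot: the new "-L" and "-I" arms in the option case statement carry no documentation, and "-N" is now shorthand for both without saying so. A comment on each arm (for example, -L: omit generated library rules, -I: omit the image rule, -N: both) or an update to wherever genprofile's options are described would keep test authors from having to read emit_profile to learn what each flag removes from the generated profile.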
> --
> 1.7.7.3
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/