[apparmor] [PATCH 2/2] Update profile generation so LIB and image perms can be disabled separately
John Johansen
john.johansen at canonical.com
Wed Jan 11 11:34:30 UTC 2012
On 01/11/2012 12:27 PM, Steve Beattie wrote:
> On Wed, Jan 11, 2012 at 11:03:39AM +0100, John Johansen wrote:
>> There are special cases where we need to disable the auto generation of
>> lib or image rules. Split disabling of defaults up and use this in
>> exec.sh instead of -N and specifying hard coded paths for the libs.
>>
>> This fixes the problem that exec.sh has when used under multiarch.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>
> I'm currently working on pushing the library dependency computation out
> of prologue.inc and into mkprofile.pl; I hadn't thought about splitting
> apart -N into -I and -L, but I can probably do that.
>
> Though that said, exec.sh is the only consumer of -N, so perhaps we
> should just support -I, unless you foresee additional tests that need -L
> support.
>
Well, I was considering it, but I am fine with just -I atm.
>> ---
>> tests/regression/apparmor/exec.sh | 2 +-
>> tests/regression/apparmor/prologue.inc | 29 +++++++++++++++++++++--------
>> 2 files changed, 22 insertions(+), 9 deletions(-)
>>
>> diff --git a/tests/regression/apparmor/exec.sh b/tests/regression/apparmor/exec.sh
>> index 80fbd61..f4481cb 100755
>> --- a/tests/regression/apparmor/exec.sh
>> +++ b/tests/regression/apparmor/exec.sh
>> @@ -66,5 +66,5 @@ runchecktest "EXEC unconfined -> confined" pass $file
>>
>> # UNCONFINED -> CONFINED no access to self binary
>>
>> -genprofile -N image=$file "/lib{64,}/ld*.so*:rix" "/lib{64,}/lib*.so*:rm"
>> +genprofile -I image=$file
>> runchecktest "EXEC unconfined -> confined/no access to self" pass $file
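Review bot: dropping the explicit `/lib{64,}/ld*.so*:rix` and `/lib{64,}/lib*.so*:rm` rules makes this test's expected pass depend on the library set that prologue.inc computes including the dynamic loader with `ix` permission, since the hard-coded rule was the only thing granting the loader execute access; worth confirming that set covers the loader on every architecture the multiarch fix targets before relying on `-I` alone here.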
>> diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
>> index 9c6aa0c..62dbf81 100755
>> --- a/tests/regression/apparmor/prologue.inc
>> +++ b/tests/regression/apparmor/prologue.inc
>> @@ -353,16 +353,24 @@ emit_profile()
>>
>> name=$1; perm=$2; shift 2
>>
>> - if [ "$subprofile" -eq 1 -o "$nodefaults" -eq 1 ]
>> - then
>> - # skip dynamic libs for subprofiles
>> - $bin/mkprofile.pl ${mkflags} "$name" ${outfile}:w "$@" >> $profile
>> + local imageperm="${name}:${perm}"
>>
>> - else
>> + if [ "$nolibs" -eq 1 ] ; then
>> + dynlibs="";
>> + fi
>> +
>> + if [ "$noimage" -eq 1 ] ; then
>> + imageperm="";
>> + fi
>>
>> - $bin/mkprofile.pl ${mkflags} "$name" ${name}:${perm} $dynlibs ${outfile}:w "$@" >> $profile
>> + if [ "$subprofile" -eq 1 ] ; then
>> + # skip dynamic libs for subprofiles
>> + dynlibs="";
>> + imageperm="";
>> fi
>>
>> + $bin/mkprofile.pl ${mkflags} "$name" ${imageperm} ${dynlibs} ${outfile}:w "$@" >> $profile
>> +
>> echo $name >> $profilenames
>> }
>>
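Review bot: `dynlibs=""` in the `nolibs` and `subprofile` branches assigns to the global `dynlibs` that prologue.inc computed (emit_profile is a plain function, so unless it runs in a subshell the assignment persists), which means any later genprofile call in the same test script silently loses its library rules; the old code left `dynlibs` intact and only omitted it from the mkprofile.pl argument list. Mirror the `imageperm` handling with a local copy, e.g. `local libs="${dynlibs}"`, clear that instead, and pass `${libs}` on the mkprofile.pl line. While here, the comment `# skip dynamic libs for subprofiles` now also covers the image rule and could say so.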
>> @@ -379,7 +387,8 @@ fi
>>
>> complainflag=""
>> escapeflag=""
>> - nodefaults=0
>> + nolibs=0
>> + noimage=0
>> while /bin/true
>> do
>> case "$1" in
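Review bot: with `nodefaults=0` removed, any remaining `$nodefaults` reference elsewhere in prologue.inc (the only one visible in this patch was in emit_profile) would now expand to empty and make a `[ "$nodefaults" -eq 1 ]` test fail with a unary-operator error rather than being skipped; a quick grep for `nodefaults` before committing would rule that out.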
>> @@ -387,7 +396,11 @@ fi
>> ;;
>> "-E") escapeflag="-E"
>> ;;
>> - "-N") nodefaults=1
>> + "-L") nolibs=1
>> + ;;
>> + "-I") noimage=1
>> + ;;
>> + "-N") nolibs=1 ; noimage=1
>> ;;
>> *) break
>> ;;
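Review bot: `-N` is kept as a synonym for `-L -I`, but after the exec.sh change nothing in the tree uses `-N` or `-L`, as the thread notes exec.sh was the only consumer of `-N`. Either drop the unused flags per the suggestion of supporting only `-I`, or add a line to genprofile's usage/comment block stating that `-N` is equivalent to `-L -I`, so the next reader does not have to infer the relationship from the case arms.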
>> --
>> 1.7.7.3