[apparmor] [PATCH 8/8] Convert codomain to a class

Steve Beattie steve at nxnw.org
Fri Sep 20 19:29:31 UTC 2013


On Fri, Sep 20, 2013 at 12:26:11PM -0700, Steve Beattie wrote:
> On Wed, Sep 11, 2013 at 01:47:47AM -0700, Tyler Hicks wrote:
> > From: John Johansen <john.johansen at canonical.com>
> > 
> > Convert the codomain to a class, and the policy lists that store
> > codomains to stl containers instead of glibc twalk.
> > 
> > Signed-off-by: John Johansen <john.johansen at canonical.com>
> > [tyhicks: Merge with dbus changes and process_file_entries() cleanup]
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> 
> There's still a problem with this patch (even with the other fixes I
> made to it): it's not loading profiles with multiple hats properly:
> 
>   $ cat /tmp/example_profile
>   /tests/regression/apparmor/changehat {
> 
>     ^sub {
>       /proc/*/attr/current w,
>       /tmp/sdtest.1713-15650-z0Mlub/file2 rw,
>     }
> 
>     ^sub2 {
>       /proc/*/attr/current w,
>       /tmp/sdtest.1713-15650-z0Mlub/file2 rw,
>     }
> 
>     ^sub3 {
>       /proc/*/attr/current w,
>       /tmp/sdtest.1713-15650-z0Mlub/file2 rw,
>     }
>   }
> 
>   $ sudo ./apparmor_parser /tmp/example_profile
> 
>   $ sudo grep changehat /sys/kernel/security/apparmor/profiles
>   /tests/regression/apparmor/changehat (enforce)
>   /tests/regression/apparmor/changehat//sub (enforce)
> 
> Rebuilding the parser with debugging enabled for just parser_interface.c
> (via 'make clean all && rm parser_interface.o && make parser_interface.o && make')

Err, this should be:

  make clean all && rm parser_interface.o && make parser_interface.o DEBUG=y && make

> gives the following output when loading the profile:
> 
>   $ sudo ./apparmor_parser /tmp/example_profile
>   parser: Serializing policy for /tests/regression/apparmor/changehat.
>   parser: Writing name 'version'
>   parser: Writing name 'profile'
>   parser: Writing name '(null)'
>   parser: Writing name 'flags'
>   parser: Writing name 'caps64'
>   parser: Writing name 'aadfa'
>   parser: Serializing policy for sub.
>   parser: Writing name 'version'
>   parser: Writing name 'profile'
>   parser: Writing name '(null)'
>   parser: Writing name 'flags'
>   parser: Writing name 'caps64'
>   parser: Writing name 'aadfa'
> 
> I'm not sure why it's only picking out the first of the hats.
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
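A quick regression check for the symptom discussed in this thread, added here as an example and not part of the mailing-list exchange: it takes the profile source and the `/sys/kernel/security/apparmor/profiles` listing and reports which hats the kernel did not receive. Both inputs below are constructed samples modelled on the outputs quoted above; the regexes assume the plain `^hat {` hat syntax and the `name (mode)` listing format shown in the thread.

```python
import re

# Constructed sample: the multi-hat profile quoted in the thread.
PROFILE_TEXT = """\
/tests/regression/apparmor/changehat {

  ^sub {
    /proc/*/attr/current w,
    /tmp/sdtest.1713-15650-z0Mlub/file2 rw,
  }

  ^sub2 {
    /proc/*/attr/current w,
    /tmp/sdtest.1713-15650-z0Mlub/file2 rw,
  }

  ^sub3 {
    /proc/*/attr/current w,
    /tmp/sdtest.1713-15650-z0Mlub/file2 rw,
  }
}
"""

# Constructed sample of `grep changehat /sys/kernel/security/apparmor/profiles`
# reproducing the failure in the thread: only the first hat was loaded.
LOADED_LINES = """\
/tests/regression/apparmor/changehat (enforce)
/tests/regression/apparmor/changehat//sub (enforce)
"""

PROFILE_RE = re.compile(r"^(\S+)\s*\{", re.MULTILINE)      # top-level profile name
HAT_RE = re.compile(r"^\s*\^(\S+)\s*\{", re.MULTILINE)     # indented ^hat { blocks
LOADED_RE = re.compile(r"^(\S+) \((\w+)\)$", re.MULTILINE)  # 'name (mode)' lines

def expected_names(profile_text):
    """Names the kernel should list after a successful load: the profile
    itself plus every hat as 'profile//hat'."""
    profile = PROFILE_RE.search(profile_text).group(1)
    names = {profile}
    names.update(f"{profile}//{hat}" for hat in HAT_RE.findall(profile_text))
    return names

def loaded_names(listing):
    """Names actually present in the kernel's profile listing."""
    return {m.group(1) for m in LOADED_RE.finditer(listing)}

def missing_hats(profile_text, listing):
    """Sorted list of expected names absent from the listing (empty = OK)."""
    return sorted(expected_names(profile_text) - loaded_names(listing))

if __name__ == "__main__":
    for name in missing_hats(PROFILE_TEXT, LOADED_LINES):
        print("not loaded:", name)
```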