[apparmor] [patch] aa.py: change_profile vs. changes_profile

Steve Beattie steve at nxnw.org
Sat Nov 29 07:38:30 UTC 2014


On Thu, Nov 27, 2014 at 08:24:17PM +0100, Christian Boltz wrote:
> another patch from the "strange things noticed while reading aa.py" 
> series:
> 
> aa.py uses profile_data[profile][hat]['change_profile'] at various 
> places. However, there are also two places that use 'changes_profile' 
> (note the additional 's').
> 
> I didn't test this patch because I don't have a profile with a 
> change_profile rule here, but I'm quite sure it is needed to fix 
> handling change_profile rules ;-)

Acked-by: Steve Beattie <steve at nxnw.org>. That said, I don't see any
behavior change with limited testing of adding child profiles to an
existing profile with an already existing child profile.

There's some really wonky behavior for view differences when doing so
(with or without the patch applied):

--- /tmp/home.ubuntu.tmp.spork.sh 2014-11-28 23:07:50.769388829 -0800
+++ /tmp/tmpj6ytsskb    2014-11-28 23:09:56.641365708 -0800
@@ -13,9 +15,26 @@


   profile /bin/touch flags=(complain) {
+    /bin/cat rCx,
+    /bin/rm rix,
+
     #include <abstractions/base>

     /bin/touch mr,

   }
 }
+
+  profile /bin/cat flags=(complain) {
+    #include <abstractions/base>
+
+    /bin/cat mr,
+
+  }
+
+  profile /bin/touch flags=(complain) {
+    #include <abstractions/base>
+
+    /bin/touch mr,
+
+  }
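Review bot: the second `+  profile /bin/touch flags=(complain) {` block in this hunk is a duplicate of the child profile already present in the context lines above it, and the `+    /bin/cat rCx,` / `+    /bin/rm rix,` lines land inside that first child block instead of at parent level; the structure this diff is generated from should be keyed by child name so a child is emitted once, and rules added to the parent should be attached to the parent entry rather than to the first child encountered.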

Note how the child profile for /bin/touch is getting re-added. Furthermore, the
/bin/cat and /bin/rm rules that get added to the first instantiation of
the /bin/touch profile belong in the parent profile, not any of the
children. However, the clean diff generates the correct output:

--- /tmp/tmpp9dstlgb    2014-11-28 23:37:32.193515557 -0800
+++ /tmp/tmpxn5pm9t8    2014-11-28 23:37:32.193515557 -0800
@@ -3,6 +3,8 @@
   capability dac_read_search,

   /bin/bash ix,
+  /bin/cat rCx,
+  /bin/rm rix,
   /bin/touch rCx,
   /dev/pts/7 rw,
   /dev/tty rw,
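Review bot: `+  /bin/cat rCx,` in this hunk is a transition to a child profile named /bin/cat, so this output is only loadable if the same diff also emits a `profile /bin/cat` child block alongside the existing `/bin/touch rCx,` / `profile /bin/touch` pair; the second hunk below does add it, but the two should be checked together rather than per hunk.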
@@ -11,6 +13,13 @@
   /tmp/spork.data a,


+  profile /bin/cat flags=(complain) {
+    #include <abstractions/base>
+
+    /bin/cat mr,
+
+  }
+
   profile /bin/touch flags=(complain) {
     #include <abstractions/base>

which is what is written out as well.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
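The key-name mismatch the patch fixes is easy to miss when profile_data is an auto-vivifying nested dict: reading or writing a misspelled key such as 'changes_profile' creates an empty entry instead of raising KeyError, so change_profile rules are stored under one name and silently never found under the other. The following is an added illustration, not code from the patch or from aa.py itself; the nested layout, the KNOWN_KEYS set and the rule syntax emitted are constructed for the example, and aa.py's real structure is only assumed to behave like the defaultdict-based hasher() modelled here.

```python
"""Added example: how a mistyped dict key silently drops change_profile
rules, plus a check that reports keys outside the expected set."""
from collections import defaultdict


def hasher():
    # Auto-vivifying dict: hasher()['a']['b'] creates both levels on access.
    # Assumed to model the nested profile_data structure aa.py uses.
    return defaultdict(hasher)


# Keys a profile/hat entry is expected to carry (constructed for this example).
KNOWN_KEYS = {'allow', 'deny', 'change_profile', 'include', 'flags'}


def add_change_profile(profile_data, profile, hat, target, key='change_profile'):
    """Record a change_profile rule for `target`.

    `key` defaults to the correct name; passing 'changes_profile'
    reproduces the typo the patch removes."""
    profile_data[profile][hat][key][target] = True


def serialize_change_profile(profile_data, profile, hat):
    """Emit change_profile rules the way a writer reading the correct key would.

    With an auto-vivifying dict this never raises: if the rules were stored
    under a misspelled key, an empty 'change_profile' entry is created and
    nothing is written out."""
    rules = profile_data[profile][hat]['change_profile']
    return ['  change_profile -> %s,' % target for target in sorted(rules)]


def unknown_keys(profile_data):
    """Return (profile, hat, key) tuples for keys not in KNOWN_KEYS.

    This is the check that would have flagged 'changes_profile'."""
    bad = []
    for profile, hats in profile_data.items():
        for hat, entry in hats.items():
            for key in entry:
                if key not in KNOWN_KEYS:
                    bad.append((profile, hat, key))
    return bad


def demo(typo=False):
    """Build a one-rule profile and return (serialized rules, unknown keys)."""
    profile_data = hasher()
    key = 'changes_profile' if typo else 'change_profile'
    # Constructed sample: profile /usr/bin/foo may change to /usr/bin/bar.
    add_change_profile(profile_data, '/usr/bin/foo', '/usr/bin/foo',
                       '/usr/bin/bar', key)
    rules = serialize_change_profile(profile_data, '/usr/bin/foo', '/usr/bin/foo')
    return rules, unknown_keys(profile_data)


if __name__ == '__main__':
    print('correct key:', demo())
    print('typo key:   ', demo(typo=True))
```

Run directly, the correct spelling yields one change_profile line and no unknown keys, while the misspelled key yields no output at all and a single flagged 'changes_profile' entry; the absence of any exception is exactly why the typo survived in two places.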