[apparmor] [patch] Make sure aa-cleanprof de-duplicates capability rules

Christian Boltz apparmor at cboltz.de
Mon Apr 13 22:50:26 UTC 2015


Hello,

On Monday, 13 April 2015, Steve Beattie wrote:
> On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote:
> > CleanProf.remove_duplicate_rules() didn't call
> >   $profile['capability'].delete_duplicates()
> > because aa-cleanprof sets same_file=True.
> >
> > Fix this by calling delete_duplicates(None) so that it
> > only checks the profile against itself.
> > 
> > [ 43-cleanprof-do-in-profile-run.diff ]
> >
> > === modified file 'utils/apparmor/cleanprofile.py'
> > --- utils/apparmor/cleanprofile.py      2014-12-16 22:13:25 +0000
> > +++ utils/apparmor/cleanprofile.py      2015-04-11 22:35:00 +0000
> > @@ -67,6 +67,8 @@
> >
> >              #Clean the duplicates of caps in other profile
> >              if not self.same_file:
> >                  deleted +=
> >self.other.aa[program][hat]['capability'].delete_duplicates(self.pro
> >file.aa[program][hat]['capability'])
> > +            else:
> > +                deleted +=
> > self.other.aa[program][hat]['capability'].delete_duplicates(None)>
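
Review bot: The new else branch calls delete_duplicates(None), which only has an effect if delete_duplicates() accepts None and then deduplicates the ruleset against itself, and nothing in the visible lines shows that. The follow-up in this thread says in-profile deduplication comes from 42-in-profile-deduplication.diff, so the patch description should name that dependency or the two patches should be submitted together. The comment "#Clean the duplicates of caps in other profile" above the if also no longer describes both branches and should mention the same_file case.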

> This patch does not seem to do what you claim it does:

Did you also apply 42-in-profile-deduplication.diff before testing?
Without that, there's no in-profile deduplication (removing lines 
covered by includes should work without patch 42).


Regards,

Christian Boltz
-- 
There is shit and there is bullshit. by-path and by-id is beyond that.
[Yamaban in opensuse-factory]



