[apparmor] GSoC review r26 and r27
Christian Boltz
apparmor at cboltz.de
Fri Jan 30 11:07:37 UTC 2015
Hello,
On Saturday, 27 July 2013, John Johansen wrote:
> On 07/27/2013 10:02 AM, Christian Boltz wrote:
(yes, those dates and the subject are correct ;-)
> > @John: I'm still waiting for your answer about
> >
> > # ix implies m, so we don't need to add m if ix is present
>
> so ignore this, as we are not doing this
>
> > I have some profiles that contain "mrix" (for example sbin.dhclient
> > and usr.sbin.ntpd), so either the old logprof was buggy or the
> > comment is wrong ;-)
>
> neither, it was actually a change in kernel behavior that affected
> policy. It used to be that m was not needed for ix because of where
> the tests were done.
>
> A change in that behavior happened 5 or 6 years ago.
>
> so at best the comment should have been changed as this rolled through
So 18 months later, here's a patch that removes the outdated comment ;-)
[ utils-drop-ix-m-comment.diff ]
=== modified file 'utils/aa-mergeprof'
--- utils/aa-mergeprof 2014-10-16 21:35:06 +0000
+++ utils/aa-mergeprof 2015-01-30 11:03:42 +0000
@@ -434,14 +434,6 @@
if not allow_mode & apparmor.aamode.AA_MAY_EXEC:
mode |= apparmor.aa.str_to_mode('ix')
- # m is not implied by ix
-
- ### If we get an mmap request, check if we already have it in allow_mode
- ##if mode & AA_EXEC_MMAP:
- ## # ix implies m, so we don't need to add m if ix is present
- ## if contains(allow_mode, 'ix'):
- ## mode = mode - AA_EXEC_MMAP
-
if not mode:
continue
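Review bot: the first removed line, "# m is not implied by ix", is the one comment in this block that matches the kernel behaviour John describes in the thread, and it is dropped together with the stale commented-out code. Consider keeping that single line next to "mode |= apparmor.aa.str_to_mode('ix')" so a later reader does not reintroduce the old assumption that ix covers m.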
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2014-12-24 15:54:57 +0000
+++ utils/apparmor/aa.py 2015-01-30 11:04:05 +0000
@@ -1702,14 +1702,6 @@
if not allow_mode & apparmor.aamode.AA_MAY_EXEC:
mode |= str_to_mode('ix')
- # m is not implied by ix
-
- ### If we get an mmap request, check if we already have it in allow_mode
- ##if mode & AA_EXEC_MMAP:
- ## # ix implies m, so we don't need to add m if ix is present
- ## if contains(allow_mode, 'ix'):
- ## mode = mode - AA_EXEC_MMAP
-
if not mode:
continue
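Review bot: the eight lines removed here are identical to the ones removed in utils/aa-mergeprof, and the context around them ("if not allow_mode & apparmor.aamode.AA_MAY_EXEC:" through "if not mode:") is the same in both files apart from the qualified apparmor.aa.str_to_mode call, so this mode handling exists in two copies. A follow-up that has aa-mergeprof call one shared function in utils/apparmor/aa.py would keep the copies from drifting apart.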
Regards,
Christian Boltz
--
SYNOPSIS
glimpse - [almost all letters] pattern