[apparmor] GSoC review r26 and r27

Christian Boltz apparmor at cboltz.de
Fri Jan 30 11:07:37 UTC 2015 

Hello,

Am Samstag, 27. Juli 2013 schrieb John Johansen:
> On 07/27/2013 10:02 AM, Christian Boltz wrote:

(yes, those dates and the subject are correct ;-)

> > @John: I'm still waiting for your answer about
> > 
> >     # ix implies m, so we don't need to add m if ix is present
> 
> so ignore this, as we are not doing this
> 
> > I have some profiles that contain "mrix" (for example sbin.dhclient
> > and usr.sbin.ntpd), so either the old logprof was buggy or the
> > comment is wrong ;-)
> 
> neither, it was actually a change in kernel behavior that affected
> policy. It used to be that m was not needed for ix because of where
> the tests where done.
> 
> A change in that behavior happened 5 or 6 years ago.
> 
> so at best the comment should have been changed as this rolled through

So 18 months later, here's a patch that removes the outdated comment ;-)


[ utils-drop-ix-m-comment.diff ]

=== modified file 'utils/aa-mergeprof'
--- utils/aa-mergeprof  2014-10-16 21:35:06 +0000
+++ utils/aa-mergeprof  2015-01-30 11:03:42 +0000
@@ -434,14 +434,6 @@
                         if not allow_mode & apparmor.aamode.AA_MAY_EXEC:
                             mode |= apparmor.aa.str_to_mode('ix')
 
-                    # m is not implied by ix
-
-                    ### If we get an mmap request, check if we already have it in allow_mode
-                    ##if mode & AA_EXEC_MMAP:
-                    ##    # ix implies m, so we don't need to add m if ix is present
-                    ##    if contains(allow_mode, 'ix'):
-                    ##        mode = mode - AA_EXEC_MMAP
-
                     if not mode:
                         continue
 

=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py        2014-12-24 15:54:57 +0000
+++ utils/apparmor/aa.py        2015-01-30 11:04:05 +0000
@@ -1702,14 +1702,6 @@
                         if not allow_mode & apparmor.aamode.AA_MAY_EXEC:
                             mode |= str_to_mode('ix')
 
-                    # m is not implied by ix
-
-                    ### If we get an mmap request, check if we already have it in allow_mode
-                    ##if mode & AA_EXEC_MMAP:
-                    ##    # ix implies m, so we don't need to add m if ix is present
-                    ##    if contains(allow_mode, 'ix'):
-                    ##        mode = mode - AA_EXEC_MMAP
-
                     if not mode:
                         continue
 


Regards,

Christian Boltz
-- 
SYNOPSIS
       glimpse - [almost all letters] pattern

More information about the AppArmor mailing list