[apparmor] [patch] Handle #include <directory> in is_known_rule()
Christian Boltz
apparmor at cboltz.de
Sat Jul 4 16:58:39 UTC 2015
Hello,
this patch fixes the crash reported in
https://bugs.launchpad.net/apparmor/+bug/1471425
and also avoids asking for and adding superfluous rules that are
already covered by a file in the included directory.
This patch looks bigger than it is because it moves quite a few lines
into the "else:" branch. Everything inside the "else:" just got an
additional whitespace level.
Note: 2.9 needs a different patch because it has some profile_known_*()
functions instead of is_known_rule().
[ 61-is_known_rule-check-directory-includes.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-07-04 18:35:52.337494351 +0200
+++ utils/apparmor/aa.py 2015-07-04 18:34:30.602541182 +0200
@@ -4091,13 +4091,16 @@
while incname:
checked.append(incname)
- if include[incname][incname].get(rule_type, False):
- if include[incname][incname][rule_type].is_covered(rule_obj, False):
- return True
+ if os.path.isdir(profile_dir + '/' + incname):
+ includelist += include_dir_filelist(profile_dir, incname)
+ else:
+ if include[incname][incname].get(rule_type, False):
+ if include[incname][incname][rule_type].is_covered(rule_obj, False):
+ return True
- for childinc in include[incname][incname]['include'].keys():
- if childinc not in checked:
- includelist += [childinc]
+ for childinc in include[incname][incname]['include'].keys():
+ if childinc not in checked:
+ includelist += [childinc]
if len(includelist):
incname = includelist.pop(0)
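Review bot: In the new os.path.isdir() branch, the names returned by include_dir_filelist(profile_dir, incname) are appended to includelist without the "if childinc not in checked" filter that the else branch applies to child includes. A file that was already visited through a direct include, or that is reachable through two included directories, gets queued and checked a second time. Consider filtering the directory listing against checked before extending includelist. The branch also relies on every returned name being a key in include once the loop reaches include[incname][incname] for it; a guard or a short comment stating that assumption would make the crash fix easier to verify. Minor style point: os.path.join(profile_dir, incname) would be more robust than profile_dir + '/' + incname.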
Regards,
Christian Boltz
--
Still working on Squid, or would you rather push little buttons and stare
to see whether anything happens? Forget it, the computer has the upper hand
and, when it comes to such matters, is a stubborn one.
[Helga Fischer in suse-linux]