[apparmor] [patch] Initialize child profile in handle_children()

Christian Boltz apparmor at cboltz.de
Mon Jul 13 23:43:15 UTC 2015


On Monday, 13 July 2015, Seth Arnold wrote:
> On Sun, Jul 12, 2015 at 06:51:49PM +0200, Christian Boltz wrote:
> > [ 74-handle_children-fix-child-init.diff ]
> > +                                # XXX ... = hasher() probably
> > superfluous, and stub_profile probably overwrites existing child
> > profile> 
> >                                  aa[profile][hat]['allow']['path'] =
> >                                  hasher()
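Review bot: the added XXX comment above `aa[profile][hat]['allow']['path'] = hasher()` states two guesses ("probably superfluous", "probably overwrites existing child profile") without settling either, so it records a suspected bug while leaving the suspect assignment in place. Suggest resolving it before merging: if the assignment is redundant, delete it; if an existing child profile can be overwritten here, skip the initialization when that child profile already exists. If the note stays, phrase it as a TODO that names the condition to check, so it can be closed later.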
> But this part doesn't; I'd rather see the bad lines deleted. Either it
> overwrites something that was already there (and was important), or
> it is useless. Right?

Basically yes, but the added TODO notes are only based on a quick look 
at the code, resulting in a "that looks strange" feeling. 

All I can say for sure is: _if_ it really overwrites something, then 
only an existing child profile when adding a Cx to that child profile - 
so this is quite unlikely (but not impossible) to happen in practice. 
My wild, untested guess is that only Cx -> child rules could be hit 
by this, and only if the child profile already exists before the 
aa-logprof run.

So yes, there's a reason why I added the TODO notes - but at the same 
time, this isn't critical enough to block the 2.10 release. (Just to 
avoid confusion: the first part of the patch that initializes 
aa[profile][hat] is something we need in 2.10.)

Oh, and without the added comments, I wouldn't be surprised if this went 
unnoticed for some years ;-)

Anyway - if you prefer, I can shorten the patch so that it only 
initializes the profile, but doesn't add the TODO notes.


Christian Boltz
> What is that green stuff on the glass table, anyway? Miniature tentacles?
> Radioactively contaminated penguins?                 -- J. Sauer and...
No.  Those are penguins after applying all SuSE patches.
        -- Hans Bonfigt on SuSE plush chameleons at a trade fair
