[apparmor] [patch] Initialize child profile in handle_children()
Christian Boltz
apparmor at cboltz.de
Mon Jul 13 23:43:15 UTC 2015
Hello,
On Monday, 13 July 2015, Seth Arnold wrote:
> On Sun, Jul 12, 2015 at 06:51:49PM +0200, Christian Boltz wrote:
> > [ 74-handle_children-fix-child-init.diff ]
...
> > + # XXX ... = hasher() probably
> > superfluous, and stub_profile probably overwrites existing child
> > profile>
> > aa[profile][hat]['allow']['path'] =
> > hasher()
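Review bot: the XXX comment added above `aa[profile][hat]['allow']['path'] = hasher()` says "probably" twice, so it records a suspicion rather than a checked fact. Before merging, confirm whether stub_profile really replaces a child profile that already exists. If it does, make the assignment conditional on the child profile being absent. If it does not, drop the assignment or reword the comment as a TODO that names exactly what still has to be verified.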
...
> But this part doesn't; I'd rather see the bad lines deleted. Either it
> overwrites something that was already there (and was important), or
> it is useless. Right?
Basically yes, but the added TODO notes are only based on a quick look
at the code, resulting in a "that looks strange" feeling.
All I can say for sure is: _if_ it really overwrites something, then
only an existing child profile when adding a Cx to that child profile -
so this is quite unlikely (but not impossible) to happen in practice.
My wild, untested guess is that only Cx -> child rules could be hit
by this, and only if the child profile already exists before the
aa-logprof run.
So yes, there's a reason why I added the TODO notes - but at the same
time, this isn't critical enough to block the 2.10 release. (Just to
avoid confusion: the first part of the patch that initializes
aa[profile][hat] is something we need in 2.10.)
Oh, and without the added comments, I wouldn't be surprised if this went
unnoticed for some years ;-)
Anyway - if you prefer, I can shorten the patch so that it only
initializes the profile, but doesn't add the TODO notes.
Regards,
Christian Boltz
--
> What is that green stuff on the glass table, anyway? Miniature tentacles?
> Radioactively contaminated penguins? -- J. Sauer and...
No. Those are penguins after applying all SuSE patches.
-- Hans Bonfigt on Suse plush chameleons at a trade fair