[apparmor] [PATCH 09/14] Fix screening of change_profile permission from file rule entries

Steve Beattie steve at nxnw.org
Mon Jun 8 18:31:44 UTC 2015


On Thu, Jun 04, 2015 at 03:56:38AM -0700, John Johansen wrote:
> While change_profile rules are always created separately from file
> rules, the merge phase can result in change_profile rules merging
> with file rules, resulting in the change_profile permission being
> set when a file rule is created.
> 
> Make sure to screen off the change_profile permission, when creating
> a file rule.
> 
> Note: the proper long term fix is to split file, link and change_profile
> rules into their own classes.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/parser_regex.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index 30f009f..52c2753 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -532,8 +532,9 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
>  	if (entry->deny) {
>  		if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) &&
>  		    !dfarules->add_rule(tbuf.c_str(), entry->deny,
> -					entry->mode & ~AA_LINK_BITS,
> -					entry->audit & ~AA_LINK_BITS, dfaflags))
> +					entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
> +					entry->audit & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
> +		    dfaflags))
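Review bot: the continuation line `+		    dfaflags))` is indented back to the level of the enclosing `if (` rather than aligned with the other `add_rule()` arguments above it, which makes it read as if `dfaflags` belonged to the `if` condition instead of the call; align it with `entry->mode & ~(...)` and `entry->audit & ~(...)`. The mask `(AA_LINK_BITS | AA_CHANGE_PROFILE)` now appears three times in this hunk (the guard on `entry->mode` and both arguments to `add_rule()`); hoisting it into one local, e.g. `int file_mask = ~(AA_LINK_BITS | AA_CHANGE_PROFILE);`, would keep the guard and the two screened arguments from drifting apart the next time a permission bit is added to the screen.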

I think the indention there should be deeper as dfarules is still an
argument to dfarules->add_rule(). With the indention fixed,
Acked-by: Steve Beattie <steve at nxnw.org>.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/