[apparmor] [PATCH 5/2] Fix compilation of audit modifiers

Tyler Hicks tyhicks at canonical.com
Wed Mar 18 15:32:16 UTC 2015


On 2015-03-17 16:13:03, Steve Beattie wrote:
> On Tue, Mar 17, 2015 at 12:14:07AM -0700, John Johansen wrote:
> > This fixes the incorrect compilation of audit modifiers for exec and
> > pivot_root as detailed in
> > 
> > https://launchpad.net/bugs/1431717
> > https://launchpad.net/bugs/1432045
> > 
> > The permission accumulation routine on the backend was incorrectly setting
> > the audit mask based off of the exec type bits (info about the exec) and
> > not the actual exec permission.
> > 
> > This bug could have also caused permissions issues around overlapping exec
> > generic and exact match exec rules, except the encoding of EXEC_MODIFIERS
> > ensured that the 
> >   exact_match_allow & AA_USER/OTHER_EXEC_TYPE
> > test would never fail for a permission accumulation with the exec permission
> > set.
> > 
> > Signed-off-by: John Johansen <john.johansen at canonical.com>
> 
> Acked-by: Steve Beattie <steve at nxnw.org> for trunk and 2.9. Thanks!

It gets my ack, too.

Do I have the green light to commit the tests to 2.9, as well?

Tyler

> 
> > === modified file 'parser/libapparmor_re/hfa.cc'
> > --- parser/libapparmor_re/hfa.cc	2014-09-03 21:36:08 +0000
> > +++ parser/libapparmor_re/hfa.cc	2015-03-17 06:32:53 +0000
> > @@ -1335,19 +1335,16 @@
> >  	}
> >  
> >  	perms.allow |= exact_match_allow & ~(ALL_AA_EXEC_TYPE);
> > -
> > -	if (exact_match_allow & AA_USER_EXEC_TYPE) {
> > +	perms.audit |= exact_audit & ~(ALL_AA_EXEC_TYPE);
> > +	
> > +	if (exact_match_allow & AA_USER_EXEC) {
> >  		perms.allow = (exact_match_allow & AA_USER_EXEC_TYPE) |
> >  			(perms.allow & ~AA_USER_EXEC_TYPE);
> > -		perms.audit = (exact_audit & AA_USER_EXEC_TYPE) |
> > -			(perms.audit & ~AA_USER_EXEC_TYPE);
> >  		perms.exact = AA_USER_EXEC_TYPE;
> >  	}
> > -	if (exact_match_allow & AA_OTHER_EXEC_TYPE) {
> > +	if (exact_match_allow & AA_OTHER_EXEC) {
> >  		perms.allow = (exact_match_allow & AA_OTHER_EXEC_TYPE) |
> >  			(perms.allow & ~AA_OTHER_EXEC_TYPE);
> > -		perms.audit = (exact_audit & AA_OTHER_EXEC_TYPE) |
> > -			(perms.audit & ~AA_OTHER_EXEC_TYPE);
> >  		perms.exact |= AA_OTHER_EXEC_TYPE;
> >  	}
> >  	if (AA_USER_EXEC & perms.deny)
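Review bot: In both rewritten conditions (`if (exact_match_allow & AA_USER_EXEC)` and the matching AA_OTHER_EXEC one) the test is now on the exec permission bit while the body still masks with AA_USER_EXEC_TYPE / AA_OTHER_EXEC_TYPE, and nothing in the code says why the two constants differ. A short comment above the first `if`, stating that the exec permission gates the override and the type bits are only what gets replaced, would keep a later cleanup from switching the test back. With the two `perms.audit = ...` assignments removed, the only audit update left here is `perms.audit |= exact_audit & ~(ALL_AA_EXEC_TYPE);`, so exec type bits from exact_audit never reach perms.audit while perms.allow still takes them from exact_match_allow; if that asymmetry is intended, the comment should say so. The blank line added after the new perms.audit statement also carries a trailing tab where the removed line was clean.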
> > 
> > 
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/


