[apparmor] [patch] [2.9 branch] fix aa-mergeprof capability handling

Christian Boltz apparmor at cboltz.de
Thu May 14 00:05:40 UTC 2015


Hello,

this patch fixes the 2.9 aa-mergeprof capability handling.

Thanks to a broken optimization (which missed a "not" in the if
condition), aa-mergeprof never asked to merge capability rules.

Also fix a syntax / parameter error uncovered after fixing the
condition.

This patch is only meant for the 2.9 branch.



[ mergeprof-2.9-fix-capability.diff ]

=== modified file 'utils/aa-mergeprof'
--- utils/aa-mergeprof  2014-10-16 21:35:06 +0000
+++ utils/aa-mergeprof  2015-05-13 23:19:42 +0000
@@ -309,7 +309,7 @@
 
             #Add the capabilities
             for allow in ['allow', 'deny']:
-                if other.aa[profile][hat].get(allow, False):
+                if not other.aa[profile][hat].get(allow, False):
                     continue
                 for capability in sorted(other.aa[profile][hat][allow]['capability'].keys()):
                     severity = sev_db.rank('CAP_%s' % capability)
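Review bot: The corrected guard `if not other.aa[profile][hat].get(allow, False): continue` only confirms that the `allow`/`deny` entry is non-empty, while the next line indexes `[allow]['capability']` directly. If that key can be missing for a profile that has other rules but no capability rules, use `.get('capability', {})` on that line, or note in the comment why the structure always provides the key. The commit message says capability rules were never offered for merging because of the inverted condition, so a regression test that merges a profile containing a capability rule would help keep this path from going dead unnoticed again.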
@@ -366,7 +366,7 @@
 
                             apparmor.aa.changed[profile] = True
 
-                            aaui.UI_Info(_('Adding capability %s to profile.'), capability)
+                            aaui.UI_Info(_('Adding capability %s to profile.') % capability)
                             done = True
 
                         elif ans == 'CMD_DENY':
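Review bot: The `elif ans == 'CMD_DENY':` branch that follows this `UI_Info` fix should be checked for the same two-argument form, `aaui.UI_Info(_('...'), capability)`. The message says the parameter error was only uncovered once the condition was fixed, so other calls in this block may never have been exercised either. Formatting with `%` outside `_()` is the right order for the translation lookup; a short comment or a test that drives both the allow and deny answers would document that the whole prompt path now runs.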





Regards,

Christian Boltz
-- 
[Load balancers in front of mail servers]
Rip them out, flog them on Ebay, and invest the freed-up time together
with the Ebay proceeds in a big company party with cocktails.
[Peer Heinlein in postfixbuch-users]



