[apparmor] [patch] Let set_profile_flags() change the flags for all hats

Steve Beattie steve at nxnw.org
Thu May 28 20:04:59 UTC 2015 

On Wed, May 13, 2015 at 11:24:29PM +0200, Christian Boltz wrote:
> Hello,
> 
> as discussed in the meeting yesterday, this patch lets 
> set_profile_flags() change the flags for all hats.
> 
> It did this in the old 2.8 code, but didn't in 2.9.x (first there was a
> broken hat regex, then I commented out the hat handling to avoid
> breakage cause by the broken regex).
> 
> This patch makes sure the hat flags get set when setting the flags for
> the main profile.
> 
> Also change RE_PROFILE_HAT_DEF to use more named matches
> (leadingwhitespace and hat_keyword). Luckily all code that uses the
> regex uses named matches already, which means adding another (...) pair
> doesn't hurt.
> 
> Finally adjust the tests:
> - change _test_set_flags to accept another optional parameter
>   expected_more_rules (used to specify the expected hat definition)
> - add tests for hats (with '^foobar' and 'hat foobar' syntax)
> - add tests for child profiles, one of them commented out (see below)
> 
> 
> Remaining known issues (also added as TODO notes):
> 
> - The hat and child profile flags are *overwritten* with the flags used
>   for the main profile. (That's well-known behaviour from 2.8 :-/ but we
>   have more flags now, which makes this more annoying.)
>   The correct behaviour would be to add or remove the specified flag,
>   while keeping other flags unchanged.
> 
> - Child profiles are not handled/changed if you specify the 'program'
>   parameter. This means:
>   - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd'
>     _will not_ change the flags for the nscd child profile
>   - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change
>     the flags for the nscd child profile (and any other profile and
>     child profile in that file)
> 
> 
> Even with those remaining issues (which need bigger changes in 
> set_profile_flags() and maybe also in the whole flags handling), the 
> patch improves things and fixes the regression from the 2.8 code.
> 
> 
> I propose this patch for trunk and 2.9.
> 
> [ 05-set-profile-flags-hats.diff ]

Acked-by: Steve Beattie <steve at nxnw.org> for trunk and 2.9.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150528/3712b533/attachment.pgp>

More information about the AppArmor mailing list