[apparmor] [PATCH 20/20] Fix: the default pattern for missing change_onexec id
John Johansen
john.johansen at canonical.com
Fri May 29 08:39:26 UTC 2015
The default change_onexec id is slightly wrong: it allows matching
'/' as an executable, but it really should be anything under /.
This results in the equality tests for change_profile failing, as it
is different from what specifying /** in a rule does.
We could define that rules need to be {/,}** to be equivalent, but since
/ cannot be an executable, change the default value to match what
/** is converted into.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser_regex.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 74b4761..d36864e 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -583,7 +583,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
vec[0] = xbuf.c_str();
} else
/* allow change_profile for all execs */
- vec[0] = "/[^\\x00]*";
+ vec[0] = "/[^/\\x00][^\\x00]*";
if (entry->ns) {
int pos;
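Review bot: the comment above the changed line, `/* allow change_profile for all execs */`, no longer describes the pattern exactly: `/[^/\\x00][^\\x00]*` requires at least one non-slash character after the leading `/`, so a bare `/` (and any path beginning with `//`) is excluded. Consider wording it as "allow change_profile for all execs under /" so the intent of the stricter default is recorded next to the code. Since the commit message says the old default made the change_profile equality tests fail, a regression test covering the default-vs-`/**` equivalence would also be worth adding alongside this one-line change.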
--
2.1.4
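To see what the one-line change does to the set of accepted exec paths, here is an added example (not part of the patch or the AppArmor parser) that applies the old and new default patterns, as Python regexes, to a few constructed sample paths:

```python
import re

# The two default patterns from the patch, without C-string escaping
# (Python's re understands \x00 directly inside a character class).
OLD_DEFAULT = r"/[^\x00]*"            # before the fix: also matches a bare "/"
NEW_DEFAULT = r"/[^/\x00][^\x00]*"    # after the fix: needs a non-slash after "/"


def matches(pattern: str, path: str) -> bool:
    """Anchored match: the whole exec path must be consumed by the pattern,
    which is how the parser's DFA applies a rule to a path."""
    return re.fullmatch(pattern, path) is not None


def compare(paths):
    """Return {path: (old_matches, new_matches)} for each sample path."""
    return {p: (matches(OLD_DEFAULT, p), matches(NEW_DEFAULT, p)) for p in paths}


# Constructed sample exec paths (not taken from the patch or the mailing list).
SAMPLES = ["/", "/bin/sh", "/usr/bin/python3", "//bin/sh", "bin/sh", ""]

if __name__ == "__main__":
    for path, (old, new) in compare(SAMPLES).items():
        print(f"{path!r:20} old={old!s:5} new={new!s:5}")
```

The only inputs whose result changes are the bare "/" and paths starting with "//": the old default accepted them, the new one rejects them, which is the difference between "anything under /" and "/ or anything under it" that the commit message describes.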