[apparmor] [patch] handle_binfmt: resolve symlinks in library paths

Christian Boltz apparmor at cboltz.de
Sun Feb 21 19:03:21 UTC 2016


Hello,

Am Montag, 22. Februar 2016, 00:02:09 CET schrieb Kshitij Gupta:
> On Sun, Feb 21, 2016, Christian Boltz <apparmor at cboltz.de> wrote:
> > $subject.
> > 
> > This should happen rarely, but nevertheless it can happen - and
> > since
> > AppArmor needs the symlink target in the profile, we have to resolve
> > any symlink.
> > 
> > 
> > [ 76-handle_binfmt-resolve-symlinks.diff ]
> > 
> > === modified file ./utils/apparmor/aa.py
> > --- utils/apparmor/aa.py        2016-02-21 17:14:28.444520585 +0100
> > +++ utils/apparmor/aa.py        2016-02-21 16:06:41.744595751 +0100
> > @@ -386,6 +388,7 @@
> > 
> >      reqs = get_reqs(path)
> >      
> >      while reqs:
> >          library = reqs.pop()
> > 
> > +        library = get_full_path(library)  # resolve symlinks
> 
> How about inlining the get_full_path with the pop?

I know it would make the code shorter, but I prefer an additional line 
if it makes it more readable ;-)

> Also, is the comment above adding any value and worth it?

I think so ;-)
People might wonder why get_full_path() is called because get_reqs() 
only returns full library paths (the regexes only match '/.*'), so 
explaining that it's about symlinks makes sense IMHO.

> Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>

Thanks for the review!


Regards,

Christian Boltz
-- 
general rule: if Olaf reports a bug, it is a valid bug.
[Olaf Hering while reopening
 https://bugzilla.novell.com/show_bug.cgi?id=168595]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160221/07563307/attachment.pgp>


More information about the AppArmor mailing list