[apparmor] [patch] Make sure 'x' log events always come with type 'exec'

Kshitij Gupta kgupta8592 at gmail.com
Sun Feb 21 19:25:05 UTC 2016


Hello,

On Mon, Feb 22, 2016 at 12:37 AM, Christian Boltz <apparmor at cboltz.de>
wrote:

> Hello,
>
> On Sunday, 21 February 2016, 23:53:40 CET, Kshitij Gupta wrote:
> > On Sun, Feb 21, 2016 at 9:48 PM, Christian Boltz wrote:
> > > according to a discussion with John on IRC, denied_mask="x" can only
> > > happen for 'exec' log events. This patch raises an exception if John
> > > is wrong ;-)
> > >
> > >
> > > [ 75-x-but-not-exec-exception.diff ]
> > >
> > > === modified file ./utils/apparmor/aa.py
> > > --- utils/apparmor/aa.py        2016-02-21 15:43:58.021985441 +0100
> > > +++ utils/apparmor/aa.py        2016-02-21 16:06:41.744595751 +0100
>
> > > +                    elif typ != 'exec':
> > > +                        raise AppArmorBug('exec permissions
> > > requested for %i(exec_target)s, but mode is %(mode)s instead of
> > > exec. This
> > > Is that "%i(exec_target)s" above, containing the "%i", what you were
> > > aiming for?
>
> Nice catch - it should be %(...), not %i(...) ;-)
>
;-)

>
>
> Updated patch:
>
> [ 75-x-but-not-exec-exception.diff ]
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2016-02-21 15:43:58.021985441 +0100
> +++ utils/apparmor/aa.py        2016-02-21 16:06:41.744595751 +0100
> @@ -1210,6 +1210,8 @@
>                  if mode & str_to_mode('x'):
>                      if os.path.isdir(exec_target):
>                          raise AppArmorBug('exec permissions requested for
> directory %s. This should not happen - please open a bugreport!' %
> exec_target)
> +                    elif typ != 'exec':
>
That "typ" is proof that naming things really is hard or I was just being
lazy.

> +                        raise AppArmorBug('exec permissions requested for
> %(exec_target)s, but mode is %(mode)s instead of exec. This should not
> happen - please open a bugreport!' % {'exec_target': exec_target,
> 'mode':mode})
>                      else:
>                          do_execute = True
>
>
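
Review bot: the new `elif typ != 'exec':` branch tests `typ`, but the AppArmorBug message reads "mode is %(mode)s instead of exec" and interpolates `mode`, the permission mask already tested with `mode & str_to_mode('x')`, so the bug report will not show the value that actually failed the check. Suggest passing `typ` into the format dict and wording the message as "type is %(type)s instead of exec". A space after the colon in `'mode':mode` would also match the `'exec_target': exec_target` entry beside it.
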
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>

>
>
>
> Regards,
>
> Christian Boltz
> --
> There is only so much everybody can do. We suffer from hour-shortage
> on the day I guess :)    [Dominique Leuenberger in opensuse-factory]
>


-- 
Regards,

Kshitij Gupta