[apparmor] [patch] Don't store exec modes in transtions[]
Steve Beattie
steve at nxnw.org
Sat Mar 19 18:55:09 UTC 2016
On Sun, Feb 21, 2016 at 03:00:06PM +0100, Christian Boltz wrote:
> exec choices are stored in transitions[], but that's never used
> (and I don't see a need for it), therefore stop storing it.
>
>
> [ 73-exec-transitions.diff ]
>
> === modified file 'utils/apparmor/aa.py'
> --- utils/apparmor/aa.py 2016-02-20 12:32:36 +0000
> +++ utils/apparmor/aa.py 2016-02-21 13:50:24 +0000
> @@ -1205,7 +1205,6 @@
> context_new = context_new + '^%s' % hat
> context_new = context_new + ' -> %s' % exec_target
>
> - # ans_new = transitions.get(context_new, '') # XXX ans meant here?
> combinedmode = set()
> combinedaudit = set()
> ## Check return Value Consistency
> @@ -1415,7 +1414,6 @@
> exec_mode = exec_mode - (apparmor.aamode.AA_EXEC_UNSAFE | AA_OTHER(apparmor.aamode.AA_EXEC_UNSAFE))
> else:
> ans = 'INVALID'
> - transitions[context_new] = ans
>
> regex_options = re.compile('CMD_(ix|px|cx|nx|pix|cix|nix)')
> if regex_options.search(ans):
>
Are you sure about that? I see in handle_children():
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/utils/apparmor/aa.py#L1075
1075 ans = transitions.get(context, 'XXXINVALIDXXX')
1076
1077 while ans not in ['CMD_ADDHAT', 'CMD_USEDEFAULT', 'CMD_DENY']:
and transitions is a global hasher() object.
But I've only looked at this cursorily, so don't claim any real
understanding of what's going on (or not going on) here.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160319/5f03c16d/attachment.pgp>
More information about the AppArmor
mailing list