[apparmor] [patch] [41/38] let aa-mergeprof ask about new hats and subprofiles
Steve Beattie
steve at nxnw.org
Thu Sep 29 00:23:01 UTC 2016
On Wed, Sep 28, 2016 at 11:08:40PM +0200, Christian Boltz wrote:
> If a merged profile contains additional hats or subprofiles, the "old"
> aa-mergeprof silently created them as additional hasher elements (partly
> buggy, because subprofiles would end up as '^/subprofile' instead of
> 'profile subprofile'). After switching to FileRule, aa-mergeprof crashes
> on new hats or subprofiles.
>
> This patch adds code to ask the user if the new hat or subprofile should
> be added - which means this patch replaces two bugs (crash + silently
> adding subprofiles and hats) with a new feature ;-)
>
>
> The new questions also add a new text CMD_ADDSUBPROFILE in ui.py.
>
> Finally, the new "button" combinations get added to test-translations.py.
>
>
>
> If you want to test, try to aa-mergeprof this profile (the subprofile
> and hat are dummies, nothing ping would really require):
>
>
> #include <tunables/global>
> /{usr/,}bin/ping {
>   #include <abstractions/base>
>   #include <abstractions/consoles>
>   #include <abstractions/nameservice>
>
>   capability net_raw,
>   capability setuid,
>   network inet raw,
>   network inet6 raw,
>
>   /{,usr/}bin/ping mixr,
>   /etc/modules.conf r,
>
>   ^hat {
>     /bin/hat r,
>     /bin/bash px,
>   }
>
>   profile /subprofile {
>     /bin/subprofile r,
>     /bin/bash px,
>   }
>
>   # Site-specific additions and overrides. See local/README for details.
>   #include <local/bin.ping>
> }
>
> Note that this patch is not covered by unittests, but it passed all my
> manual tests.
>
> [ 41-mergeprof-new-subprofiles.diff ]
Acked-by: Steve Beattie <steve at nxnw.org>. Thanks!
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
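
The behaviour described in the quoted message, as an added example (not part of the patch or of aa-mergeprof itself): stand-alone Python that lists hats and subprofiles present in the profile being merged but absent from the existing one, and keeps only those a reviewer confirms. The function names, the line-based scanner and the shortened sample profiles are assumptions made for illustration.

```python
import re

HAT = re.compile(r'^(?:\^|hat\s+)(\S+)\s*.*\{$')   # "^hat {" or "hat name {"
SUB = re.compile(r'^profile\s+(\S+)\s*.*\{$')      # "profile name {"

def child_profiles(text):
    """Labels of hats/subprofiles declared directly inside the top-level profile."""
    depth, found = 0, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#'):      # comments and #include lines open no blocks
            continue
        if depth == 1:
            hat, sub = HAT.match(line), SUB.match(line)
            if hat:
                found.add('^' + hat.group(1))
            elif sub:                 # labelled 'profile name', never '^name'
                found.add('profile ' + sub.group(1))
        # Alternations like /{,usr/}bin are balanced per line, so the net count is safe.
        depth += line.count('{') - line.count('}')
    return found

def review_merge(existing, merged, ask):
    """Return the new children the reviewer accepted; nothing is added without a yes."""
    new = sorted(child_profiles(merged) - child_profiles(existing))
    return [name for name in new if ask(name)]

# Constructed sample input: EXISTING has no children, MERGED is a shortened
# form of the test profile quoted in the message above.
EXISTING = """
/{usr/,}bin/ping {
  /{,usr/}bin/ping mixr,
}
"""
MERGED = """
/{usr/,}bin/ping {
  /{,usr/}bin/ping mixr,
  ^hat {
    /bin/hat r,
    /bin/bash px,
  }
  profile /subprofile {
    /bin/subprofile r,
    /bin/bash px,
  }
}
"""

if __name__ == '__main__':
    print(review_merge(EXISTING, MERGED, lambda n: input(f'Add {n}? [y/N] ').lower() == 'y'))
```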