[apparmor] [patch] Carry over all autodep-generated rules in handle_children()

Steve Beattie steve at nxnw.org
Wed Aug 2 08:02:32 UTC 2017


On Sun, Jul 16, 2017 at 09:47:50PM +0200, Christian Boltz wrote:
> when creating a new child profile, handle_children() did only copy over
> include and path rules. While this was correct in the past, path rules
> got changed to FileRule in the meantime and were therefore lost.
> (In practice, this means the "$binary mr," rule wasn't added to the new
> child profile, causing a "superfluous" question in aa-logprof.)
> 
> This patch changes handle_children() to carry over the complete new
> child profile instead of only cherry-picking include and path rules.
> 
> 
> I propose this patch for trunk and 2.11.
> Older versions (with path as hasher) are not affected.
> 
> [ 01-handle_children-use-new-profile.diff ]

Acked-by: Steve Beattie <steve at nxnw.org> for both. Thanks!

> --- utils/apparmor/aa.py        2017-07-16 21:28:03.462623472 +0200
> +++ utils/apparmor/aa.py        2017-07-16 21:34:08.093205307 +0200
> @@ -1266,24 +1270,16 @@
>                              if ynans == 'y':
>                                  hat = exec_target
>                                  if not aa[profile].get(hat, False):
> -                                    aa[profile][hat] = ProfileStorage(profile, hat, 'handle_children()')
> +                                    stub_profile = create_new_profile(hat, True)
> +                                    aa[profile][hat] = stub_profile[hat][hat]
> +
>                                  aa[profile][hat]['profile'] = True
>  
>                                  if profile != hat:
>                                      aa[profile][hat]['flags'] = aa[profile][profile]['flags']
>  
> -                                stub_profile = create_new_profile(hat, True)
> -
>                                  aa[profile][hat]['flags'] = 'complain'
>  
> -                                aa[profile][hat]['allow']['path'] = hasher()
> -                                if stub_profile[hat][hat]['allow'].get('path', False):
> -                                    aa[profile][hat]['allow']['path'] = stub_profile[hat][hat]['allow']['path']
> -
> -                                aa[profile][hat]['include'] = hasher()
> -                                if stub_profile[hat][hat].get('include', False):
> -                                    aa[profile][hat]['include'] = stub_profile[hat][hat]['include']
> -
>                                  file_name = aa[profile][profile]['filename']
>                                  filelist[file_name]['profiles'][profile][hat] = True
>  
> 
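Review bot: Inside the `if not aa[profile].get(hat, False):` branch, the autodep stub is now created and used only when the hat does not exist yet. Before, `create_new_profile(hat, True)` ran unconditionally, and `aa[profile][hat]['allow']['path']` and `aa[profile][hat]['include']` were reset to `hasher()` and refilled from the stub even for an already existing hat. If that narrowing is intended, the commit message should say so; otherwise the existing-hat case needs its own handling. The stored object also now comes from `stub_profile[hat][hat]` instead of `ProfileStorage(profile, hat, 'handle_children()')`, so anything that constructor derived from `profile` should be checked on the stub. Separately, in the context lines the `flags` assignment under `if profile != hat:` is overwritten by `aa[profile][hat]['flags'] = 'complain'` right after it, which could be cleaned up in the same change.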

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/