[apparmor] [patch] Carry over all autodep-generated rules in handle_children()

Christian Boltz apparmor at cboltz.de
Sun Jul 16 19:47:50 UTC 2017


Hello,

when creating a new child profile, handle_children() only copied over
include and path rules. While this was correct in the past, path rules
got changed to FileRule in the meantime and were therefore lost.
(In practice, this means the "$binary mr," rule wasn't added to the new
child profile, causing a "superfluous" question in aa-logprof.)

This patch changes handle_children() to carry over the complete new
child profile instead of only cherry-picking include and path rules.


I propose this patch for trunk and 2.11.
Older versions (with path as hasher) are not affected.


[ 01-handle_children-use-new-profile.diff ]

--- utils/apparmor/aa.py        2017-07-16 21:28:03.462623472 +0200
+++ utils/apparmor/aa.py        2017-07-16 21:34:08.093205307 +0200
@@ -1266,24 +1270,16 @@
                             if ynans == 'y':
                                 hat = exec_target
                                 if not aa[profile].get(hat, False):
-                                    aa[profile][hat] = ProfileStorage(profile, hat, 'handle_children()')
+                                    stub_profile = create_new_profile(hat, True)
+                                    aa[profile][hat] = stub_profile[hat][hat]
+
                                 aa[profile][hat]['profile'] = True
 
                                 if profile != hat:
                                     aa[profile][hat]['flags'] = aa[profile][profile]['flags']
 
-                                stub_profile = create_new_profile(hat, True)
-
                                 aa[profile][hat]['flags'] = 'complain'
 
-                                aa[profile][hat]['allow']['path'] = hasher()
-                                if stub_profile[hat][hat]['allow'].get('path', False):
-                                    aa[profile][hat]['allow']['path'] = stub_profile[hat][hat]['allow']['path']
-
-                                aa[profile][hat]['include'] = hasher()
-                                if stub_profile[hat][hat].get('include', False):
-                                    aa[profile][hat]['include'] = stub_profile[hat][hat]['include']
-
                                 file_name = aa[profile][profile]['filename']
                                 filelist[file_name]['profiles'][profile][hat] = True
 
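
Review bot: moving the create_new_profile(hat, True) call inside the "if not aa[profile].get(hat, False):" branch changes what happens to a hat that already exists, and the commit message does not mention it. The removed lines replaced aa[profile][hat]['allow']['path'] and aa[profile][hat]['include'] with hasher() or the stub's values on every pass, whether or not the hat was new; after this change an existing hat is left untouched. That looks like the safer behaviour, but it should be stated in the commit message so that it is clearly intended. Separately, the stub is built from hat alone, while the removed ProfileStorage(profile, hat, 'handle_children()') call received both the parent and the hat name, so please confirm that nothing stored in stub_profile[hat][hat] depends on it having been created as a top-level profile. A test asserting that the "$binary mr," rule is present in the newly created child would cover the regression described above.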


Regards,

Christian Boltz
-- 
Sadly, the relationship between CSS and HTML is the same relationship
that links the instructions for building your IKEA bed, and the
unassembled, spiteful wooden planks that purportedly contain latent bed
structures.
[https://scholar.harvard.edu/files/mickens/files/towashitallaway.pdf]