<div dir="ltr">Hello,<br><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 22, 2016 at 12:37 AM, Christian Boltz <span dir="ltr"><<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
Am Sonntag, 21. Februar 2016, 23:53:40 CET schrieb Kshitij Gupta:<br>
<span class="">> On Sun, Feb 21, 2016 at 9:48 PM, Christian Boltz wrote:<br>
> > according to a discussion with John on IRC, denied_mask="x" can only<br>
> > happen for 'exec' log events. This patch raises an exception if John<br>
> > is wrong ;-)<br>
> ><br>
> ><br>
> > [ 75-x-but-not-exec-exception.diff ]<br>
> ><br>
> > === modified file ./utils/apparmor/aa.py<br>
> > --- utils/apparmor/aa.py 2016-02-21 15:43:58.021985441 +0100<br>
> > +++ utils/apparmor/aa.py 2016-02-21 16:06:41.744595751 +0100<br>
<br>
</span><span class="">> > + elif typ != 'exec':<br>
> > + raise AppArmorBug('exec permissions<br>
> > requested for %i(exec_target)s, but mode is %(mode)s instead of<br>
> > exec. This<br>
> Is that "%i(exec_target)s: above containing the "%i" what you were<br>
> aiming for?<br>
<br>
</span>Nice catch - it should be %(...), not %i(...) ;-)<br></blockquote><div>;-) <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
<br>
Updated patch:<br>
<span class=""><br>
[ 75-x-but-not-exec-exception.diff ]<br>
<br>
=== modified file ./utils/apparmor/aa.py<br>
--- utils/apparmor/aa.py 2016-02-21 15:43:58.021985441 +0100<br>
+++ utils/apparmor/aa.py 2016-02-21 16:06:41.744595751 +0100<br>
@@ -1210,6 +1210,8 @@<br>
if mode & str_to_mode('x'):<br>
if os.path.isdir(exec_target):<br>
raise AppArmorBug('exec permissions requested for directory %s. This should not happen - please open a bugreport!' % exec_target)<br>
+ elif typ != 'exec':<br></span></blockquote><div>That "typ" is proof that naming things really is hard or I was just being lazy. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">
</span>+ raise AppArmorBug('exec permissions requested for %(exec_target)s, but mode is %(mode)s instead of exec. This should not happen - please open a bugreport!' % {'exec_target': exec_target, 'mode':mode})<br>
<span class=""> else:<br>
do_execute = True<br>
<br></span></blockquote><div><br>Acked-by: Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com" target="_blank">kgupta8592@gmail.com</a>><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">
<br>
<br>
<br>
Regards,<br>
<br>
Christian Boltz<br>
--<br>
</span>There is only so much everybody can do. We suffer from hour-shortage<br>
on the day I guess :) [Dominique Leuenberger in opensuse-factory]<br>
<br>--<br>
AppArmor mailing list<br>
<a href="mailto:AppArmor@lists.ubuntu.com">AppArmor@lists.ubuntu.com</a><br>
Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/apparmor" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/apparmor</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Regards,<br><br></div>Kshitij Gupta<br></div></div>
</div></div></div>