On 12/30/2011 08:17 AM, Kees Cook wrote:
Hi John,
What's the reasoning here? "disable" is to avoid processing at all. It doesn't
make sense to me to not skip disabled profiles here. What use-case am I
overlooking?
Probably this is mostly just me, but I find disable really annoying during
dev and testing of the parser, as I do end up feeding disabled profiles to the
parser.
Thinking about it more, though, I should fix how disable is being resolved, i.e.
actually use the symlink, because the problem is that currently it's using
the base name to resolve whether a profile is disabled and not whether the
file being tested is actually the file that is disabled.
-Kees
On Tue, Dec 27, 2011 at 06:49:32PM -0800, John Johansen wrote:
Signed-off-by: John Johansen<[email protected]>
---
parser/parser_main.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 721582d..2a39ffc 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -886,7 +886,7 @@ int process_profile(int option, char *profilename)
else
basename = profilename;
- if (test_for_dir_mode(basename, "disable")) {
+ if (PRIVILEGED_OPS&& test_for_dir_mode(basename, "disable")) {
if (!conf_quiet)
PERROR("Skipping profile in %s/disable: %s\n",
basedir, basename);
goto out;
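Review bot: The added PRIVILEGED_OPS test in process_profile() changes when the disable directory is honoured, but neither the code nor the commit message (only a Signed-off-by line is present) says why. Add a short comment above the `if` and a sentence in the commit message stating the intended use case. With this condition, a profile listed under %s/disable is processed with no message at all whenever PRIVILEGED_OPS is false, so consider emitting a notice on that path unless conf_quiet is set. The check also still matches on basename alone, so when the condition is true any file sharing a base name with a disabled profile is skipped, whether or not it is the file that was disabled. Style: `PRIVILEGED_OPS&&` needs a space before `&&`.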
--
1.7.7.3
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor