This patch calls autodep on the 'exec'ed binary when the user selects
to place that execution in a child profile. Previously, logprof would
create an entirely empty child profile in complain mode (this fix
still leaves the child profile in complain mode).
---
utils/Immunix/AppArmor.pm | 10 ++++++++++
1 file changed, 10 insertions(+)
Index: b/utils/Immunix/AppArmor.pm
===================================================================
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -2391,8 +2391,18 @@ sub handlechildren($$$) {
# put in enforce mode with genprof
$sd{$profile}{$hat}{flags} =
$sd{$profile}{$profile}{flags} if $profile ne $hat;
+ # autodep our new child
+ my $stub_profile = create_new_profile($hat);
+
$sd{$profile}{$hat}{flags} = 'complain';
$sd{$profile}{$hat}{allow}{path} = { };
+ if (defined
$stub_profile->{$hat}{$hat}{allow}{path}) {
+ $sd{$profile}{$hat}{allow}{path} =
$stub_profile->{$hat}{$hat}{allow}{path};
+ }
+ $sd{$profile}{$hat}{include} = { };
+ if (defined
$stub_profile->{$hat}{$hat}{include}) {
+ $sd{$profile}{$hat}{include} =
$stub_profile->{$hat}{$hat}{include};
+ }
$sd{$profile}{$hat}{allow}{netdomain} = { };
my $file = $sd{$profile}{$profile}{filename};
$filelist{$file}{profiles}{$profile}{$hat} = 1;
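Review bot: The child profile now receives the stub's `allow`/`path` and `include` entries without the user confirming them, and only those two sections of what `create_new_profile($hat)` returns are copied; anything else the stub may hold (the helper's output is not visible in this hunk) is dropped, and `allow`/`netdomain` is still reset to empty just below. Since these seeded rules would presumably persist once the profile is later moved to enforce mode, the terse `# autodep our new child` comment should record that choice, e.g. `# seed child with autodep stub: path rules and includes only; not prompted for, so review before enforcing`. The return value of `create_new_profile` is also used unchecked: the `defined` guards cover a missing key, but a `ref($stub_profile) eq 'HASH'` test before the two lookups would make the fallback to empty hashes explicit. `handlechildren` starts and ends outside this hunk.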