This fix is needed for the userspace portion of both
BugLink: http://bugs.launchpad.net/bugs/963756
BugLink: http://bugs.launchpad.net/bugs/978038
change_onexec fails for profiles that don't have an attachment specification
eg. unconfined
This is because change_onexec goes through 2 permission checks. The first
at the api call point, which is a straight match of the profile name
eg.
/bin/foo
unconfined
and a second test at exec time, tying the profile to change to to the
exec. This allows restricting the transition to specific execs. This
is mapped as a two entry check
/executable/name\x00profile_name
where the executable name must be marked with the change_onexec permission
and the subsequent profile name as well.
The previous "fix" only covered adding onexec to executable names and
also works for the initial change_onexec request when the profile is
an executable.
However it does not fix the case for when the profile being transitioned
to is not an executable.
Signed-off-by: John Johansen <[email protected]>
---
parser/parser_regex.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index c774372..0ba8114 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -525,7 +525,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules,
struct cod_entry *entry)
vec[index++] = tbuf;
/* regular change_profile rule */
- if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index
- 1, &vec[1], dfaflags))
+ if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE |
AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
return FALSE;
/* onexec rules - both rules are needed for onexec */
if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, 1, vec,
dfaflags))
--
1.7.9.1
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
