On Wed, Apr 11, 2012 at 01:53:40PM -0700, John Johansen wrote:
> This fix is needed for the userspace portion of both
> BugLink: http://bugs.launchpad.net/bugs/963756
> BugLink: http://bugs.launchpad.net/bugs/978038
>
> change_onexec fails for profiles that don't have an attachment specification
> eg. unconfined
>
> This is because change_onexec goes through 2 permission checks. The first
> at the api call point, which is a straight match of the profile name
>
> eg.
> /bin/foo
> unconfined
>
> and a second test at exec time, tying the profile to change to to the
> exec. This allows restricting the transition to specific execs. This
> is mapped as a two entry check
>
> /executable/name\x00profile_name
>
> where the executable name must be marked with the change_onexec permission
> and the subsequent profile name as well.
>
> The previous "fix" only covered adding onexec to executable names and
> also works for the initial change_onexec request when the profile is
> an executable.
>
> However it does not fix the case for when the profile being transitioned
> to is not an executable.
>
> Signed-off-by: John Johansen <[email protected]>
I think this is okay. Acked-By: Steve Beattie <[email protected]>

> ---
> parser/parser_regex.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index c774372..0ba8114 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -525,7 +525,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules,
> struct cod_entry *entry)
> vec[index++] = tbuf;
>
> /* regular change_profile rule */
> - if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index
> - 1, &vec[1], dfaflags))
> + if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE |
> AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
> return FALSE;
> /* onexec rules - both rules are needed for onexec */
> if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, 1, vec,
> dfaflags))
> --
> 1.7.9.1
>
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor

-- 
Steve Beattie <[email protected]>
http://NxNW.org/~steve/
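Review bot: the comment `/* regular change_profile rule */` directly above the changed `aare_add_rule_vec()` call no longer describes what that call adds: the profile-name vector (`&vec[1]`) now carries `AA_CHANGE_PROFILE | AA_ONEXEC`, so the onexec bit is set on the target profile name for every change_profile rule, not only for rules whose target also appears as an exec name. Please update the comment to say that the profile-name entry needs AA_ONEXEC as well, because the exec-time check matches `/executable/name\x00profile_name` and requires the bit on both components (the unconfined case from the commit message), and state explicitly that setting it on every change_profile target is intended, since nothing in the hunk restricts it to onexec-style rules.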
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
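The two permission checks John's message describes (a straight match of the profile name at the change_onexec call, then an exec-time match of exec name and profile name that both need the onexec bit), modelled in C as an added example. This is not code from the AppArmor parser: the real parser compiles rules into a DFA through aare_add_rule_vec(), whereas this model keeps a plain name-to-permission table and looks names up exactly. AA_CHANGE_PROFILE and AA_ONEXEC are reused only as readable bit labels; add_rule(), compile_cp_rule(), the two check functions and the two sample policies are this example's own assumptions. It shows why a target with no attachment (unconfined) fails the exec-time check before the patch and passes after it, and why a target that is itself an executable happened to pass already.

```c
/* Added example: a simplified model of the change_onexec permission checks
 * described in the patch message.  Not AppArmor's code; the table layout,
 * helper names and sample policies are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define AA_CHANGE_PROFILE 0x1u   /* bit labels reused for readability only */
#define AA_ONEXEC         0x2u

#define MAX_ENTRIES 16
#define NAME_LEN    64

/* One table entry: a name (exec path or profile name) and the permission
 * bits accumulated for it across all compiled rules. */
struct entry { char name[NAME_LEN]; unsigned perms; };
static struct entry table[MAX_ENTRIES];
static int nentries;

static void reset_table(void) { nentries = 0; }

/* Stand-in for aare_add_rule_vec() on a one-element vector: OR the bits
 * into the entry for that name, creating the entry if needed.  Returns 1
 * on success, 0 if the table is full or the name is too long. */
static int add_rule(const char *name, unsigned perms)
{
    for (int i = 0; i < nentries; i++)
        if (strcmp(table[i].name, name) == 0) {
            table[i].perms |= perms;
            return 1;
        }
    if (nentries == MAX_ENTRIES || strlen(name) >= NAME_LEN)
        return 0;
    strcpy(table[nentries].name, name);
    table[nentries].perms = perms;
    nentries++;
    return 1;
}

static unsigned perms_of(const char *name)
{
    for (int i = 0; i < nentries; i++)
        if (strcmp(table[i].name, name) == 0)
            return table[i].perms;
    return 0; /* no rule mentions this name */
}

/* A "change_profile <exec> -> <profile>" rule: vec[0] is the exec name,
 * vec[1] the profile name. */
struct cp_rule { const char *exec; const char *profile; };

/* Compile one rule.  With fixed == 0 the profile name gets only
 * AA_CHANGE_PROFILE (pre-patch behaviour); with fixed != 0 it also gets
 * AA_ONEXEC, as the patched call does.  The exec name gets AA_ONEXEC in
 * both cases, as the unchanged second call does. */
static int compile_cp_rule(const struct cp_rule *r, int fixed)
{
    unsigned profile_perms = AA_CHANGE_PROFILE | (fixed ? AA_ONEXEC : 0u);
    return add_rule(r->profile, profile_perms) && add_rule(r->exec, AA_ONEXEC);
}

/* Check 1, at the change_onexec() call: straight match of the profile name. */
static int check_onexec_request(const char *profile)
{
    return (perms_of(profile) & AA_ONEXEC) != 0;
}

/* Check 2, at exec time: the two-entry vector exec\0profile, where both the
 * exec name and the profile name must carry AA_ONEXEC. */
static int check_onexec_at_exec(const char *exec, const char *profile)
{
    return (perms_of(exec) & AA_ONEXEC) != 0 && (perms_of(profile) & AA_ONEXEC) != 0;
}

/* Compile `policy` pre- or post-patch and run both checks for a
 * change_onexec to `profile` followed by an exec of `exec`.
 * Returns 1 if both checks pass, 0 otherwise. */
static int transition_allowed(const struct cp_rule *policy, int n,
                              const char *exec, const char *profile, int fixed)
{
    reset_table();
    for (int i = 0; i < n; i++)
        if (!compile_cp_rule(&policy[i], fixed))
            return 0;
    return check_onexec_request(profile) && check_onexec_at_exec(exec, profile);
}

/* Constructed sample policies (not taken from any real profile). */
static const struct cp_rule policy_unconfined[] = {
    { "/bin/foo", "unconfined" },   /* target has no attachment */
};
static const struct cp_rule policy_exec_target[] = {
    { "/bin/foo", "/bin/bar" },     /* target is itself an executable ... */
    { "/bin/bar", "/bin/baz" },     /* ... and appears as an exec name here */
};

int main(void)
{
    printf("/bin/foo -> unconfined  pre-patch:  %d\n",
           transition_allowed(policy_unconfined, 1, "/bin/foo", "unconfined", 0));
    printf("/bin/foo -> unconfined  post-patch: %d\n",
           transition_allowed(policy_unconfined, 1, "/bin/foo", "unconfined", 1));
    printf("/bin/foo -> /bin/bar    pre-patch:  %d\n",
           transition_allowed(policy_exec_target, 2, "/bin/foo", "/bin/bar", 0));
    return 0;
}
```

With only the first rule of policy_exec_target compiled, the pre-patch transition to /bin/bar is denied as well: the target only carried AA_ONEXEC because a second rule happened to use the same path as an exec name, which is the coincidence the commit message refers to and the reason targets such as unconfined never passed.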
