On 04/11/2012 03:28 PM, Steve Beattie wrote:
> On Wed, Apr 11, 2012 at 01:53:40PM -0700, John Johansen wrote:
>> This fix is needed for the userspace portion of both
>> BugLink: http://bugs.launchpad.net/bugs/963756
>> BugLink: http://bugs.launchpad.net/bugs/978038
>>
>> change_onexec fails for profiles that don't have an attachment specification,
>> e.g. unconfined.
>>
>> This is because change_onexec goes through 2 permission checks. The first
>> at the api call point, which is a straight match of the profile name,
>>
>> e.g.
>> /bin/foo
>> unconfined
>>
>> and a second test at exec time, tying the profile to change to, to the
>> exec. This allows restricting the transition to specific execs. This
>> is mapped as a two entry check
>>
>> /executable/name\x00profile_name
>>
>> where the executable name must be marked with the change_onexec permission
>> and the subsequent profile name as well.
>>
>> The previous "fix" only covered adding onexec to executable names and
>> also works for the initial change_onexec request when the profile is
>> an executable.
>>
>> However it does not fix the case for when the profile being transitioned
>> to is not an executable.
>>
>> Signed-off-by: John Johansen <[email protected]>
>
> I think this is okay. Acked-By: Steve Beattie <[email protected]>
>

I forgot to mention/include the regression tests, though they require a
couple of kernel patches as well :/
>> --- >> parser/parser_regex.c | 2 +- >> 1 files changed, 1 insertions(+), 1 deletions(-) >> >> diff --git a/parser/parser_regex.c b/parser/parser_regex.c >> index c774372..0ba8114 100644 >> --- a/parser/parser_regex.c >> +++ b/parser/parser_regex.c >> @@ -525,7 +525,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, >> struct cod_entry *entry) >> vec[index++] = tbuf; >> >> /* regular change_profile rule */ >> - if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index >> - 1, &vec[1], dfaflags)) >> + if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE | >> AA_ONEXEC, 0, index - 1, &vec[1], dfaflags)) >> return FALSE; >> /* onexec rules - both rules are needed for onexec */ >> if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, 1, vec, >> dfaflags)) >> -- >> 1.7.9.1 >> >> >> -- >> AppArmor mailing list >> [email protected] >> Modify settings or unsubscribe at: >> https://lists.ubuntu.com/mailman/listinfo/apparmor > > > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
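Review bot: the comment `/* regular change_profile rule */` above the changed call no longer describes what the rule grants, since the profile-name vector (`&vec[1]`) is now added with `AA_CHANGE_PROFILE | AA_ONEXEC`; reword it to say the profile-name entry also gets AA_ONEXEC so that the profile half of the exec-time `exec\x00profile` check matches profiles with no attachment, e.g. unconfined. Also, in the visible context both `aare_add_rule_vec` calls run for every entry that reaches this point, so every change_profile rule emitted here now grants onexec on its profile name as well; if plain change_profile rules (without onexec) share this path, confirm that this widening is intended rather than gating the extra bit on the rule actually being an onexec rule.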
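To make the two-stage check described in the commit message concrete, here is a small Python model of it. This is an added illustration, not AppArmor parser or kernel code: it mirrors only what the message states (a profile-name entry checked at the api call, and an exec-time two-entry `exec\x00profile` check in which both components need the onexec permission), with `build_rules`, `change_onexec_allowed`, the sample `RULES` and the flag values all constructed here. The `profile_gets_onexec` switch reproduces the before/after state of this patch, so the `unconfined` failure and its fix can be seen directly.

```python
"""Model of the change_onexec permission checks from the patch discussion.

Constructed example only: it reproduces the rule layout the commit message
describes, not the real DFA or the aare_add_rule_vec() API.
"""

# Permission bits (names follow the parser's flags; values are arbitrary here)
AA_CHANGE_PROFILE = 0x1
AA_ONEXEC = 0x2

# Constructed sample policy: (executable name, profile to transition to)
RULES = [
    ("/bin/foo", "/bin/foo"),     # profile that is itself an executable
    ("/bin/foo", "unconfined"),   # profile with no attachment specification
]


def build_rules(rules, profile_gets_onexec):
    """Return {name: perms} for a list of (exec_name, profile_name) rules.

    Each rule yields two entries, as in the hunk:
      * the profile name ("regular change_profile rule"), carrying
        AA_CHANGE_PROFILE and, after this patch, also AA_ONEXEC;
      * the executable name, carrying AA_ONEXEC (the earlier "fix").
    profile_gets_onexec=False models the tree before this patch, True after.
    """
    perms = {}
    for exec_name, profile in rules:
        bits = AA_CHANGE_PROFILE | (AA_ONEXEC if profile_gets_onexec else 0)
        perms[profile] = perms.get(profile, 0) | bits
        perms[exec_name] = perms.get(exec_name, 0) | AA_ONEXEC
    return perms


def change_onexec_allowed(perms, exec_name, profile):
    """Apply both checks the commit message describes."""
    # 1) api-call-time check: a straight match of the profile name
    if not perms.get(profile, 0) & AA_CHANGE_PROFILE:
        return False
    # 2) exec-time check over "exec\x00profile": the executable name and the
    #    subsequent profile name must each be marked with onexec
    exec_part, _, profile_part = (exec_name + "\x00" + profile).partition("\x00")
    return bool(perms.get(exec_part, 0) & AA_ONEXEC) and \
        bool(perms.get(profile_part, 0) & AA_ONEXEC)


def compare(exec_name, profile):
    """(before, after) results for one transition under the sample RULES."""
    before = build_rules(RULES, profile_gets_onexec=False)
    after = build_rules(RULES, profile_gets_onexec=True)
    return (change_onexec_allowed(before, exec_name, profile),
            change_onexec_allowed(after, exec_name, profile))


if __name__ == "__main__":
    for target in ("/bin/foo", "unconfined", "/bin/bar"):
        print(f"/bin/foo -> {target}: before={compare('/bin/foo', target)[0]}, "
              f"after={compare('/bin/foo', target)[1]}")
```

Before the patch, `/bin/foo -> /bin/foo` passes only because `/bin/foo` also appears as an executable name and so picked up onexec from the earlier fix, while `unconfined` never does and fails the second check; after the patch the profile-name entry carries onexec itself, so both pass, and a profile with no rule at all is still refused at the first check.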
