While change_profile rules are always created separately from file rules, the merge phase can result in change_profile rules merging with file rules, resulting in the change_profile permission being set when a file rule is created.
Make sure to screen off the change_profile permission, when creating a file rule. Note: the proper long term fix is to split file, link and change_profile rules into their own classes. Signed-off-by: John Johansen <[email protected]> --- parser/parser_regex.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/parser/parser_regex.c b/parser/parser_regex.c index 30f009f..52c2753 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -532,8 +532,9 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) if (entry->deny) { if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) && !dfarules->add_rule(tbuf.c_str(), entry->deny, - entry->mode & ~AA_LINK_BITS, - entry->audit & ~AA_LINK_BITS, dfaflags)) + entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), + entry->audit & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), + dfaflags)) return FALSE; } else if (entry->mode & ~AA_CHANGE_PROFILE) { if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->mode, -- 2.1.4 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
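Review bot: the allow branch at the end of the hunk still passes `entry->mode` unmasked to add_rule (`} else if (entry->mode & ~AA_CHANGE_PROFILE) { if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->mode,`), so after this change the change_profile bit is screened off only on the deny path; if the goal stated in the message is to keep that bit out of every file rule, the allow call should mask `entry->mode` (and `entry->audit`) the same way, or the message should explain why deny rules are the only affected path. A smaller point: the mask `(AA_LINK_BITS | AA_CHANGE_PROFILE)` now appears three times within a few lines of this function, and pulling it into one local constant (a hypothetical `file_mask`, for example) would keep the guard and the two add_rule arguments from drifting apart in a later edit.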
