The default change_onexec id is slightly wrong; it allows matching
'/' as an executable, but it really should be anything under /.

This results in the equality tests for change_profile failing as it
is different than what specifying /** in a rule does.

We could define that rules need to be {/,}** to be equivalent, but since
/ cannot be an executable, change the default value to match what
/** is converted into.

Signed-off-by: John Johansen <[email protected]>
---
 parser/parser_regex.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 52c2753..0480c8d 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -583,7 +583,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct 
cod_entry *entry)
                        vec[0] = xbuf.c_str();
                } else
                        /* allow change_profile for all execs */
-                       vec[0] = "/[^\\x00]*";
+                       vec[0] = "/[^/\\x00][^\\x00]*";
 
                if (entry->ns) {
                        int pos;
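Review bot: the new default pattern `"/[^/\\x00][^\\x00]*"` now requires at least one character that is neither '/' nor NUL immediately after the leading '/', so the bare path "/" no longer matches, which is the stated goal; note that this also rejects a leading "//" in the same way the `/**` conversion would, so the two forms stay equivalent for the change_profile equality tests the commit message mentions. The comment on the preceding line, `/* allow change_profile for all execs */`, is still accurate but could usefully say that the default mirrors what `/**` is converted into, so a future reader does not "simplify" it back to `/[^\\x00]*`; it would also be worth confirming that an equality test covers the bare-`change_profile` versus `change_profile /**` case so this regression cannot silently return.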
-- 
2.1.4


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor