On Thu, Jun 04, 2015 at 03:56:38AM -0700, John Johansen wrote: > While change_profile rules are always created separately from file > rules. The merge phase can result in change_profile rules merging > with file rules, resulting in the change_profile permission being > set when a file rule is created. > > Make sure to screen off the change_profile permission, when creating > a file rule. > > Note: the proper long term fix is to split file, link and change_profile > rules into their own classes. > > Signed-off-by: John Johansen <[email protected]> > --- > parser/parser_regex.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/parser/parser_regex.c b/parser/parser_regex.c > index 30f009f..52c2753 100644 > --- a/parser/parser_regex.c > +++ b/parser/parser_regex.c > @@ -532,8 +532,9 @@ static int process_dfa_entry(aare_rules *dfarules, struct > cod_entry *entry) > if (entry->deny) { > if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) && > !dfarules->add_rule(tbuf.c_str(), entry->deny, > - entry->mode & ~AA_LINK_BITS, > - entry->audit & ~AA_LINK_BITS, dfaflags)) > + entry->mode & ~(AA_LINK_BITS | > AA_CHANGE_PROFILE), > + entry->audit & ~(AA_LINK_BITS | > AA_CHANGE_PROFILE), > + dfaflags))
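Review bot: the hunk only masks AA_CHANGE_PROFILE on the add_rule() call inside the `if (entry->deny)` branch, and the diffstat (1 file, 3 insertions, 2 deletions) suggests the allow-side add_rule() call in process_dfa_entry() is untouched; given that the commit message says merged change_profile bits can end up in any file rule, it is worth confirming that the non-deny path applies the same `~(AA_LINK_BITS | AA_CHANGE_PROFILE)` mask to both mode and audit, otherwise the leak the change describes persists for allow rules. As a style point, the same mask expression is now repeated three times in a few lines and forces the awkward line wrapping; a local like `unsigned int file_mask = ~(AA_LINK_BITS | AA_CHANGE_PROFILE);` (name is a suggestion) would keep `entry->mode & file_mask, entry->audit & file_mask, dfaflags` on one line and make the intent explicit.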
I think the indentation there should be deeper as dfarules is still an argument to dfarules->add_rule(). With the indentation fixed,

Acked-by: Steve Beattie <[email protected]>.

-- 
Steve Beattie <[email protected]>
http://NxNW.org/~steve/
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
