On Sat, Jun 25, 2016 at 03:59:06PM -0500, Tyler Hicks wrote:
> https://launchpad.net/bugs/1584069
>
> This patch adds support for the safe and unsafe exec modes for
> change_profile rules. The logic is pretty simple at this point because
> the kernel's default for exec modes changed in newer versions.
> Therefore, this patch simply retains any specified exec mode in parsed
> rules. If an exec mode is not specified in a rule, there is no attempt
> to force the usage of "safe" because older kernels do not support it.
>
> Signed-off-by: Tyler Hicks <[email protected]>
Acked-by: Seth Arnold <[email protected]>

> def is_covered_localvars(self, other_rule): > '''check if other_rule is covered by this rule object''' > > + if self.execmode != other_rule.execmode: > + return False > + > if not self._is_covered_plain(self.execcond, self.all_execconds, > other_rule.execcond, other_rule.all_execconds, 'exec condition'): > # TODO: honor globbing and variables > return False

One quick note that this isn't strictly true -- the absence of execmode in one will cover the 'unsafe' in the other, but handling this case may break the "no attempt to force the usage" case. It might be worth a TODO or something to remind us.

Thanks
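
Review bot: the added "if self.execmode != other_rule.execmode: return False" at the top of is_covered_localvars uses strict inequality and carries no comment, so a rule with no exec mode and a rule with an explicit mode never cover each other, and the reason for that choice is not recorded in the code. Since the commit message says an unspecified mode is deliberately not forced to "safe", put a short comment or TODO above the check, in the style of the existing "# TODO: honor globbing and variables" under the execcond check, stating that unset-versus-explicit coverage is intentionally not handled here. A test that pins the current behaviour for the unset-versus-explicit pair would keep a later change to this comparison from passing unnoticed.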
