On Fri, Aug 12, 2016 at 10:48:13PM +0200, Christian Boltz wrote: > Hello, > > The 'exec' handling in handle_children starts with > > if do_execute: > if profile_known_exec(...) > continue > > which means if profile_known_exec() returns True, the rest of the loop > will be skipped. profile_known_exec() will return True if it finds an > exec rule in the profile or an include (independent of the exec type, > and (thanks to rematchfrag()) even if the path is globbed. > > Later in the loop, there are checks for various exec modes - but those > checks can only be reached without an existing x rule, so they'll never > be hit. > > This patch removes the dead code in the handle_children() / 'exec' / 'no > existing x rule found' section. > > I confirmed that this code is really dead by > a) reading the code and, after being confused > b) two manual aa-logprof runs with coverage enabled - in one of them, I > added some ix, Px and Cx rules, and in the second one, no more exec > rules were needed/asked. > > After dropping the dead code, combinedmode and combinedaudit are no > longer used, so we can also drop the code that sets those variables. > > > Sidenote: this patch drops 2% of the lines in aa.py ;-) > > > [ 08-handle-children-drop-dead-code.diff ] >
> - else:
> +
> + if True:
> options = cfg['qualifiers'].get(exec_target, 'ipcnu')
> if to_name:
> fatal_error(_('%s has transition name but not
> transition mode') % entry)
>
>
It could drop a bit more if you removed the 'if True:' line and all those
needless spaces :D
Acked-by: Seth Arnold <[email protected]>
Thanks
signature.asc
Description: PGP signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
