On Fri, Aug 12, 2016 at 10:54:09PM +0200, Christian Boltz wrote: > aa-logprof needs to check if an exec rule for a given path exists. > > This patch adds a __FileAnyExec class to FileRule, as well as ANY_EXEC > (which should be used externally, similar to ALL), and adjusts several > checks to allow it as a special execute mode. > > This will allow to use is_covered() (or aa.py is_known_rule()) to find > out if execute is permitted, which replaces aa.py profile_known_exec() > in one of the following patches. > > As usual, also add some tests. > > [ 13-FileRule-add-ANY_EXEC.diff ] > > === modified file ./utils/apparmor/rule/file.py > --- utils/apparmor/rule/file.py 2016-02-21 15:43:58.009985520 +0100 > +++ utils/apparmor/rule/file.py 2016-02-21 16:05:39.673508607 +0100 > @@ -235,12 +242,14 @@ > return False > > # TODO: handle fallback modes? > - if other_rule.exec_perms and self.exec_perms != > other_rule.exec_perms: > + if other_rule.exec_perms == self.ANY_EXEC and self.exec_perms: > + pass # avoid hitting the 'elif' branch > + elif other_rule.exec_perms and self.exec_perms != > other_rule.exec_perms: > return False
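Review bot: In the new `if other_rule.exec_perms == self.ANY_EXEC and self.exec_perms:` branch, the case that matters most (an ANY_EXEC query against a rule with no exec permissions) is not handled there but falls through to the `elif`. It therefore returns False only if ANY_EXEC is truthy and compares unequal to the empty exec_perms value, and neither property is visible in this hunk. Giving ANY_EXEC its own branch would make the intent explicit and drop the `pass`: test `other_rule.exec_perms == self.ANY_EXEC` first, `return False` inside it when `not self.exec_perms`, and keep the original mismatch check as the `elif`. Because the commit message says is_covered() will be used to find out whether execute is permitted, it is worth confirming that the added tests include ANY_EXEC against a rule without exec permissions.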
Could you give a more explanatory comment than merely wanting to skip the elif: test? Or restructure the conditionals that make it clear in what situations we're returning False here for?

That said, that's not enough of a criticism to block my Acked-by: Steve Beattie <[email protected]>.

Thanks.

-- 
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
