On Wed, Sep 28, 2016 at 11:08:40PM +0200, Christian Boltz wrote:
> if a merged profile contains additional hats or subprofiles, the "old"
> aa-mergeprof silently created them as additional hasher elements (partly
> buggy, because subprofiles would end up as '^/subprofile' instead of
> 'profile subprofile'). After switching to FileRule, aa-mergeprof crashes
> on new hats or subprofiles.
>
> This patch adds code to ask the user if the new hat or subprofile should
> be added - which means this patch replaces two bugs (crash + silently
> adding subprofiles and hats) with a new feature ;-)
>
>
> The new questions also add a new text CMD_ADDSUBPROFILE in ui.py.
>
> Finally, the new "button" combinations get added to test-translations.py.
>
>
>
> If you want to test, try to aa-mergeprof this profile (the subprofile
> and hat are dummies, nothing ping would really require):
>
>
> #include <tunables/global>
> /{usr/,}bin/ping {
> #include <abstractions/base>
> #include <abstractions/consoles>
> #include <abstractions/nameservice>
>
> capability net_raw,
> capability setuid,
> network inet raw,
> network inet6 raw,
>
> /{,usr/}bin/ping mixr,
> /etc/modules.conf r,
>
> ^hat {
> /bin/hat r,
> /bin/bash px,
> }
>
> profile /subprofile {
> /bin/subprofile r,
> /bin/bash px,
> }
>
> # Site-specific additions and overrides. See local/README for details.
> #include <local/bin.ping>
> }
>
> Note that this patch is not covered by unittests, but it passed all my
> manual tests.
>
> [ 41-mergeprof-new-subprofiles.diff ]Acked-by: Steve Beattie <[email protected]>. Thanks! -- Steve Beattie <[email protected]> http://NxNW.org/~steve/
signature.asc
Description: PGP signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
