On Sun, Jul 16, 2017 at 09:47:50PM +0200, Christian Boltz wrote:
> when creating a new child profile, handle_children() did only copy over
> include and path rules. While this was correct in the past, path rules
> got changed to FileRule in the meantime and were therefore lost.
> (In practice, this means the "$binary mr," rule wasn't added to the new
> child profile, causing a "superfluous" question in aa-logprof.)
> 
> This patch changes handle_children() to carry over the complete new
> child profile instead of only cherry-picking include and path rules.
> 
> 
> I propose this patch for trunk and 2.11.
> Older versions (with path as hasher) are not affected.
> 
> [ 01-handle_children-use-new-profile.diff ]

Acked-by: Steve Beattie <[email protected]> for both. Thanks!

> --- utils/apparmor/aa.py        2017-07-16 21:28:03.462623472 +0200
> +++ utils/apparmor/aa.py        2017-07-16 21:34:08.093205307 +0200
> @@ -1266,24 +1270,16 @@
>                              if ynans == 'y':
>                                  hat = exec_target
>                                  if not aa[profile].get(hat, False):
> -                                    aa[profile][hat] = 
> ProfileStorage(profile, hat, 'handle_children()')
> +                                    stub_profile = create_new_profile(hat, 
> True)
> +                                    aa[profile][hat] = stub_profile[hat][hat]
> +
>                                  aa[profile][hat]['profile'] = True
>  
>                                  if profile != hat:
>                                      aa[profile][hat]['flags'] = 
> aa[profile][profile]['flags']
>  
> -                                stub_profile = create_new_profile(hat, True)
> -
>                                  aa[profile][hat]['flags'] = 'complain'
>  
> -                                aa[profile][hat]['allow']['path'] = hasher()
> -                                if 
> stub_profile[hat][hat]['allow'].get('path', False):
> -                                    aa[profile][hat]['allow']['path'] = 
> stub_profile[hat][hat]['allow']['path']
> -
> -                                aa[profile][hat]['include'] = hasher()
> -                                if stub_profile[hat][hat].get('include', 
> False):
> -                                    aa[profile][hat]['include'] = 
> stub_profile[hat][hat]['include']
> -
>                                  file_name = aa[profile][profile]['filename']
>                                  
> filelist[file_name]['profiles'][profile][hat] = True
>  
> 
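
Review bot: with create_new_profile(hat, True) moved under "if not aa[profile].get(hat, False):", a child profile that already exists no longer has its ['allow']['path'] and ['include'] entries replaced from the stub, which the removed lines did on every pass through this branch. That looks like the safer behaviour, but it is a second functional change beyond "carry over the complete new child profile" and the commit message should say so. Separately, in the unchanged context the assignment under "if profile != hat:" is overwritten two statements later by aa[profile][hat]['flags'] = 'complain', so the inherited flags never take effect; either drop that block or make the 'complain' assignment conditional, ideally in a follow-up patch.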

-- 
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
