Maybe. The parser currently clears the deny bit once it has subtracted any allows from the state. I need to double-check the dfa-states dump, but I believe it is post clearing of the deny bits. It does this because the permission interface to the kernel does not currently track explicit denies. Since the information is not being used by the kernel, the parser is throwing it away early in hopes of being able to reduce more states. The mask to be looking at is the quiet mask, which is cleared too.
What is the output with -D expr-tree -D node-map?

--
https://bugs.launchpad.net/bugs/1226356
Title: explicit deny rules do not silence logging denials
