a535402f17
Accepted submit request 59064 from user jeff_mahoney OBS-URL: https://build.opensuse.org/request/show/59064 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=5
From: Jeff Mahoney <jeffm@suse.com>
|
|
Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
|
|
References: bnc#496204
|
|
|
|
When creating profiles with cx subprofiles, genprof will set the
|
|
sub-profile in enforce mode. When genprof cycles multiple times, it
|
|
prohibits the sub-profile from working correctly.
|
|
|
|
e.g.
|
|
|
|
# Last Modified: Mon Jan 24 13:52:26 2011
|
|
#include <tunables/global>
|
|
|
|
/home/jeffm/mycat flags=(complain) {
|
|
#include <abstractions/base>
|
|
#include <abstractions/bash>
|
|
#include <abstractions/consoles>
|
|
|
|
/bin/bash ix,
|
|
/bin/cat cx,
|
|
/home/jeffm/mycat r,
|
|
|
|
profile /bin/cat {
|
|
#include <abstractions/base>
|
|
|
|
/bin/cat r,
|
|
/home/jeffm/mycat r,
|
|
|
|
}
|
|
}
|
|
|
|
This patch allows sub-profiles to inherit the flags from the parent
|
|
profile, which allows it to be created in complain mode (if appropriate).
|
|
The temporary complain flags are cleaned up at genprof completion as
|
|
expected.
|
|
|
|
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
|
|
|
|
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
|
---
|
|
utils/SubDomain.pm | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
--- a/utils/SubDomain.pm
|
|
+++ b/utils/SubDomain.pm
|
|
@@ -2337,6 +2337,12 @@ sub handlechildren {
|
|
# we have seen more than a declaration so clear it
|
|
$sd{$profile}{$hat}{'declared'} = 0;
|
|
$sd{$profile}{$hat}{profile} = 1;
|
|
+
|
|
+ # Otherwise sub-profiles end up getting
|
|
+ # put in enforce mode with genprof
|
|
+ $sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;
|
|
+
|
|
+ $sd{$profile}{$hat}{flags} = 'complain';
|
|
$sd{$profile}{$hat}{allow}{path} = { };
|
|
$sd{$profile}{$hat}{allow}{netdomain} = { };
|
|
my $file = $sd{$profile}{$profile}{filename};
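Review bot: The added `$sd{$profile}{$hat}{flags} = 'complain';` runs unconditionally two lines after the inheritance assignment, so it overwrites whatever was just copied from the parent and the `if $profile ne $hat` line has no effect. As written, every profile created on this path is put in complain mode, even under an enforcing parent, which is not the "inherit (if appropriate)" behaviour the description states. Complain mode only logs, so a sub-profile left that way is not confined; this relies on the genprof cleanup step always running, which may not hold if other callers reach this code. If a complain default is wanted only for the non-inherited case, put it first so the inherited value wins: `$sd{$profile}{$hat}{flags} = 'complain';` followed by `$sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;`. Otherwise drop the second assignment. The body of handlechildren starts and ends outside this hunk, so the surrounding conditions should be checked before choosing.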
|