[apparmor] [PATCH] aa-easyprof updates
Seth Arnold
seth.arnold at canonical.com
Fri Jul 5 20:08:49 UTC 2013
On Mon, Jul 01, 2013 at 05:15:07PM -0500, Jamie Strandboge wrote:
> + def set_template(self, template, allow_abs_path=True):
> '''Set current template'''
> self.template = template
> + if "../" in template:
> + raise AppArmorException('template "%s" contains "../" escape path' % (template))
> + if template.startswith('/'):
> + if not allow_abs_path:
> + raise AppArmorException("Cannot use an absolute path template '%s'" % template)
> + else:
> self.template = os.path.join(self.dirs['templates'], template)
> if not os.path.exists(self.template):
> raise AppArmorException('%s does not exist' % (self.template))
There's a race condition here; well, maybe not -race-, but self.template
is updated before the sanity checks are performed. If either of those
exceptions gets ignored in callers, the template is set to unsafe values.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130705/707edbce/attachment.pgp>
More information about the AppArmor
mailing list