[apparmor] [PATCH] utils: Handle the safe/unsafe change_profile exec modes
Seth Arnold
seth.arnold at canonical.com
Mon Jun 27 17:48:43 UTC 2016
On Sat, Jun 25, 2016 at 03:59:06PM -0500, Tyler Hicks wrote:
> https://launchpad.net/bugs/1584069
>
> This patch adds support for the safe and unsafe exec modes for
> change_profile rules. The logic is pretty simple at this point because
> the kernel's default for exec modes changed in newer versions.
> Therefore, this patch simply retains any specified exec mode in parsed
> rules. If an exec mode is not specified in a rule, there is no attempt
> to force the usage of "safe" because older kernels do not support it.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
> def is_covered_localvars(self, other_rule):
> '''check if other_rule is covered by this rule object'''
>
> + if self.execmode != other_rule.execmode:
> + return False
> +
> if not self._is_covered_plain(self.execcond, self.all_execconds, other_rule.execcond, other_rule.all_execconds, 'exec condition'):
> # TODO: honor globbing and variables
> return False
One quick note that this isn't strictly true -- the absense of execmode in
one will cover the 'unsafe' in the other, but handling this case may break
the "no attemp to force the usage" case.
It might be worth a TODO or something to remind us.
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160627/c2bf0cea/attachment.pgp>
More information about the AppArmor
mailing list