This patch updates the initial profile generation for python and ruby scripts to include the respective abstractions.
---
 utils/Immunix/AppArmor.pm | 4 ++++
 1 file changed, 4 insertions(+)
Index: b/utils/Immunix/AppArmor.pm
===================================================================
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -776,6 +776,10 @@ sub create_new_profile($) {
 $profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
 } elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
 $profile->{$fqdbin}{include}->{"abstractions/bash"} = 1;
+ } elsif ($interpreter =~ m/python/) {
+ $profile->{$fqdbin}{include}->{"abstractions/python"} = 1;
+ } elsif ($interpreter =~ m/ruby/) {
+ $profile->{$fqdbin}{include}->{"abstractions/ruby"} = 1;
 }
 handle_binfmt($profile->{$fqdbin}, $interpreter);
 } else {
This patch fixes the profile autogeneration code to include read access to the script itself for interpreted scripts.
---
 utils/Immunix/AppArmor.pm | 2 ++
 1 file changed, 2 insertions(+)
Index: b/utils/Immunix/AppArmor.pm
===================================================================
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -770,6 +770,8 @@ sub create_new_profile($) {
 my $hashbang = head($fqdbin);
 if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
 my $interpreter = get_full_path($1);
+ $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= str_to_mode("r");
+ $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
 $profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");
 $profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
 if ($interpreter =~ /perl/) {
-- Steve Beattie <sbeat...@ubuntu.com> http://NxNW.org/~steve/
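Review bot: The new `m/python/` and `m/ruby/` tests match the substring anywhere in the resolved interpreter path, so an interpreter that merely sits under a directory whose name contains `python` or `ruby` would get the whole abstraction added to its generated profile, which is broader than the script needs. Matching only the final path component would keep the initial profile tighter, for example `} elsif ($interpreter =~ m{/python[\d.]*$}) {` and `} elsif ($interpreter =~ m{/ruby[\d.]*$}) {`. The hashbang pattern visible in the second patch captures only the first word after `#!`, so a `#!/usr/bin/env python` script presumably reaches this chain with `env` as the interpreter and gets neither abstraction; that is worth confirming against get_full_path. The elsif chain starts and ends outside the hunk.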
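Review bot: The second added line ORs `{mode}` with 0, which is a no-op, and looks like a copy-paste slip for the `{audit}` key. The two context lines that follow set `{mode} |= str_to_mode("ix")` and then `{audit} |= 0` for the interpreter path, so the script's own path entry appears to be left without an initialised audit mask. If later code reads `{audit}` for every path entry, it would see undef here (not visible from this hunk, so worth checking). The line should probably read `$profile->{$fqdbin}{allow}{path}->{$fqdbin}{audit} |= 0;`. create_new_profile continues outside the hunk.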