This patch updates the initial profile generation for python and ruby scripts to include the respective abstractions.
---
utils/Immunix/AppArmor.pm | 4 ++++
1 file changed, 4 insertions(+)
Index: b/utils/Immunix/AppArmor.pm
===================================================================
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -776,6 +776,10 @@ sub create_new_profile($) {
$profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
} elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
$profile->{$fqdbin}{include}->{"abstractions/bash"} = 1;
+ } elsif ($interpreter =~ m/python/) {
+ $profile->{$fqdbin}{include}->{"abstractions/python"} = 1;
+ } elsif ($interpreter =~ m/ruby/) {
+ $profile->{$fqdbin}{include}->{"abstractions/ruby"} = 1;
}
handle_binfmt($profile->{$fqdbin}, $interpreter);
} else {
This patch fixes the profile autogeneration code to include read access
to the script itself for interpreted scripts.
---
utils/Immunix/AppArmor.pm | 2 ++
1 file changed, 2 insertions(+)
Index: b/utils/Immunix/AppArmor.pm
===================================================================
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -770,6 +770,8 @@ sub create_new_profile($) {
my $hashbang = head($fqdbin);
if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
my $interpreter = get_full_path($1);
+ $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |=
str_to_mode("r");
+ $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
$profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |=
str_to_mode("ix");
$profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
if ($interpreter =~ /perl/) {
--
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/
signature.asc
Description: Digital signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
