This patch fixes a couple of issues with autodep:

  1) The initial profile construction had not been adjusted to include
     the 'allow' or 'deny' hash prefixing the path elements. This
     fixes it by eliminating the path portion entirely and pushing
     the path based accesses to the later analysis section of code.

  2) the mode of the original binary was accidentally getting reset
     to 0, when it was intended to initialize the audit field to 0.

---
 utils/Immunix/AppArmor.pm |   27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

Index: b/utils/Immunix/AppArmor.pm
===================================================================
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -748,22 +748,12 @@ sub create_new_profile($) {
     my $fqdbin = shift;
 
     my $profile;
-    if ($fqdbin =~ /^\// ) {
-       $profile = {
-           $fqdbin => {
-               flags   => "complain",
-               include => { "abstractions/base" => 1    },
-               path    => { $fqdbin => { mode => str_to_mode("mr") } },
-           }
-       };
-    } else {
-       $profile = {
-           $fqdbin => {
-               flags   => "complain",
-               include => { "abstractions/base" => 1    },
-           }
-       };
-    }
+    $profile = {
+       $fqdbin => {
+           flags   => "complain",
+           include => { "abstractions/base" => 1    },
+       }
+    };
 
     # if the executable exists on this system, pull in extra dependencies
     if (-f $fqdbin) {
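Review bot: The new unconditional initializer at L39 still leaves `my $profile;` as a separate declaration on the line above it; with the branch gone the two can be folded into `my $profile = {` so the variable is initialized where it is declared. The `/^\//` test that the old code used to decide whether a path entry was created is dropped here and, as far as this patch shows, not reintroduced where the path entries are now added (they sit under the `-f $fqdbin` test instead), so a relative name that happens to exist relative to the working directory would get a relative entry under `allow{path}`; if callers always pass an absolute path, as the name `$fqdbin` suggests, this is moot, but a comment such as `# $fqdbin is expected to be absolute; path entries are added below once the file is found` would record that assumption. create_new_profile continues past the end of this hunk.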
@@ -771,7 +761,7 @@ sub create_new_profile($) {
         if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
             my $interpreter = get_full_path($1);
             $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 
str_to_mode("r");
-            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
+            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{audit} |= 0;
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= 
str_to_mode("ix");
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
             if ($interpreter =~ /perl/) {
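Review bot: The corrected line at L54 uses `|= 0` to get "initialize audit to 0 unless already set", which is the intent the commit message states but not what the operator reads as; the defined-or assignment `$profile->{$fqdbin}{allow}{path}->{$fqdbin}{audit} //= 0;` says it directly, provided the file's minimum perl is 5.10 or later (I cannot tell from this hunk). The same idiom on the untouched L57 line for `$interpreter` is pre-existing and would want the same treatment only if the file adopts it consistently. create_new_profile starts before and continues after this hunk.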
@@ -785,6 +775,8 @@ sub create_new_profile($) {
             }
             handle_binfmt($profile->{$fqdbin}, $interpreter);
         } else {
+          $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 
str_to_mode("mr");
+          $profile->{$fqdbin}{allow}{path}->{$fqdbin}{audit} |= 0;
           handle_binfmt($profile->{$fqdbin}, $fqdbin);
         }
     }
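Review bot: The two lines added to the `else` branch at L63-L65 are indented two columns less than the `if` branch body above them (compare the `handle_binfmt` call at L61), matching the already mis-indented `handle_binfmt` line at L66, so the inconsistency now spreads rather than being fixed. The `audit |= 0` assignment for `$fqdbin` is now done in both branches; it could be hoisted above the `if ($hashbang ...)` (which starts in the previous hunk, outside this one) as a single `$profile->{$fqdbin}{allow}{path}->{$fqdbin}{audit} |= 0;`, leaving only the `mode` lines to differ. The `mode` difference itself — `"r"` for a script in the `if` branch versus `"mr"` here — is presumably deliberate, and a one-line comment on the new line such as `# native executable: needs mmap (m) as well as read` would make that explicit.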
@@ -798,6 +790,7 @@ sub create_new_profile($) {
         }
     }
     push @created, $fqdbin;
+    $DEBUGGING && debug( Data::Dumper->Dump([$profile], [qw(*profile)]));
     return { $fqdbin => $profile };
 }
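Review bot: The added debug line at L73 uses `&&` as a statement-level conditional; the idiomatic form is the postfix `debug( Data::Dumper->Dump([$profile], [qw(*profile)]) ) if $DEBUGGING;`, which also avoids `&&` binding surprises inside an expression. The hunk does not show whether the file already loads `Data::Dumper`; if it does not, this line fails at runtime only when `$DEBUGGING` is set, so that is worth confirming. Note also that the dump is taken before the next line wraps the structure as `{ $fqdbin => $profile }`, so the debug output sits one nesting level below what the function returns; a short comment, `# dumps the inner profile, not the wrapped return value`, would save a reader from comparing the two.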
 

