This fix is needed for the userspace portion of both BugLink: http://bugs.launchpad.net/bugs/963756 BugLink: http://bugs.launchpad.net/bugs/978038
change_onexec fails for profiles that don't have an attachment specification eg. unconfined This is because change_onexec goes through 2 permission checks. The first at the api call point, which is a straight match of the profile name eg. /bin/foo unconfined and a second test at exec time, tying the profile to change to to the exec. This allows restricting the transition to specific execs. This is mapped as a two entry check /executable/name\x00profile_name where the executable name must be marked with the change_onexec permission and the subsequent profile name as well. The previous "fix" only covered adding onexec to executable names and also works for the initial change_onexec request when the profile is an executable. However it does not fix the case for when the profile being transitioned to is not an executable. Signed-off-by: John Johansen <john.johan...@canonical.com> --- parser/parser_regex.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/parser/parser_regex.c b/parser/parser_regex.c index c774372..0ba8114 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -525,7 +525,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry) vec[index++] = tbuf; /* regular change_profile rule */ - if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index - 1, &vec[1], dfaflags)) + if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags)) return FALSE; /* onexec rules - both rules are needed for onexec */ if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, 1, vec, dfaflags)) -- 1.7.9.1 -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor