So this fixes a nasty little bug that can surface in apparmor 2.8 when Hats/children profiles are used.
the matchflags in the dfa backend are not getting properly reset, which results in a previously processed profiles match flags being used. This is not a problem for most permissions but can result in x conflict errors. Note: this should not result in profiles with the wrong x transitions loaded as it causes compilation to file with an x conflict. This is a minimal patch targeted at the 2.8 release. As such I have just updated the delete_ruleset routine to clear the flags as it is already being properly called for every rule set. Apparmor 2.9/3.0 will have a different approach where it is not possible to reuse the flags. Signed-off-by: John Johansen <[email protected]> --- === modified file 'parser/libapparmor_re/aare_rules.cc' --- parser/libapparmor_re/aare_rules.cc 2012-03-09 12:17:47 +0000 +++ parser/libapparmor_re/aare_rules.cc 2012-12-09 09:54:32 +0000 @@ -57,6 +57,8 @@ if (rules->root) rules->root->release(); free(rules); + + aare_reset_matchflags(); } } -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
