Hello, according to a discussion with John on IRC, denied_mask="x" can only happen for 'exec' log events. This patch raises an exception if John is wrong ;-)
[ 75-x-but-not-exec-exception.diff ] === modified file ./utils/apparmor/aa.py --- utils/apparmor/aa.py 2016-02-21 15:43:58.021985441 +0100 +++ utils/apparmor/aa.py 2016-02-21 16:06:41.744595751 +0100 @@ -1210,6 +1210,8 @@ if mode & str_to_mode('x'): if os.path.isdir(exec_target): raise AppArmorBug('exec permissions requested for directory %s. This should not happen - please open a bugreport!' % exec_target) + elif typ != 'exec': + raise AppArmorBug('exec permissions requested for %i(exec_target)s, but mode is %(mode)s instead of exec. This should not happen - please open a bugreport!' % {'exec_target': exec_target, 'mode':mode}) else: do_execute = True Regards, Christian Boltz -- >Weil es sehr weit verbreitet ist, eingespielt und "überall drauf". Die weite Verbreitung ist allenfalls geeignet, die kaputte Syntax auszugleichen, ein Erfordernis also, kein Pluspunkt. [> Ratti und Thorsten Haude in suse-linux zur Frage "Warum procmail?"]
signature.asc
Description: This is a digitally signed message part.
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor