Hello, Am Samstag, 19. März 2016, 11:55:09 CET schrieb Steve Beattie: > On Sun, Feb 21, 2016 at 03:00:06PM +0100, Christian Boltz wrote: > > exec choices are stored in transitions[], but that's never used > > (and I don't see a need for it), therefore stop storing it. > > > > > > [ 73-exec-transitions.diff ] > > > > === modified file 'utils/apparmor/aa.py' > > --- utils/apparmor/aa.py 2016-02-20 12:32:36 +0000 > > +++ utils/apparmor/aa.py 2016-02-21 13:50:24 +0000 > > @@ -1205,7 +1205,6 @@ > > > > context_new = context_new + '^%s' % hat > > > > context_new = context_new + ' -> %s' % > > exec_target > > > > - # ans_new = transitions.get(context_new, '') # > > XXX ans meant here?> > > combinedmode = set() > > combinedaudit = set() > > ## Check return Value Consistency > > > > @@ -1415,7 +1414,6 @@ > > > > exec_mode = exec_mode - > > (apparmor.aamode.AA_EXEC_U > > NSAFE | > > AA_OTHER(apparmor.aamode.A > > A_EXEC_UNSAFE))> > > > > else: > > ans = 'INVALID' > > > > - transitions[context_new] = ans > > > > regex_options = > > re.compile('CMD_(ix|px|cx|nx|pix|cix|nix)' > > ) > > > if regex_options.search(ans): > Are you sure about that? I see in handle_children(): > > > http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/ > utils/apparmor/aa.py#L1075 > > 1075 ans = transitions.get(context, 'XXXINVALIDXXX') > 1076 > 1077 while ans not in ['CMD_ADDHAT', 'CMD_USEDEFAULT', > 'CMD_DENY']: > > and transitions is a global hasher() object. > > But I've only looked at this cursorily, so don't claim any real > understanding of what's going on (or not going on) here.
'transitions' is currently used for storing two not-too-related things: The code you quoted is about hats, and it's looking for 'CMD_ADDHAT', 'CMD_USEDEFAULT' and 'CMD_DENY'. That part is useful and will stay. (Maybe we should rename 'transitions' to a better name (hat_choices?), but that's a cosmetic issue.) The code I want to remove stores the exec choice (CMD_ix, CMD_px etc.) - and that information isn't used anywhere (= storing it is superfluous). Instead, profile_known_exec() is used to check if we need to ask for adding an exec rule or if we already have one. Regards, Christian Boltz -- Möglicherweise laufe ich sogar mit fliegenden Fahnen von Gnome zu KDE über. Jedenfalls, bis sich das Gnome-Projekt dazu entschliesst, Nautilus durch /irgendwas/ zu ersetzen. Notfalls eine Parkuhr oder einen Bratenwender. Aber nicht dieses.... "Ding". [Ratti in suse-linux]
signature.asc
Description: This is a digitally signed message part.
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor