Hello,

when creating a new child profile, handle_children() only copied over
include and path rules. While this was correct in the past, path rules
got changed to FileRule in the meantime and were therefore lost.
(In practice, this means the "$binary mr," rule wasn't added to the new
child profile, causing a "superfluous" question in aa-logprof.)

This patch changes handle_children() to carry over the complete new
child profile instead of only cherry-picking include and path rules.


I propose this patch for trunk and 2.11.
Older versions (with path as hasher) are not affected.


[ 01-handle_children-use-new-profile.diff ]

--- utils/apparmor/aa.py        2017-07-16 21:28:03.462623472 +0200
+++ utils/apparmor/aa.py        2017-07-16 21:34:08.093205307 +0200
@@ -1266,24 +1270,16 @@
                             if ynans == 'y':
                                 hat = exec_target
                                 if not aa[profile].get(hat, False):
-                                    aa[profile][hat] = ProfileStorage(profile, 
hat, 'handle_children()')
+                                    stub_profile = create_new_profile(hat, 
True)
+                                    aa[profile][hat] = stub_profile[hat][hat]
+
                                 aa[profile][hat]['profile'] = True
 
                                 if profile != hat:
                                     aa[profile][hat]['flags'] = 
aa[profile][profile]['flags']
 
-                                stub_profile = create_new_profile(hat, True)
-
                                 aa[profile][hat]['flags'] = 'complain'
 
-                                aa[profile][hat]['allow']['path'] = hasher()
-                                if stub_profile[hat][hat]['allow'].get('path', 
False):
-                                    aa[profile][hat]['allow']['path'] = 
stub_profile[hat][hat]['allow']['path']
-
-                                aa[profile][hat]['include'] = hasher()
-                                if stub_profile[hat][hat].get('include', 
False):
-                                    aa[profile][hat]['include'] = 
stub_profile[hat][hat]['include']
-
                                 file_name = aa[profile][profile]['filename']
                                 filelist[file_name]['profiles'][profile][hat] 
= True
 
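Review bot: In the `if not aa[profile].get(hat, False):` branch, the object now stored in `aa[profile][hat]` comes from `create_new_profile(hat, True)`, which is given only `hat`, while the removed line built it as `ProfileStorage(profile, hat, 'handle_children()')`. If the storage object records the profile and hat names it was created with, the child would now be labelled as a top-level `hat` profile instead of a child of `profile`; please confirm this is harmless or reset those fields after the copy. Moving the stub creation inside this branch also means an already existing `aa[profile][hat]` no longer has its path and include rules overwritten by the stub, which looks intended but should be stated in the commit message. Separately, the `flags` assignment under `if profile != hat:` is overwritten by `aa[profile][hat]['flags'] = 'complain'` right after it and could be dropped in the same change. A regression test that checks the new child profile contains the "$binary mr," rule would guard against this being lost again.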


Regards,

Christian Boltz
-- 
Sadly, the relationship between CSS and HTML is the same relationship
that links the instructions for building your IKEA bed, and the
unassembled, spiteful wooden planks that purportedly contain latent bed
structures.
[https://scholar.harvard.edu/files/mickens/files/towashitallaway.pdf]
