On 07/01/2012 03:02 PM, intrigeri wrote:
> tags 679597 + patch
> thanks
> 
> Hi,
> 
> John Johansen wrote (30 Jun 2012 07:30:20 GMT) :
>> Fix the parser so it checks for the presence of the network feature in the
>> compatibility interface. Previously it was assuming that if the compatibility
>> interface was present then network rules were also present; this is not
>> necessarily true and causes apparmor to break when only the compatibility
>> patch is applied.
> 
> Thanks for this patch.
> 
> It works fine for me with the current sid kernel
> (linux-image-3.2.0-3-amd64 3.2.21-3).
> 
> However, on a kernel that has both the compat + network patches applied
> (that is, not the current sid kernel), installing the apparmor
> userspace tools with this patch applied results in reloading all
> profiles (I guess this is normal postinst operation), which triggers
> tons of such error messages:
> 
>   Warning from /etc/apparmor.d/usr.bin.evince
>   (/etc/apparmor.d/usr.bin.evince line 148): profile sanitized_helper
>   network rules not enforced
> 
> And then, it seems like the applications covered by these profiles are
> denied access to the network entirely:
> 
>   type=1400 audit(1341176452.889:291): apparmor="DENIED"
>   operation="create" parent=1 profile="/usr/sbin/ntpd" pid=6748
>   comm="ntpd" family="inet" sock_type="dgram" protocol=0
> 
> (I've not tried rebooting to see what happens, though.)
> 
> So I'm not too sure the network feature detection was fixed entirely.
> 
> But well, in any case, the patch fixes the actual, current bug,
> which is great!
> 

Gah, yes, I didn't test this patch in the case of a kernel without the
networking patch followed by a kernel with it.

What is happening is that it is applying the check against both the kernel
and the cached policy feature set, and turning off networking based on
what is stored in the cached policy, which in turn causes it to generate
the new cache without networking support. The only way to fix this with
the original patch is to remove the cache and then regenerate it.
Sorry about that.

The check just needs to be moved a little. The initial patch should be
reversed and the following patch should be applied, with the caveat that
I haven't had a chance to finish testing it yet, though I should have
that done in a few hours.


=== modified file 'parser/parser_main.c'
--- parser/parser_main.c        2012-07-01 08:35:05 +0000
+++ parser/parser_main.c        2012-07-02 07:49:14 +0000
@@ -1187,7 +1182,12 @@
                write_cache = 0;
                skip_read_cache = 1;
                return;
-       }
+       } else if (strstr(flags_string, "network"))
+               kernel_supports_network = 1;
+       else
+               kernel_supports_network = 0;
+
+
 
        /*
          * Deal with cache directory versioning:
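Review bot: the two trailing blank `+` lines added after the `else` branch are stray whitespace (the file already has a blank line before the `/* Deal with cache directory versioning` comment) and should be dropped. On the logic, `strstr(flags_string, "network")` is a substring match, so any feature name that merely contains "network" would also set `kernel_supports_network = 1`; if the features string is token-based, matching a whole token would be safer. Since the reason for moving this check is that it must be applied against the kernel's feature set rather than the cached policy's, a short comment above the `else if` stating that `flags_string` here is the kernel's features string would document that intent for the next reader.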
