From 0a26ce3acdc34b71d3a1b940cf4ab5c9590c1fae Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Thu, 28 Dec 2023 23:29:09 +0100
Subject: [PATCH] ask_exec(): no longer skip exec events in hats

Instead of ignoring all exec events that happen in a hat/child profile, only disallow child exec. ix and px are valid options inside a hat and are now offered to the user.

(When the tools support nested child profiles one day, we can even allow child exec again.)

Backported from dfb6f90aee9eb406caf5f75355be5a4bd2a4ecbc / https://gitlab.com/apparmor/apparmor/-/merge_requests/1133 to match the 3.1 branch

(cherry picked from commit 0e70ad9b7c50b3d8d0cb5a53ac69a32eba364aa0)
---
 utils/apparmor/aa.py | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 8ed94dbdd..8fefbe7d1 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -813,11 +813,6 @@ def ask_exec(hashlog):
 for aamode in hashlog:
 for full_profile in hashlog[aamode]:
- if '//' in hashlog[aamode][full_profile]['final_name'] and hashlog[aamode][full_profile]['exec'].keys():
- # TODO: is this really needed? Or would removing Cx from the options be good enough?
- aaui.UI_Important('WARNING: Ignoring exec event in %s, nested profiles are not supported yet.' % hashlog[aamode][full_profile]['final_name'])
- continue
-
 profile, hat = split_name(full_profile) # XXX temporary solution to avoid breaking the existing code
 for exec_target in hashlog[aamode][full_profile]['exec']:
@@ -848,7 +843,9 @@ def ask_exec(hashlog):
 ##options = 'i'
 # Don't allow hats to cx?
- options.replace('c', '')
+ if '//' in hashlog[aamode][full_profile]['final_name'] and hashlog[aamode][full_profile]['exec'].keys():
+ options = options.replace('c', '')
+
 # Add deny to options
 options += 'd'
 # Define the default option
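Review bot: The `and hashlog[aamode][full_profile]['exec'].keys()` clause in the new condition of the second hunk appears to be always true at this point, because the code runs inside the `for exec_target in hashlog[aamode][full_profile]['exec']:` loop left as context in the first hunk, so the test can be reduced to `if '//' in hashlog[aamode][full_profile]['final_name']:`. The emptiness check was meaningful in the removed pre-loop guard it was copied from, but here it only obscures the intent. The comment above the new block still reads as an open question, `# Don't allow hats to cx?`; now that the restriction is actually enforced (the old `options.replace('c', '')` discarded its result), it could state the reason, e.g. `# child profiles (cx) inside a hat are not supported yet, so drop that option`. The enclosing ask_exec() body starts before and continues after both hunks.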