mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-09-04 16:25:10 +00:00
Modified code to check the repository for new profile when:
- processing an unknown hat/execute rejection if its not already in the profile - at the start of processing all the remain events for the profile Addresses novell bug: https://bugzilla.novell.com/show_bug.cgi?id=328707
This commit is contained in:
Dominic Reynolds
@@ -1395,6 +1395,12 @@ sub handlechildren {
|
|||||||
$hat = $uhat;
|
$hat = $uhat;
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
|
my $new_p = fetch_newer_repo_profile($profile);
|
||||||
|
if ( UI_SelectUpdatedRepoProfile($profile, $new_p) and
|
||||||
|
$sd{$profile}{$uhat} ) {
|
||||||
|
$hat = $uhat;
|
||||||
|
next;
|
||||||
|
}
|
||||||
|
|
||||||
# figure out what our default hat for this application is.
|
# figure out what our default hat for this application is.
|
||||||
my $defaulthat;
|
my $defaulthat;
|
||||||
@@ -1520,7 +1526,16 @@ sub handlechildren {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($do_execute) {
|
if ($do_execute) {
|
||||||
|
next if ( profile_exec_access_check( $profile,
|
||||||
|
$hat,
|
||||||
|
"exec",
|
||||||
|
$exec_target ) );
|
||||||
|
my $p = fetch_newer_repo_profile($profile);
|
||||||
|
next if ( UI_SelectUpdatedRepoProfile($profile, $p) and
|
||||||
|
profile_exec_access_check( $profile,
|
||||||
|
$hat,
|
||||||
|
"exec",
|
||||||
|
$exec_target ) );
|
||||||
my $context = $profile;
|
my $context = $profile;
|
||||||
$context .= "^$hat" if $profile ne $hat;
|
$context .= "^$hat" if $profile ne $hat;
|
||||||
$context .= " -> $exec_target";
|
$context .= " -> $exec_target";
|
||||||
@@ -2309,17 +2324,16 @@ sub get_repo_profiles_for_user {
|
|||||||
return $p_hash;
|
return $p_hash;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub check_repo_for_newer {
|
sub fetch_newer_repo_profile {
|
||||||
my $profile = shift;
|
my $profile = shift;
|
||||||
|
|
||||||
my $distro = $cfg->{repository}{distro};
|
my $distro = $cfg->{repository}{distro};
|
||||||
my $url = $sd{$profile}{$profile}{repo}{url};
|
my $url = $sd{$profile}{$profile}{repo}{url};
|
||||||
my $user = $sd{$profile}{$profile}{repo}{user};
|
my $user = $sd{$profile}{$profile}{repo}{user};
|
||||||
my $id = $sd{$profile}{$profile}{repo}{id};
|
my $id = $sd{$profile}{$profile}{repo}{id};
|
||||||
|
|
||||||
return unless ($distro && $url && $user && $id);
|
|
||||||
|
|
||||||
my $p;
|
my $p;
|
||||||
|
|
||||||
|
return undef unless ($distro && $url && $user && $id);
|
||||||
if ($repo_client) {
|
if ($repo_client) {
|
||||||
UI_BusyStart( gettext("Connecting to repository.....") );
|
UI_BusyStart( gettext("Connecting to repository.....") );
|
||||||
my $res =
|
my $res =
|
||||||
@@ -2336,6 +2350,17 @@ sub check_repo_for_newer {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return $p;
|
||||||
|
}
|
||||||
|
|
||||||
|
sub UI_SelectUpdatedRepoProfile ($$) {
|
||||||
|
|
||||||
|
my ($profile, $p) = @_;
|
||||||
|
my $distro = $cfg->{repository}{distro};
|
||||||
|
my $url = $sd{$profile}{$profile}{repo}{url};
|
||||||
|
my $user = $sd{$profile}{$profile}{repo}{user};
|
||||||
|
my $id = $sd{$profile}{$profile}{repo}{id};
|
||||||
|
my $updated = 0;
|
||||||
|
|
||||||
if ($p) {
|
if ($p) {
|
||||||
my $q = { };
|
my $q = { };
|
||||||
@@ -2385,9 +2410,12 @@ sub check_repo_for_newer {
|
|||||||
|
|
||||||
if ($@) {
|
if ($@) {
|
||||||
UI_Info(gettext("Error parsing repository profile."));
|
UI_Info(gettext("Error parsing repository profile."));
|
||||||
|
} else {
|
||||||
|
$updated = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return $updated;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub ask_the_questions {
|
sub ask_the_questions {
|
||||||
@@ -2409,7 +2437,8 @@ sub ask_the_questions {
|
|||||||
|
|
||||||
for my $profile (sort keys %{ $log{$sdmode} }) {
|
for my $profile (sort keys %{ $log{$sdmode} }) {
|
||||||
|
|
||||||
check_repo_for_newer($profile);
|
my $p = fetch_newer_repo_profile($profile);
|
||||||
|
UI_SelectUpdatedRepoProfile($profile, $p) if ( $p );
|
||||||
|
|
||||||
$found++;
|
$found++;
|
||||||
|
|
||||||
@@ -4639,6 +4668,31 @@ sub matchliteral {
|
|||||||
return $matches;
|
return $matches;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub profile_exec_access_check ($$$$) {
|
||||||
|
my ($profile, $hat, $type, $exec_target) = @_;
|
||||||
|
if ( $type eq "exec" ) {
|
||||||
|
my ($combinedmode, $cm, @m);
|
||||||
|
|
||||||
|
# does path match any regexps in original profile?
|
||||||
|
($cm, @m) = rematchfrag($sd{$profile}{$hat}, $exec_target);
|
||||||
|
$combinedmode .= $cm if $cm;
|
||||||
|
|
||||||
|
# does path match anything pulled in by includes in
|
||||||
|
# original profile?
|
||||||
|
($cm, @m) = matchpathincludes($sd{$profile}{$hat}, $exec_target);
|
||||||
|
$combinedmode .= $cm if $cm;
|
||||||
|
|
||||||
|
if (contains($combinedmode, "ix") ||
|
||||||
|
contains($combinedmode, "px") ||
|
||||||
|
contains($combinedmode, "ux") ||
|
||||||
|
contains($combinedmode, "Px") ||
|
||||||
|
contains($combinedmode, "Ux")) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
sub profile_capability_access_check ($$$) {
|
sub profile_capability_access_check ($$$) {
|
||||||
my ($profile, $hat, $capname) = @_;
|
my ($profile, $hat, $capname) = @_;
|
||||||
for my $incname ( keys %{$sd{$profile}{$hat}{include}} ) {
|
for my $incname ( keys %{$sd{$profile}{$hat}{include}} ) {
|
||||||
|
|||||||
Reference in New Issue
Block a user