Update change_profile rules to allow specifying the onexec condition
Note: this patch currently overlays onexec onto link_name to take advantage of the code already used for link_name. Ideally, entry should be split into separate file, link and change_profile entry classes. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
@@ -564,7 +564,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
|
||||
}
|
||||
if (entry->mode & AA_CHANGE_PROFILE) {
|
||||
const char *vec[3];
|
||||
std::string lbuf;
|
||||
std::string lbuf, xbuf;
|
||||
int index = 1;
|
||||
|
||||
if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
|
||||
@@ -575,8 +575,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
|
||||
warn_change_profile = 0;
|
||||
}
|
||||
|
||||
/* allow change_profile for all execs */
|
||||
vec[0] = "/[^\\x00]*";
|
||||
if (entry->onexec) {
|
||||
ptype = convert_aaregex_to_pcre(entry->onexec, 0, glob_default, xbuf, &pos);
|
||||
if (ptype == ePatternInvalid)
|
||||
return FALSE;
|
||||
vec[0] = xbuf.c_str();
|
||||
} else
|
||||
/* allow change_profile for all execs */
|
||||
vec[0] = "/[^\\x00]*";
|
||||
|
||||
if (entry->ns) {
|
||||
int pos;
|
||||
|
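Review bot: In the new onexec branch, `ptype = convert_aaregex_to_pcre(entry->onexec, 0, glob_default, xbuf, &pos);` takes the address of `pos`, yet the only `pos` visible in this hunk is the `int pos;` declared later inside `if (entry->ns) {`, so the call must depend on a `pos` (and a `ptype`) declared earlier in process_dfa_entry, outside the hunk, which the inner declaration then shadows. If that outer variable exists, removing the inner `int pos;` or renaming one of the two would make the scoping unambiguous; if it does not, the onexec conversion writes to an uninitialized position. The unbraced `} else` followed by a comment and the single fallback assignment is also fragile: wrapping it as `} else {` … `vec[0] = "/[^\\x00]*";` … `}` keeps a later insertion from silently changing which statement is the else body. The enclosing function starts before this hunk.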