mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00
Code Issues Releases Wiki Activity

Update change_profile rules to allow specifying the onexec condition

Browse Source 
Note: this patch currently overlays onexec with link_name to take
advantage of code already being used on link_name. Ideally what needs
to happen is entry needs to be split into file, link and change_profile
entry classes.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
John Johansen
2015-06-12 15:25:10 -07:00
parent 95cbbe32e0
commit 6707489cdc
4 changed files with 28 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
parser/parser_regex.c
View File

@@ -564,7 +564,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
}
if (entry->mode & AA_CHANGE_PROFILE) {
const char *vec[3];
std::string lbuf;
std::string lbuf, xbuf;
int index = 1;
if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
@@ -575,8 +575,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
warn_change_profile = 0;
}
/* allow change_profile for all execs */
vec[0] = "/[^\\x00]*";
if (entry->onexec) {
ptype = convert_aaregex_to_pcre(entry->onexec, 0, glob_default, xbuf, &pos);
if (ptype == ePatternInvalid)
return FALSE;
vec[0] = xbuf.c_str();
} else
/* allow change_profile for all execs */
vec[0] = "/[^\\x00]*";
if (entry->ns) {
int pos;