handle_children(): automatically add m permissions on ix rules

Since some kernel versions, inherit (ix) needs mmap permissions. Instead of annoying the user with an avoidable question after adding an ix rule, always add m permissions. Together with the already existing code, this means newly added inherit rules will now have 'mrix' permissions.
2025-09-01 23:05:11 +00:00 · 2017-12-03 14:39:46 +01:00
parent ca983811fb
commit 7a49f37c24
1 changed files with 2 additions and 2 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1191,8 +1191,8 @@ def handle_children(profile, hat, root):
                                    ans = 'INVALID'

                        if exec_mode and 'i' in exec_mode:
-                            # For inherit we need r
-                            file_perm = 'r'
+                            # For inherit we need mr
+                            file_perm = 'mr'
                        else:
                            if ans == 'CMD_DENY':
                                aa[profile][hat]['file'].add(FileRule(exec_target, None, 'x', FileRule.ALL, owner=False, log_event=True, deny=True))