mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 22:35:35 +00:00
Code Issues Releases Wiki Activity

The upstream 2.6.36 version of apparmor doesn't support network rules.

Browse Source 
Add a flag to the parser controlling the output of network rules,
and warn per profile when network rules are not going to be enforced.
This commit is contained in:
John Johansen
2010-08-26 10:37:46 -07:00
parent 1f1a303457
commit 8762c1dcfb
3 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
parser/parser_interface.c
View File

@@ -639,7 +639,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
if (!sd_serialize_rlimits(p, &profile->rlimits))
return 0;
if (profile->network_allowed) {
if (profile->network_allowed && kernel_supports_network) {
size_t i;
if (!sd_write_array(p, "net_allowed_af", get_af_max()))
return 0;
@@ -655,7 +655,8 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
}
if (!sd_write_arrayend(p))
return 0;
}
} else if (profile->network_allowed)
pwarn(_("profile %s network rules not enforced\n"), profile->name);
/* either have a single dfa or lists of different entry types */
if (regex_type == AARE_DFA) {