diff --git a/tests/regression/apparmor/mkprofile.pl b/tests/regression/apparmor/mkprofile.pl
index 00e31fc96..91941634b 100755
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -32,7 +32,7 @@ sub usage {
 print STDERR " help: print this message\n";
 }
 
-&usage && exit 0 if ($help || @ARGV < 1);
+&usage && exit 0 if ($help || @ARGV < 1);
 
 sub emit_netdomain {
 my $rule = shift;
@@ -95,13 +95,17 @@ sub emit_hat {
 (!$nowarn) && print STDERR "Warning: invalid hat description '$rule', ignored\n";
 } else {
 $hat = $rules[1];
- $output_rules{$hat} = ( );
+ # give every profile/hat access to change_hat
+ @{$output_rules{$hat}} = ( " /proc/*/attr/current w,\n",);
 }
 }
 
 my $bin = shift @ARGV;
 !(-e $bin || $nowarn) && print STDERR "Warning: execname '$bin': no such file or directory\n";
 
+# give every profile/hat access to change_hat
+emit_file("/proc/*/attr/current:w");
+
 for my $rule (@ARGV) {
 #($fn, @rules) = split (/:/, $rule);
 if ($rule =~ /^(tcp|udp)/) {
diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
index 9c6aa0cdc..adde4681c 100755
--- a/tests/regression/apparmor/prologue.inc
+++ b/tests/regression/apparmor/prologue.inc
@@ -433,9 +433,7 @@ fi
 ;;
 esac
 
- #give every profile/hat access to change_hat
- args[0]="/proc/*/attr/current:w"
- num_args=1
+ num_args=0
 while [ $# -gt 0 ]
 do
 arg="$1"
@@ -447,15 +445,8 @@ fi
 eval emit_profile \"$imagename\" \"$imageperm\" \
 $(for i in $(seq 0 $((${num_args} - 1))) ; do echo \"\${args[${i}]}\" ; done)
 num_emitted=$((num_emitted + 1))
- #give every profile/hat access to change_hat
- args[0]="/proc/*/attr/current:w"
- num_args=1
+ num_args=0
 continue 2
- elif [ ${arg:0:4} == "hat:" ] ; then
- args[${num_args}]=${arg}
- num_args=$(($num_args + 1))
- args[${num_args}]="/proc/*/attr/current:w"
- num_args=$(($num_args + 1))
 else
 args[${num_args}]=${arg}
 num_args=$(($num_args + 1))
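Review bot: The hat initialisation in emit_hat hard-codes the already formatted rule text `" /proc/*/attr/current w,\n"`, while the main profile gets the same permission through `emit_file("/proc/*/attr/current:w")` a few lines further down, so the two copies can drift apart if emit_file's output format ever changes. If emit_file appends to `$output_rules{$hat}` (its body is not in this hunk, so this is an assumption to confirm), emit_hat could reset the list with `@{$output_rules{$hat}} = ();` and then call `emit_file("/proc/*/attr/current:w");`. As far as the hunk shows, the write rule is now unconditional for every generated profile and hat, so the comment should also state that a test which needs a profile without this permission cannot get one from this script. emit_hat begins above the hunk.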
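Review bot: Starting `num_args` at 0 (here and again after each emitted profile in the following hunk) means the `seq 0 $((${num_args} - 1))` on the `eval emit_profile` line can now run as `seq 0 -1`, which could not happen while `args[0]` was always preset. GNU seq prints nothing for that range, but a seq implementation that counts downwards when the first value exceeds the last would make the loop index array entries that were never set for this profile. The file already depends on bash arrays, so the loop header could be `for ((i = 0; i < num_args; i++))` instead of the seq call. The enclosing block starts and ends outside both hunks, so any other use of the same seq pattern there should be checked as well.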