mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 23:35:37 +00:00
Code Issues Releases Wiki Activity

add support for set capability

Browse Source
This commit is contained in:
John Johansen
2008-04-18 21:08:34 +00:00
parent 94c795aa52
commit ad996cec9c
1 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
utils/SubDomain.pm
View File

@@ -3011,7 +3011,7 @@ sub ask_the_questions {
$deleted)) if $deleted; $deleted)) if $deleted;
} }
# stick the capability into the profile # stick the capability into the profile
$sd{$profile}{$hat}{allow}{capability}{$capability} = 1; $sd{$profile}{$hat}{allow}{capability}{$capability}{set} = 1;
# mark this profile as changed # mark this profile as changed
$changed{$profile} = 1; $changed{$profile} = 1;
@@ -3019,7 +3019,7 @@ sub ask_the_questions {
# give a little feedback to the user # give a little feedback to the user
UI_Info(sprintf(gettext('Adding capability %s to profile.'), $capability)); UI_Info(sprintf(gettext('Adding capability %s to profile.'), $capability));
} elsif ($ans eq "CMD_DENY") { } elsif ($ans eq "CMD_DENY") {
$sd{$profile}{$hat}{deny}{capability}{$capability} = 1; $sd{$profile}{$hat}{deny}{capability}{$capability}{set} = 1;
# mark this profile as changed # mark this profile as changed
$changed{$profile} = 1; $changed{$profile} = 1;
UI_Info(sprintf(gettext('Denying capability %s to profile.'), $capability)); UI_Info(sprintf(gettext('Denying capability %s to profile.'), $capability));
@@ -3608,8 +3608,8 @@ sub matchcapincludes (\%$) {
next if ($includevalid == 0); next if ($includevalid == 0);
push @newincludes, $incname push @newincludes, $incname
if ( defined $include{$incname}{allow}{capability}{$cap} && if ( defined $include{$incname}{allow}{capability}{$cap}{set} &&
$include{$incname}{allow}{capability}{$cap} == 1 ); $include{$incname}{allow}{capability}{$cap}{set} == 1 );
} }
return @newincludes; return @newincludes;
} }
@@ -3968,7 +3968,7 @@ sub collapselog () {
# if we don't already have this capability in the profile, # if we don't already have this capability in the profile,
# add it # add it
unless ($sd{$profile}{$hat}{allow}{capability}{$capability}) { unless ($sd{$profile}{$hat}{allow}{capability}{$capability}{set}) {
$log{$sdmode}{$profile}{$hat}{capability}{$capability} = 1; $log{$sdmode}{$profile}{$hat}{capability}{$capability} = 1;
} }
} }
@@ -4338,7 +4338,7 @@ sub parse_profile_data {
my $allow = 'allow'; my $allow = 'allow';
$allow = 'deny' if ($1); $allow = 'deny' if ($1);
my $capability = $2; my $capability = $2;
$profile_data->{$profile}{$hat}{$allow}{capability}{$capability} = 1; $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{set} = 1;
} elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry } elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry
if (not $profile) { if (not $profile) {
die sprintf(gettext('%s contains syntax errors.'), $file) . "\n"; die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
@@ -5124,11 +5124,11 @@ sub profile_known_exec (\%$$) {
sub profile_known_capability (\%$) { sub profile_known_capability (\%$) {
my ($profile, $capname) = @_; my ($profile, $capname) = @_;
return -1 if $profile->{deny}{capability}{$capname}; return -1 if $profile->{deny}{capability}{$capname}{set};
return 1 if $profile->{allow}{capability}{$capname}; return 1 if $profile->{allow}{capability}{$capname}{set};
for my $incname ( keys %{$profile->{include}} ) { for my $incname ( keys %{$profile->{include}} ) {
return -1 if $include{$incname}{deny}{capability}{$capname}; return -1 if $include{$incname}{deny}{capability}{$capname}{set};
return 1 if $include{$incname}{allow}{capability}{$capname}; return 1 if $include{$incname}{allow}{capability}{$capname}{set};
} }
return 0; return 0;
} }
@@ -5258,7 +5258,7 @@ sub loadinclude {
} elsif (/^\s*capability\s+(.+)\s*,\s*$/) { } elsif (/^\s*capability\s+(.+)\s*,\s*$/) {
my $capability = $1; my $capability = $1;
$include{$incfile}{allow}{capability}{$capability} = 1; $include{$incfile}{allow}{capability}{$capability}{set} = 1;
} elsif (/^\s*#include <(.+)>\s*$/) { } elsif (/^\s*#include <(.+)>\s*$/) {
# include stuff # include stuff