From 7a49f37c2481f761f8304712aa380acddfdb6303 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 3 Dec 2017 14:39:46 +0100
Subject: [PATCH] handle_children(): automatically add m permissions on ix rules

Since some kernel versions, inherit (ix) needs mmap permissions. Instead of annoying the user with an avoidable question after adding an ix rule, always add m permissions. Together with the already existing code, this means newly added inherit rules will now have 'mrix' permissions.
---
 utils/apparmor/aa.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 674459727..1e7f4bba2 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1191,8 +1191,8 @@ def handle_children(profile, hat, root):
 ans = 'INVALID'
 if exec_mode and 'i' in exec_mode:
- # For inherit we need r
- file_perm = 'r'
+ # For inherit we need mr
+ file_perm = 'mr'
 else:
 if ans == 'CMD_DENY':
 aa[profile][hat]['file'].add(FileRule(exec_target, None, 'x', FileRule.ALL, owner=False, log_event=True, deny=True))
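Review bot: The new comment `# For inherit we need mr` does not say why `m` is granted, so someone auditing generated profiles cannot tell from the code that the executable-mapping permission is added on purpose and was not in the logged event. I would carry the commit message's rationale into the code, for example `# ix needs r to read the binary and, on some kernel versions, m to mmap it; add m up front instead of prompting later`. Because the rule now ends up broader than what the user confirmed, it may also be worth surfacing the auto-added `m` where the rule is shown to the user. The body of handle_children() starts and ends outside the hunk, so I cannot confirm that here. The diffstat touches only utils/apparmor/aa.py, so a test pinning the resulting 'mrix' permissions for a newly added ix rule appears to be missing.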