Update permission mapping for changes made to the upstream kernel patch.

The changes are around how user data is handled. 1. permissions are mapped before data is matched 2. If data is to be mapped a AA_CONT_MATCH flag is set in the permissions which allows data matching to continue. 3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set This allows better control over matching and auditing of data which can be binary and should not be matched or audited Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Fix the bare file rule so that it grants access to to root
2025-09-02 23:35:37 +00:00 · 2012-03-15 12:54:34 -07:00 · 2012-03-15 12:16:56 -07:00 · 2012-03-15 12:14:15 -07:00 · 2012-03-15 12:10:35 -07:00 · 2012-03-15 09:03:48 -07:00
7 changed files with 133 additions and 56 deletions
--- a/common/Version
+++ b/common/Version
@@ -1 +1 @@
-2.7.99
+2.7.100
--- a/parser/mount.c
+++ b/parser/mount.c
@@ -416,8 +416,8 @@ struct mnt_entry *new_mnt_entry(struct cond_entry *src_conds, char *device,
 			ent->inv_flags = 0;
 		} else if (!(ent->flags | ent->inv_flags)) {
 			/* no flag options, and not remount, allow everything */
-			ent->flags = 0xffffffff;
-			ent->inv_flags = 0xffffffff;
+			ent->flags = MS_ALL_FLAGS;
+			ent->inv_flags = MS_ALL_FLAGS;
 		}

 		ent->allow = allow;
--- a/parser/mount.h
+++ b/parser/mount.h
@@ -103,8 +103,10 @@
 #define AA_MAY_PIVOTROOT 1
 #define AA_MAY_MOUNT 2
 #define AA_MAY_UMOUNT 4
-#define AA_DUMMY_REMOUNT 32	/* dummy perm for remount rule - is remapped
-				 * to a mount option*/
+#define AA_MATCH_CONT 0x40
+#define AA_AUDIT_MNT_DATA AA_MATCH_CONT
+#define AA_DUMMY_REMOUNT 0x40000000	/* dummy perm for remount rule - is
+					 * remapped to a mount option*/


 struct mnt_entry {
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -83,7 +83,7 @@ static struct keyword_table keyword_table[] = {
 	{"remount",		TOK_REMOUNT},
 	{"umount",		TOK_UMOUNT},
 	{"unmount",		TOK_UMOUNT},
-	{"pivotroot",		TOK_PIVOTROOT},
+	{"pivot_root",		TOK_PIVOTROOT},
 	/* terminate */
 	{NULL, 0}
 };
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -692,7 +692,7 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 	char *p = buffer;
 	int i, len = 0;

-	if (flags == 0xffffffff) {
+	if (flags == MS_ALL_FLAGS) {
 		/* all flags are optional */
 		len = snprintf(p, size, "[^\\000]*");
 		if (len < 0 || len >= size)
@@ -704,7 +704,8 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 			len = snprintf(p, size, "(\\x%02x|)", i + 1);
 		else if (flags & (1 << i))
 			len = snprintf(p, size, "\\x%02x", i + 1);
-		/* else     no entry = not set */
+		else	/* no entry = not set */
+			continue;

 		if (len < 0 || len >= size)
 			return FALSE;
@@ -712,6 +713,7 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 		size -= len;
 	}

+	/* this needs to go once the backend is updated. */
 	if (buffer == p) {
 		/* match nothing - use impossible 254 as regex parser doesn't
 		 * like the empty string
@@ -719,7 +721,7 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 		if (size < 9)
 			return FALSE;

-		strcpy(p, "(\\0xfe|)");
+		strcpy(p, "(\\xfe|)");
 	}

 	return TRUE;
@@ -774,6 +776,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 	char optsbuf[PATH_MAX + 3];
 	char *p, *vec[5];
 	int count = 0;
+	unsigned int flags, inv_flags;

 	/* a single mount rule may result in multiple matching rules being
 	 * created in the backend to cover all the possible choices
@@ -781,6 +784,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)

 	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT)
 	    && !entry->device && !entry->dev_type) {
+		int allow;
 		/* remount can't be conditional on device and type */
 		p = mntbuf;
 		/* rule class single byte header */
@@ -801,18 +805,43 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		vec[1] = devbuf;
 		/* skip type */
 		vec[2] = devbuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & MS_REMOUNT_FLAGS,
-				     entry->inv_flags & MS_REMOUNT_FLAGS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_REMOUNT_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_REMOUNT_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
 			goto fail;
-		vec[4] = optsbuf;
-		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
-				       entry->audit, 5, vec, dfaflags))
+
+		if (entry->opts)
+			allow = AA_MATCH_CONT;
+		else
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
 			goto fail;
 		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
 	}
 	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
 	    && !entry->dev_type && !entry->opts) {
@@ -829,9 +858,14 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		if (!convert_entry(typebuf, PATH_MAX +3, NULL))
 			goto fail;
 		vec[2] = typebuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & MS_BIND_FLAGS,
-				     entry->inv_flags & MS_BIND_FLAGS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_BIND_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_BIND_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
@@ -856,9 +890,14 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 			goto fail;
 		vec[1] = devbuf;
 		vec[2] = devbuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & MS_MAKE_FLAGS,
-				     entry->inv_flags & MS_MAKE_FLAGS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_MAKE_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_MAKE_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
@@ -884,9 +923,14 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		if (!convert_entry(typebuf, PATH_MAX +3, NULL))
 			goto fail;
 		vec[2] = typebuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & MS_MOVE_FLAGS,
-				     entry->inv_flags & MS_MOVE_FLAGS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_MOVE_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_MOVE_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
@@ -896,6 +940,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 	}
 	if ((entry->allow & AA_MAY_MOUNT) &&
 	    (entry->flags | entry->inv_flags) & ~MS_CMDS) {
+		int allow;
 		/* generic mount if flags are set that are not covered by
 		 * above commands
 		 */
@@ -911,18 +956,41 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		if (!build_list_val_expr(typebuf, PATH_MAX+2, entry->dev_type))
 			goto fail;
 		vec[2] = typebuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & ~MS_CMDS,
-				     entry->inv_flags & ~MS_CMDS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= ~MS_CMDS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= ~MS_CMDS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
-		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
-			goto fail;
-		vec[4] = optsbuf;
-		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
-				       entry->audit, 5, vec, dfaflags))
+
+		if (entry->opts)
+			allow = AA_MATCH_CONT;
+		else
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
 			goto fail;
 		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
 	}
 	if (entry->allow & AA_MAY_UMOUNT) {
 		p = mntbuf;
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -435,10 +435,6 @@ flagvals:	flagvals flagval
 		    (PATH_CHROOT_REL | PATH_NS_REL))
 			yyerror(_("Profile flag chroot_relative conflicts with namespace_relative"));

-		if (!($1.path & PATH_NS_REL))
-			/* default to chroot relative profiles */
-			$1.path |= PATH_CHROOT_REL;
-
 		if (($1.path & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)) ==
 		    (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED))
 			yyerror(_("Profile flag mediate_deleted conflicts with delegate_deleted"));
@@ -963,7 +959,7 @@ frule:	file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE

 file_rule: TOK_FILE TOK_END_OF_RULE
 	{
-		char *path = strdup("/**");
+		char *path = strdup("/{**,}");
 		int perms = ((AA_BASE_PERMS & ~AA_EXEC_TYPE) |
 			     (AA_EXEC_INHERIT | AA_MAY_EXEC));
 		/* duplicate to other permission set */
@@ -1116,14 +1112,23 @@ mnt_rule: TOK_UMOUNT opt_conds opt_id TOK_END_OF_RULE
 		$$ = do_mnt_rule($2, NULL, NULL, $3, AA_MAY_UMOUNT);
 	}

-mnt_rule: TOK_PIVOTROOT opt_conds opt_id TOK_END_OF_RULE
+mnt_rule: TOK_PIVOTROOT opt_conds opt_id opt_named_transition TOK_END_OF_RULE
 	{
-		$$ = do_pivot_rule($2, $3, NULL);
-	}
+		char *name = NULL;
+		if ($4.present && $4.namespace) {
+			name = malloc(strlen($4.namespace) +
+				      strlen($4.name) + 3);
+			if (!name) {
+				PERROR("Memory allocation error\n");
+				exit(1);
+			}
+			sprintf(name, ":%s:%s", $4.namespace, $4.name);
+			free($4.namespace);
+			free($4.name);
+		} else if ($4.present)
+			name = $4.name;

-mnt_rule: TOK_PIVOTROOT opt_conds opt_id TOK_ARROW TOK_ID TOK_END_OF_RULE
-	{
-		$$ = do_pivot_rule($2, $3, $5);
+		$$ = do_pivot_rule($2, $3, name);
 	}

 hat_start: TOK_CARET {}
@@ -1315,18 +1320,20 @@ struct mnt_entry *do_pivot_rule(struct cond_entry *old, char *root,
 				char *transition)
 {
 	struct mnt_entry *ent = NULL;
-
+	char *device = NULL;
 	if (old) {
 		if (strcmp(old->name, "oldroot") != 0)
 			yyerror(_("invalid pivotroot conditional '%s'"), old->name);
+		if (old->vals) {
+			device = old->vals->value;
+			old->vals->value = NULL;
+		}
+		free_cond_entry(old);
 	}

-	ent = new_mnt_entry(NULL, old->vals->value, NULL, root,
+	ent = new_mnt_entry(NULL, device, NULL, root,
 			    AA_MAY_PIVOTROOT);
 	ent->trans = transition;

-	old->vals->value = NULL;
-	free_cond_entry(old);
-
 	return ent;
 }
--- a/parser/tst/minimize.sh
+++ b/parser/tst/minimize.sh
@@ -75,7 +75,7 @@
 # {a} (0x 40030/0/0/0)

 echo -n "Minimize profiles basic perms "
-if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 6 ] ; then
+if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 6 ] ; then
    echo "failed"
    exit 1;
 fi
@@ -90,7 +90,7 @@ echo "ok"
 # {9} (0x 12804a/0/2800a/0)
 # {c} (0x 40030/0/0/0)
 echo -n "Minimize profiles audit perms "
-if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 6 ] ; then
+if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 6 ] ; then
    echo "failed"
    exit 1;
 fi
@@ -109,7 +109,7 @@ echo "ok"
 # {c} (0x 40030/0/0/0)

 echo -n "Minimize profiles deny perms "
-if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 6 ] ; then
+if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 6 ] ; then
    echo "failed"
    exit 1;
 fi
@@ -127,7 +127,7 @@ echo "ok"
 # {c} (0x 40030/0/0/0)

 echo -n "Minimize profiles audit deny perms "
-if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 6 ] ; then
+if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 6 ] ; then
    echo "failed"
    exit 1;
 fi
@@ -159,7 +159,7 @@ echo "ok"
 #

 echo -n "Minimize profiles xtrans "
-if [ `echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 3 ] ; then
+if [ `echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 3 ] ; then
    echo "failed"
    exit 1;
 fi
@@ -167,7 +167,7 @@ echo "ok"

 # same test as above + audit
 echo -n "Minimize profiles audit xtrans "
-if [ `echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 3 ] ; then
+if [ `echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 3 ] ; then
    echo "failed"
    exit 1;
 fi
@@ -180,7 +180,7 @@ echo "ok"
 # {3} (0x 0/fe17f85/0/14005)

 echo -n "Minimize profiles deny xtrans "
-if [ `echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 1 ] ; then
+if [ `echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 1 ] ; then
    echo "failed"
    exit 1;
 fi
@@ -192,7 +192,7 @@ echo "ok"
 # {3} (0x 0/fe17f85/0/0)

 echo -n "Minimize profiles audit deny xtrans "
-if [ `echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 1 ] ; then
+if [ `echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 1 ] ; then
    echo "failed"
    exit 1;
 fi
Author	SHA1	Message	Date
John Johansen	c50858a877	Update permission mapping for changes made to the upstream kernel patch. The changes are around how user data is handled. 1. permissions are mapped before data is matched 2. If data is to be mapped a AA_CONT_MATCH flag is set in the permissions which allows data matching to continue. 3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set This allows better control over matching and auditing of data which can be binary and should not be matched or audited Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>	2012-03-15 12:54:34 -07:00
John Johansen	a11efe838a	Fix the bare file rule so that it grants access to to root file, should grant access to all files paths on the system but it does not currently allow access to / Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>	2012-03-15 12:16:56 -07:00
John Johansen	d6dc04d737	Fix pivot_root to support named transitions correctly Rename the pivotroot rule to pivot_root to match the command and the fn and fix it to support named transition correctly leveraging the parsing action used for exec transitions. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>	2012-03-15 12:14:15 -07:00
John Johansen	feeea88a58	Fix the case where no flags match Currently the backend doesn't like it (blows up) when the a vector entry is empty. For the case where no flags match build_mnt_flags generates an alternation of an impossible entry and nothing (impossible\|) This provides the effect of a null entry without having an empty vector entry. Unfortunately the impossible entry is not correct. Note: how this is done needs to be changed and fixed in the next release this is just a minimal patch to get it working for 2.8 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>	2012-03-15 12:10:35 -07:00
John Johansen	36d44a3b25	Fix the mount flags set generated by the parser When generating the flag set the parser was not generating the complete set when flags where not consecutive. This is because the len value was not being reset for each flag considered, so once it was set for a flag, then the next flag would have to be set to reset it else the output string was still incremented by the old len value. Eg. echo "/t { mount options=rbind, }" \| apparmor_parser -QT -D rule-exprs results in rule: \x07[^\000]\x00[^\000]\x00[^\000]\x00\x0d -> however \x0d only covers the bind and not the recursive flag This is fixed by adding a continue to the flags generation loop for the else case. resulting the dump from above generating rule: \x07[^\000]\x00[^\000]\x00[^\000]\x00\x0d\x0f -> \x0d\x0f covers both of the required flags Also fix the flags output to allow for the allow any flags case. This was being screened out. By masking the flags even when no flags where specified. this results in a difference of echo "/t { mount, }" \| apparmor_parser -QT -D rule-exprs rule: \x07[^\000]\x00[^\000]\x00[^\000]\x00(\x01\|)(\x02\|)(\x03\|)(\x04\|)(\x05\|)\x00[^\000] becoming \x07[^\000]\x00[^\000]\x00[^\000]\x00[^\000]\x00[^\000]* which is simplified and covers all permissions vs. the first rule output Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>	2012-03-15 09:03:48 -07:00
John Johansen	fc5f4dc86f	Revert commit: -r 1955 Default profiles to be chroot relative This commit causes policy problems because we do not have chroot rules and policy extension to support it. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>	2012-03-15 08:59:56 -07:00
John Johansen	59c0bb0f46	Fix minimize.sh test to screen out more parser error messages by grepping closer to the expected -O dfa-states output	2012-03-09 06:48:03 -08:00
John Johansen	fae11e12cf	Mark the minimize test as executable	2012-03-09 05:54:54 -08:00
John Johansen	e0a74881bf	Bump version for 2.8-beta2	2012-03-09 04:44:37 -08:00
@@ -1 +1 @@
 .7.99
 .7.100