From 01b7969eee4edf236fdf9682cc8d8e1040bfbd7e Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Tue, 15 Feb 2011 16:24:33 -0800
Subject: [PATCH] From: Jeff Mahoney Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the sub-profile in enforce mode. When genprof cycles multiple times, it prohibits the sub-profile from working correctly. e.g. # Last Modified: Mon Jan 24 13:52:26 2011 #include /home/jeffm/mycat flags=(complain) { #include #include #include /bin/bash ix, /bin/cat cx, /home/jeffm/mycat r, profile /bin/cat { #include /bin/cat r, /home/jeffm/mycat r, } } This patch allows sub-profiles to inherit the flags from the parent profile, which allows it to be created in complain mode (if appropriate). The temporary complain flags are cleaned up at genprof completion as expected. This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney
Acked-By: Steve Beattie
Bug: https://launchpad.net/bugs/707092
---
 utils/SubDomain.pm | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/utils/SubDomain.pm b/utils/SubDomain.pm
index ff5f0bf6b..e109bb846 100755
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2388,6 +2388,12 @@ sub handlechildren {
 # we have seen more than a declaration so clear it
 $sd{$profile}{$hat}{'declared'} = 0;
 $sd{$profile}{$hat}{profile} = 1;
+
+ # Otherwise sub-profiles end up getting
+ # put in enforce mode with genprof
+ $sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;
+
+ $sd{$profile}{$hat}{flags} = 'complain';
 $sd{$profile}{$hat}{allow}{path} = { };
 $sd{$profile}{$hat}{allow}{netdomain} = { };
 my $file = $sd{$profile}{$profile}{filename};
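Review bot: The unconditional `$sd{$profile}{$hat}{flags} = 'complain';` added two lines after the inheritance statement overwrites the value just copied from `$sd{$profile}{$profile}{flags}`, so the `if $profile ne $hat` assignment has no effect and every entry created in this branch is marked complain whatever the parent's mode is. That does not match the description's "(if appropriate)": a sub-profile created under an enforcing parent would be left logging rather than blocking unless the genprof cleanup, which is not visible in this hunk, resets it. If 'complain' is meant only as a default when nothing was inherited, guard it, for example `$sd{$profile}{$hat}{flags} = 'complain' unless defined $sd{$profile}{$hat}{flags};`, or drop the line. The body of handlechildren starts and ends outside the hunk, so any other place that sets these flags should be checked before settling on the guard.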