The previous patch to fix policy compilation around the network flag had a
serious flaw. The test for the network flag was being applied against both
the kernel flags and the cache flags. This means that if either the kernel
or the cache did not have the flag set then network mediation would be
turned off.

Thus if a kernel was booted without the flag, and a cache was generated
based on that kernel and then the system was rebooted into a kernel with
the network flag present, the parser on generating the new policy would
detect the old cache did not support network and turn it off for the
new policy as well.

This can be fixed by either removing the old cache first or regenerating
the cache twice, as the first generation will write that networking is
supported in the cache (even though the policy will have it disabled), and
the second generation will generate the correct policy.

The following patch moves the test so that it is only applied to the kernel
flags set.

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2012-07-17 16:00:53 -07:00
parent 107b5113bd
commit 563a49adc4

@ -873,11 +873,6 @@ static void get_flags_string(char **flags, char *flags_file) {
//fprintf(stderr, "flags string: %s\n", flags_string);
//fprintf(stderr, "changehat %d\n", flag_changehat_version);
}
if (strstr(flags_string, "network"))
kernel_supports_network = 1;
else
kernel_supports_network = 0;
return;
fail:
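Review bot: with the assignment removed from get_flags_string, this helper no longer sets kernel_supports_network for any caller, so the value now depends entirely on whoever reads the kernel flags file later; make sure kernel_supports_network has an explicit default of 0 at its declaration so that the `fail:` path (reached when the flags file cannot be read) leaves network mediation disabled rather than carrying a stale value from an earlier cache read. The commented-out fprintf debug lines left in context above the removed block would also be cleaner as a proper debug-level PDEBUG-style call or dropped entirely.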
@ -1187,7 +1182,12 @@ static void setup_flags(void)
write_cache = 0;
skip_read_cache = 1;
return;
}
} else if (strstr(flags_string, "network"))
kernel_supports_network = 1;
else
kernel_supports_network = 0;
/*
* Deal with cache directory versioning:
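Review bot: the new network test is chained as `} else if (strstr(flags_string, "network"))` onto the preceding block, so it only runs when that block's condition is false; the visible inner branch ends in `return;`, but if any other path through that block falls through, kernel_supports_network is never assigned from the kernel flags string. It would be safer to make the test unconditional, for example a plain `if (strstr(flags_string, "network"))` / `else` pair placed after the closing brace, so every path that reaches the cache-versioning code below has set the flag from the kernel's own flags file, which is the whole point of this fix. Also note that strstr() does a substring match, so any future kernel flag that contains "network" as a substring will be treated as the network flag; tokenising the flags string on whitespace and comparing whole tokens would avoid that.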