mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

parser: Fix automatic adding of rule for change_hat interface

Browse source 
The parser is supposed to add a rule to profiles if they are a hat
or contain hats granting write access to the kernel interfaces
used to perform the change_hat operation.

Unfortunately the check is broken and currently won't add the
rule to hats (it does add it for the parent).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/625
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
This commit is contained in:
John Johansen 2020-09-17 04:38:56 -07:00
parent d6f332ab03
commit 5b850c154f
1 changed files with 2 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
parser/parser_policy.c
View file

@ -204,9 +204,8 @@ static int profile_add_hat_rules(Profile *prof)
{
struct cod_entry *entry;
/* TODO: ??? fix logic for when to add to hat/base vs. local */
/* don't add hat rules for local_profiles or base profiles */
if (prof->local || prof->hat_table.empty())
/* don't add hat rules if not hat or profile doesn't have hats */
if (!prof->flags.hat || !prof->hat_table.empty())
return 0;
/* add entry to hat */