mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix screening of change_profile permission from file rule entries

Browse source 
While change_profile rules are always created separately from file
rules. The merge phase can result in change_profile rules merging
with file rules, resulting in the change_profile permission being
set when a file rule is created.

Make sure to screen off the change_profile permission, when creating
a file rule.

Note: the proper long term fix is to split file, link and change_profile
rules into their own classes.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
John Johansen 2015-06-12 15:25:10 -07:00
parent 6707489cdc
commit 899cea3396
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
parser/parser_regex.c
View file

@ -532,8 +532,9 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
if (entry->deny) { if (entry->deny) {
if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) && if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) &&
!dfarules->add_rule(tbuf.c_str(), entry->deny, !dfarules->add_rule(tbuf.c_str(), entry->deny,
entry->mode & ~AA_LINK_BITS, entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
entry->audit & ~AA_LINK_BITS, dfaflags)) entry->audit & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
dfaflags))
return FALSE; return FALSE;
} else if (entry->mode & ~AA_CHANGE_PROFILE) { } else if (entry->mode & ~AA_CHANGE_PROFILE) {
if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->mode, if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->mode,