This (updated) patch to trunk adds support for Px and Ux (toggle
bprm_secure on exec) in the parser, As requested, lowercase p and u
corresponds to an unfiltered environmnet on exec, uppercase will filter
the environment. It applies after the 'm' patch.
As a side effect, I tried to reduce the use of hardcoded characters in
the debugging statements -- there are still a few warnings that have
hard coded letters in them; not sure I can fix them all.
This version issues a warning for every unsafe ux and issues a single
warning for the first 'R', 'W', 'X', 'L', and 'I' it encounters,
except when the "-q" or "--quiet" flag , "--remove" profile flag, or
"-N" report names flags are passed. Unfortunately, it made the logic
somewhat more convoluted. Wordsmithing improvements welcome.
This (updated) patch to trunk adds the m flag to the parser language. The
m flag explicitly does -not- conflict with px, ux, or ix.
It does not add exec mmap as implicit to inherited execs, as it was
asserted that the module should do this.
I have not fixed up the testcases to match.
* patch from SUSE autobuild team to not strip binaries
* convert rpm release for the parser and mod_apparmor packages to
correspond to the svn repository number.
- adds a distinct includes/ subdirectory, populated with a couple of
files that test profiles can include. We purposefully choose to use
a different directory structure than the shipped profile set so that
changes to it will not break our tests.
- modifies the existing test profiles to take advantage of the
includes/ directory.
- modifies tst/Makefile with pushd/popd to get around some pwd
limitations in the parser (that need to be fixed).
This patch prevents the parser from segv'ing if neither of the expected
default profile directories exist (/etc/subdomain.d, /etc/apparmor.d).
A profile passed on the command line or via stdin will still load, so
long as -I/path/to/includes is passed for any relevant includes files.
