likely need more once more ibus users start to use it. Additionally,
the 'rw' on the @{HOME}/.config/ibus/bus/ probably only needs 'create'
and 'chmod', so that could be tightened up once those are exposed in
the tools. LP: #649497.
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- use character globbing
- require owner match for files in @{HOME}
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- fix typo for Desktop (should be Desktop/)
- require owner match
- allow writes to @{HOME}/[dD]ownload{,s}
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
* add Canonical to the headers of the pod files touched
* use aa_change_hat() instead of change_hat() (LP: #692216)
* use http://wiki.apparmor.net in the SEE ALSO
* use http://https://bugs.launchpad.net/apparmor/+filebug for bugs
* prefix 'aa-' in SEE ALSO section for utilities (eg, 'aa-complain'
for 'complain')
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
changehat/mod_apparmor/mod_apparmor.pod: make several clarifications
and add a summary for the order of operations
Nominated-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

Subject: apparmor: Fix use after free in regexp parser

There are two cases of use-after-free in the simply_tree_base code. It
worked in the past because there aren't any allocations between the
free and the use, so it was still around.

With glibc's memory perturbing feature (set _MALLOC_PERTURB to anything),
the freed memory is poisoned. This causes crashes in e.g. apparmor_parser
while parsing certain profiles.

This patch addresses it by saving a pointer to the node to free after
the node is advanced.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

The is_merged_x_consistend macro was incorrect in that it tested for
USER_EXEC_TYPE to determine if there was an x transition. This fails
for unconfined execs so an unconfined exec would not correctly conflict
with another exec type.

The dfa match flag table for xtransitions was not large enough and not
indexed properly for pux and cux transitions. The index calculation did
not take into account the pux flag so that pux and px aliased to the same
location and cux and cx aliased to the same location.

This would result in the first rule being processed defining what the
transition type was for all following rules of the type following. So
if a px transition was processed first, all pux transitions in the profile
would be treated pux.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

Add auto generation of xtransition conflict tests

All the combinations of xtransition conflicts were not well represented in
the regression test suite. Instead of relying on multiple static test
files, automatically generate all possible conflicts.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

documentation for the expected outcome and add additional positive test.
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Jamie Strandboge <jamie@canonical.com>
that don't want full docs can pick targets they want. Comment out
debug dump of generate af_names.h.
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com>
rename_dest, and mkdir operations into account, as well as add
logparsing library testcases for those operations.
Bug: https://bugs.launchpad.net/apparmor/+bug/623467
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
that links to the patches will be posted to the wiki and the mailing
list.
Nominated-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com> (on irc)
the beginning of the script and add an additional sleep before the
parser invocation that generates the cache file for the first time.
Submitted-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Kees Cook <kees@ubuntu.com>
done to fix the bug where abstraction updates do not cause the cache
file to become invalid.
Nominated-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
operation so that the caching tests can be added to the build. Update
caching tests to detect non-ns-resolution filesystems and back off
on the timing test.
Nominated-by: Kees Cook <kees.cook@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>