when auditd logs get rotated)
- use getgrnam() with setgid when dropping to nobody_group
- add '-u USER' option to drop to this user when running priviliged but
not under sudo. Useful for starting when logged in as root.
- add a read access check before get_logfile_inode() so we don't have to
wait for the timeout in get_logfile_inode()
- set euid only when dropping privileges, instead of using POSIX::setuid()
which sets uid, euid and saved id when starting privileged
- create send_message() function which fork/execs so that we can set the
real uid before calling notify-send (notify-send looks at the real uid
when trying to connect to dbus)
- adjust reopen_logfile() to raise privileges (via euid) before accessing
logfile when $< != $>. Drop them again after open().
- also check for inode change
- update size to use stat
- treat logfile_size like logfile_inode
- update logfile_size and logfile_inode in reopen_logfile()
- add -f option to optionally specify the logfile
- when polling, check to see if the logfile size decreased, and if so, reopen
it. Currently this only works if you can read the file after dropping
privileges
tests. I don't like the solution because it exposes a data structure
definition outside of the only file that should know it's layout.
Also, fixed the Makefile to fail the build when one of the unit test
programs fails. :-(
killall-ing a few things in order to make it stop. And alas, it does seem
to eventually cause kernel hangs with 2.6.32-16. (Committing now before ext4
eats my changes and brain.)
Instead of updating the profile name, allow a profile to have multiple
alternate names. Aliases are now added as alternate names and matched
through the xmatch dfa.
Alias was broken because it when an alias was made the old path was completely
removed and there was no way to specify it. Update it so aliases just add
an new duplicate rule instead.
These replacement routines allow an application to avoid the probing
behavior of earlier version of change_hat. Allowing them to be faster
and have better learning characteristics.
xfail instead of known_{pass,fail}, also have it only reports unexpected
results, error for when result != what it should, and Alert for when it
result is what is should be but is a known problem and hence expected
to report something else.
Also update the regression tests for known problems under AppArmor 2.5,
this does not fix all known problems, (ie hats being removed differently
and hence resulting in unable to load profile errors, and the mknod
problem on alternate runs of the test suite, nor xattrs tests not ensuring
that the fs supports xattrs).
