was addressed (however temporarily) in commit 2085.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Minimization was failing because it was too agressive. It was minimizing
as if there was only 1 accept condition. This allowed it to remove more
states but at the cost of loosing unique permission sets, they where
being combined into single commulative perms. This means that audit,
deny, xtrans, ... info on one path would be applied to all other paths
that it was combined with during minimization.
This means that we need to retain the unique accept states, not allowing
them to be combined into a single state. To do this we put each unique
permission set into its own partition at the start of minimization.
The states within a partition have the same permissions and can be combined
within the other states in the partition as the loss of unique path
information is will not result in a conflict.
This is similar to what perm hashing used to do but deny information is
still being correctly applied and carried.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
The in x intersection consistency test for minimization was failing because
it was screening off the AA_MAY_EXEC permission before passing the exec
information to the consistency test fn. This resulted in the consistency
test fn not testing the consistency because it treated the permission set
as not having x permissions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
x Permissions when specified as a the start of the rule had a differnt
meaning than when they appeared at the tail of a rule.
Specifically px,cx,ux were not treated as unsafe when they appeared at
the start of the rule.
px /foo,
instead of at the tail of the rule
/foo px,
the keyword unsafe had to be used to force the rule to cause the x transitio
to be its unsafe variant.
Fix leading permissions so that they are consistent with file rules that
use trailing permissions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Several of the x-trans tests where failing because of the include file was
bad. This kept the test from testing what it was supposed as the test
was expected to fail. Thus hidding a bug :(
Signed-off-by: John Johansen <john.johansen@canonical.com>
