mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-06 09:21:00 +01:00
This should solve the "overlapping rules with conflicting 'x' modifiers" problem (introduced with r3594) entirely. The other options I could think of were: * ix → Pix, adjust all profiles that do 'ix' accordingly, and leave alone those that do Pix already; downsides: requires updating quite a few profiles all around the place, and breaks a mere "file," rule; * ix → Pix, adjust all profiles that do 'ix' accordingly, and change the "file," rule semantics to imply Pix; downside: very intrusive, and likely to break random existing policy in ways that are hard to predict; * stick to ix, and adjust all profiles that do anything else with overlapping rules, to do ix instead; downside: in some cases this means removing the 'P' modifier, which can cause regressions in how we confine stuff. I've looked up in the bzr history to understand why execution rights would be needed, and… the answer predates the move to bzr. Looking into the SVN history, if it's even available anywhere, is a bit too much for me, so I've tested this change and the few applications I've tried did not complain. Of course, more testing will be needed. |
||
---|---|---|
.. | ||
apparmor/profiles/extras | ||
apparmor.d | ||
Makefile |