mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 00:14:44 +01:00
372764355a
In trunk revno 2335, a bug was fixed in mod_apparmor that corrected
the storage location for AADefaultHatName. The incorrect storage
caused the hat specified by the AADefaultHatName keyword to be the
default value for AAHatName, and meant that if both an AAHatName and
an AADefaultHatName entry were given in a vhost, mod_apparmor would
not fall back to trying AADefaultHatName if the hat specified in
AAHatName did not exist in the apache apparmor profile.
However, because the value specified in AADefaultHatName was the
default, if no AAHatName was specified, it would be attempted first,
before a hat based on the passed URI, rather than after as the
documentation stated and the code intended. By fixing the storage bug,
the attempted hat ordering now matched the documentation. But a number
of users came to rely on AADefaultHatName being attempted before
the URI. For trunk, this issue is less severe because mod_apparmor
passes a vector of hats to aa_change_hatv(), and thus missing URI
hats are not logged by the kernel apparmor bits. It still represents
a behavioral change to users, though.
This patch re-adjusts the ordering so that the URI-based hat is
attempted after the hat specified by AADefaultHatName is attempted,
thus maintaining the actual behavior before the bug addressed in
revno 2335 was fixed.
Patch history:
v1: initial revision
v2: no code changes; adjust comments and improve the man page
documentation
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
|
||
|---|---|---|
| .. | ||
| mod_apparmor | ||
| pam_apparmor | ||
| tomcat_apparmor | ||