I just noticed that if the parent profile is in complain mode and the child profile is in enforce mode, aa_change_profile() does not fail with permission denied, but the enforcing child profile's rules are also not honoured afterwards: the file that profile "foo" denies is still created and the program reports "unconfined".
E.g.:
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <limits.h>
#include <stdarg.h>
#include <sys/apparmor.h>
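/*
 * Reproducer for aa_change_profile() behaviour when the calling profile is in
 * complain mode and the target profile is in enforce mode.
 *
 * Switches into the "foo" profile, then tries to create /tmp/foo, which the
 * "foo" profile denies ("audit deny /tmp/foo rw,").
 *
 * Exit status: 0 if the open was denied (confinement is honoured),
 *              1 if the open succeeded (confinement is NOT honoured) or the
 *                profile change itself failed,
 *              2 if the open failed for a reason unrelated to confinement.
 */
int main(int argc, char *argv[]) {
    const char *profile_name = "foo";
    int fd;

    (void)argc;
    (void)argv;

    /* From here on the process is supposed to be confined by "foo". */
    if (aa_change_profile(profile_name) != 0) {
        perror("could not change profile");
        exit(1);
    }

    /*
     * The rule under test denies "rw", so request read/write explicitly.
     * O_CREAT|O_TRUNC with no access mode is an implicit O_RDONLY; O_TRUNC
     * without write access is undefined per POSIX and does not exercise the
     * write side of the deny rule.
     */
    fd = open("/tmp/foo", O_RDWR|O_CREAT|O_TRUNC, 0644);
    if (fd == -1) {
        int saved_errno = errno;  /* printf()/perror() may clobber errno */

        /*
         * Only a permission error is evidence of confinement (AppArmor
         * normally reports a denied file access as EACCES; EPERM is accepted
         * as well). ENOSPC, EROFS etc. must not be reported as "confined".
         */
        if (saved_errno == EACCES || saved_errno == EPERM) {
            printf("confined\n");
            exit(0);
        }
        errno = saved_errno;
        perror("open failed for a reason unrelated to confinement");
        exit(2);
    }

    printf("unconfined\n");
    close(fd);
    exit(1);
}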
$ cd /tmp
$ gcc -lapparmor ./foo.c
$ cat /etc/apparmor.d/tmp.a.out
#include <tunables/global>
/tmp/a.out flags=(complain) {
#include <abstractions/base>
/** rwmkl,
change_profile -> foo,
}
profile foo {
/** rwmkl,
audit deny /tmp/foo rw,
}
$ ./a.out
unconfined
[1]
$ ls -l /tmp/foo
-rw-r--r-- 1 jamie jamie 0 2009-08-05 16:56 /tmp/foo
Using the following profile instead (the parent profile in enforce mode rather than complain), the change_profile call itself is refused:
$ cat /etc/apparmor.d/tmp.a.out
#include <tunables/global>
/tmp/a.out {
#include <abstractions/base>
/** rwmkl,
change_profile -> foo,
}
profile foo {
/** rwmkl,
audit deny /tmp/foo rw,
}
$ /tmp/a.out
could not change profile: Permission denied
[1]
--
[karmic] aa_change_profile() no longer works
https://bugs.launchpad.net/bugs/401931