From: Jeff Mahoney
Subject: apparmor-parser: Newer kernels don't require separate removal of hats
References: bnc#588248
The version of AppArmor shipped with kernels later than that shipped with SLE11 GA automatically remove hats underneath profiles. Prior kernels didn't track a parent-child relationship between the profiles and required taht they be cleaned up separately.
Signed-off-by: Jeff Mahoney
---
 parser.h | 3 +++
 parser_interface.c | 12 ++++++++++--
 parser_main.c | 13 ++++++++++++-
 3 files changed, 25 insertions(+), 3 deletions(-)
--- a/parser.h
+++ b/parser.h
@@ -170,6 +170,9 @@ struct var_string {
 #define FLAG_CHANGEHAT_1_5 3
 extern int flag_changehat_version;
+extern int flag_file_version_major;
+extern int flag_file_version_minor;
+
 #ifdef DEBUG
 #define PDEBUG(fmt, args...) printf("parser: " fmt, ## args)
--- a/parser_interface.c
+++ b/parser_interface.c
@@ -764,6 +764,13 @@ int sd_serialize_top_profile(sd_serializ
 return sd_serialize_profile(p, profile, profile->parent ? 1 : 0);
 }
+static int
+hats_need_separate_removal(void)
+{
+ return flag_file_version_major < 3 ||
+ flag_file_version_minor <= 0;
+}
+
 int sd_serialize_codomain(int option, struct codomain *cod)
 {
 int fd;
@@ -878,8 +885,9 @@ int sd_serialize_codomain(int option, st
 close(fd);
 if (cod->hat_table && regex_type == AARE_DFA) {
- if (load_flattened_hats(cod) != 0)
- return 0;
+ if (option != OPTION_REMOVE || hats_need_separate_removal())
+ if (load_flattened_hats(cod) != 0)
+ return 0;
 }
--- a/parser_main.c
+++ b/parser_main.c
@@ -72,7 +72,8 @@ char *flags_string = NULL;
 int regex_type = AARE_DFA;
 char *profile_namespace = NULL;
 int flag_changehat_version = FLAG_CHANGEHAT_1_5;
-
+int flag_file_version_major = 3;
+int flag_file_version_minor = 0;
 extern int current_lineno;
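Review bot: hats_need_separate_removal() in the first parser_interface.c hunk classifies every x.0 file version as pre-3.1, because `flag_file_version_minor <= 0` is tested on its own rather than only when the major number is 3; a kernel reporting file=4.0 would make the parser fall back to separate hat removal even though, per the commit message, such a kernel removes hats itself. If 3.1 is the intended boundary, the return should be `return flag_file_version_major < 3 || (flag_file_version_major == 3 && flag_file_version_minor <= 0);`. A one-line comment above the function naming that boundary, such as `/* file versions below 3.1 do not remove hats together with their parent profile */`, would also help, since the commit message is currently the only place the rule is stated.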
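Review bot: The replacement guard in the second parser_interface.c hunk nests an unbraced `if` inside another unbraced `if`, so any later `else` or added statement will attach to the wrong branch without a compiler complaint. Bracing the outer condition keeps the new skip-on-remove intent visible and the early return unambiguous: `if (option != OPTION_REMOVE || hats_need_separate_removal()) {` around the existing `if (load_flattened_hats(cod) != 0) return 0;` followed by a closing `}`. The body of sd_serialize_codomain begins and ends outside this hunk, so the surrounding control flow is not visible here.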
@@ -418,6 +419,16 @@ static void get_flags_string(void) {
 //fprintf(stderr, "flags string: %s\n", flags_string);
 //fprintf(stderr, "changehat %d\n", flag_changehat_version);
 }
+
+ pos = strstr(flags_string, "file=");
+ if (pos) {
+ if (sscanf(pos, "file=%d.%d%*s", &flag_file_version_major,
+ &flag_file_version_minor) != 2) {
+ flag_file_version_major = 3;
+ flag_file_version_minor = 0;
+ }
+ }
+
 return;
 fail:
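Review bot: `pos = strstr(flags_string, "file=")` matches the key anywhere in the string, including as the tail of a longer token (any key ending in `file=` would satisfy it), so the version numbers could be read from the wrong field; requiring that `pos == flags_string` or that `pos[-1]` is a separator before calling sscanf would make the lookup exact. The two `%d` conversions also accept a sign and do not report overflow, so a malformed but numeric value is stored as-is instead of taking the 3.0 reset branch; a strtol-based parse with range checks would let that branch cover those cases as well. get_flags_string starts before this hunk, so the declaration of `pos` is not visible here; presumably it is the pointer already used by the earlier changehat parsing.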