Kshitij and I worked on this today. After a very interesting[tm] hunt through the code, here's a proof-of-concept patch:
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2014-08-17 16:16:33 +0000
+++ utils/apparmor/aa.py 2014-08-17 20:51:09 +0000
@@ -1043,6 +1043,14 @@
if not regex_nullcomplain.search(p) and not regex_nullcomplain.search(h): profile = p hat = h
+ else:
+ if profile_changes[pid]:
+ print(profile_changes[pid])
+ if len(profile_changes[pid].split("//"))>1:
+ profile,hat=profile_changes[pid].split("//")
+ else:
+ profile=profile_changes[pid]
+ hat=profile
if not profile or not hat or not detail: continue
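Review bot: the new else branch indexes profile_changes[pid] directly, so a log line for a pid that has never been recorded raises KeyError unless profile_changes is a defaultdict; use profile_changes.get(pid) and only fall back to the tracked value when it is present. The print(profile_changes[pid]) is leftover debugging output and should go before this is merged, and profile,hat=profile_changes[pid].split("//") should pass maxsplit=1 (split("//", 1)) so a value containing more than one // separator does not fail the tuple unpacking instead of yielding a profile and a hat.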
@@ -1097,6 +1106,7 @@
if do_execute: if profile_known_exec(aa[profile][hat], 'exec', exec_target):
+ profile_changes[pid] = '/home/cb/linuxtag/apparmor/scripts/hello///usr/bin/cat' continue
p = update_repo_profile(aa[profile][profile])
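Review bot: the profile_changes[pid] assignment stores a hardcoded path; as the message itself says, it has to be built from the current profile, exec_target and the exec mode recorded in the profile (a cx rule gives profile//exec_target, px gives exec_target on its own, ix leaves the profile as it is, ux should record nothing). Two smaller points: the assignment sits inside the profile_known_exec() branch right before continue, so a pid only gets tracked for execs the profile already allows, and nothing in the patch ever removes the entry again, so it outlives the process and a reused pid will inherit a stale profile.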
The first section of the patch is probably the final version already.
Needless to say, the profile_changes[pid] = ... line should not be hardcoded ;-) - it needs to be filled based on the exec mode which we already have in the profile.
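The following is an added example, not code from the mail or from the AppArmor tree: it shows how the hardcoded profile_changes[pid] value from the second hunk could be derived from the exec mode, and how the "profile//hat" string the first hunk splits can be parsed without the KeyError and unpacking hazards. It goes beyond the single cx case in the patch and covers ix, px and ux as well, following the exec-mode semantics of apparmor.d(5). EXAMPLE_PROFILE, EXAMPLE_EXEC_RULES, the function names and the pids are constructed for this example; aa.py keeps exec rules in a different structure, so record_exec() is a sketch of the lookup, not a drop-in for the hunk.

```python
"""Added example (not AppArmor code): derive the value the patch hardcodes in
profile_changes[pid] from the exec mode, and parse it robustly.
Exec modes follow apparmor.d(5): ix inherits the current profile, px/Px
transitions to the discrete profile named after the target, cx/Cx to a child
profile named parent//target, ux/Ux leaves confinement."""

# Constructed stand-in for one profile's exec rules (not aa.py's structure).
EXAMPLE_PROFILE = '/home/cb/linuxtag/apparmor/scripts/hello'
EXAMPLE_EXEC_RULES = {
    '/usr/bin/cat': 'cx',   # child profile hello///usr/bin/cat
    '/bin/grep':    'Px',   # discrete profile /bin/grep (scrubbed environment)
    '/bin/sed':     'ix',   # inherits the current profile
    '/usr/bin/id':  'ux',   # becomes unconfined
}


def tracked_value(profile, hat):
    """Format (profile, hat) the way the first hunk expects it: the bare
    profile name when there is no separate hat, otherwise 'profile//hat'."""
    return profile if hat == profile else profile + '//' + hat


def profile_after_exec(profile, hat, exec_target, exec_mode):
    """Value to store in profile_changes[pid] after exec_target is executed
    with exec_mode from profile/hat; None when the task becomes unconfined.
    Fallback modes (pix, cix, pux, cux) are treated as their primary
    transition; deciding the fallback would need the full profile set."""
    m = exec_mode.lower()
    if m.startswith('i'):           # ix: stay in the current profile/hat
        return tracked_value(profile, hat)
    if m.startswith('p'):           # px: the target path names the profile
        return tracked_value(exec_target, exec_target)
    if m.startswith('c'):           # cx: child profile of the current profile
        return tracked_value(profile, exec_target)
    if m.startswith('u'):           # ux: unconfined, nothing to track
        return None
    raise ValueError('unknown exec mode %r' % exec_mode)


def parse_tracked(profile_changes, pid):
    """Robust counterpart of the first hunk's split(): returns (profile, hat),
    (None, None) for a pid that was never recorded, and never fails on a value
    with more than one '//' (everything after the first one is the hat)."""
    value = profile_changes.get(pid)
    if not value:
        return (None, None)
    if '//' in value:
        profile, hat = value.split('//', 1)
        return (profile, hat)
    return (value, value)


def record_exec(profile_changes, pid, profile, hat, exec_target, exec_rules):
    """What the second hunk should do instead of storing a literal path: look
    the exec mode up in the profile's rules, store the derived value, and drop
    the pid when the task leaves confinement. Returns the stored value."""
    mode = exec_rules.get(exec_target)
    if mode is None:
        return None                 # not a known exec; leave it to the caller
    value = profile_after_exec(profile, hat, exec_target, mode)
    if value is None:
        profile_changes.pop(pid, None)
    else:
        profile_changes[pid] = value
    return value


if __name__ == '__main__':
    changes = {}
    p = EXAMPLE_PROFILE
    print(record_exec(changes, 4242, p, p, '/usr/bin/cat', EXAMPLE_EXEC_RULES))
    print(parse_tracked(changes, 4242))   # (parent profile, '/usr/bin/cat')
    print(parse_tracked(changes, 9999))   # (None, None): never recorded
```

Running the cx case reproduces the exact string the patch hardcodes, '/home/cb/linuxtag/apparmor/scripts/hello///usr/bin/cat', from the profile name, the target and the rule's mode, which is the generalisation the mail asks for.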