@jjohansen are the more restrictive file permissions intentional? I see quite a few apparmorfs permissions changes between xenial and upstream:
-static struct aa_fs_entry aa_fs_entry_apparmor[] = {
- AA_FS_FILE_FOPS(".access", 0666, &aa_fs_access),
- AA_FS_FILE_FOPS(".stacked", 0666, &aa_fs_stacked),
- AA_FS_FILE_FOPS(".ns_stacked", 0666, &aa_fs_ns_stacked),
- AA_FS_FILE_FOPS(".ns_level", 0666, &aa_fs_ns_level),
- AA_FS_FILE_FOPS(".ns_name", 0666, &aa_fs_ns_name),
- AA_FS_FILE_FOPS("profiles", 0444, &aa_fs_profiles_fops),
- AA_FS_DIR("features", aa_fs_entry_features),
+static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
+ AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access),
+ AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops),
+ AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops),
+ AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops),
+ AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops),
+ AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops),
+ AA_SFS_DIR("features", aa_sfs_entry_features),
 { }
 };
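Review bot: The `.ns_level` entry is the one row in the new table that keeps mode 0666, while its sibling `.stacked` and `.ns_stacked` rows drop to 0444 and `.ns_name` to 0640, so the table is internally inconsistent about which nodes unprivileged tasks may write. The handler is named `seq_ns_level_fops`, which suggests a read-only seq_file like the other `seq_ns_*` entries; if that is the case the write bits are dead and the row should read `AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops),` — worth confirming against the fops definition, which is outside this hunk. Since the mode column is what documents the intended exposure of each apparmorfs node, a short comment above the array stating the policy (for example `/* modes: only nodes with a write handler get write bits; profile data is group-readable only */`) would make future changes like this one reviewable without re-deriving the intent.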
@jjohansen are the more restrictive file permissions intentional? I see quite a few apparmorfs permissions changes between xenial and upstream:
-static struct aa_fs_entry aa_fs_entry_ apparmor[ ] = { FOPS(". access" , 0666, &aa_fs_access), FOPS(". stacked" , 0666, &aa_fs_stacked), FOPS(". ns_stacked" , 0666, &aa_fs_ns_stacked), FOPS(". ns_level" , 0666, &aa_fs_ns_level), FOPS(". ns_name" , 0666, &aa_fs_ns_name), FOPS("profiles" , 0444, &aa_fs_ profiles_ fops), "features" , aa_fs_entry_ features) , entry_apparmor[ ] = { FILE_FOPS( ".access" , 0640, &aa_sfs_access), FILE_FOPS( ".stacked" , 0444, &seq_ns_ stacked_ fops), FILE_FOPS( ".ns_stacked" , 0444, &seq_ns_ nsstacked_ fops), FILE_FOPS( ".ns_level" , 0666, &seq_ns_ level_fops) , FILE_FOPS( ".ns_name" , 0640, &seq_ns_name_fops), FILE_FOPS( "profiles" , 0440, &aa_sfs_ profiles_ fops), DIR("features" , aa_sfs_ entry_features) ,
- AA_FS_FILE_
- AA_FS_FILE_
- AA_FS_FILE_
- AA_FS_FILE_
- AA_FS_FILE_
- AA_FS_FILE_
- AA_FS_DIR(
+static struct aa_sfs_entry aa_sfs_
+ AA_SFS_
+ AA_SFS_
+ AA_SFS_
+ AA_SFS_
+ AA_SFS_
+ AA_SFS_
+ AA_SFS_
{ }
};