There were two bugs. First, trying to access /proc/self/attr/exec with O_CREAT | O_EXCL has no chance of working. Second, it turns out that the correct command to send is "exec", not "changeprofile". Of course, there was no way to know this until: commit 3eea57c26e49a5add4c053a031cc2a1977b7c48e Author: John Johansen <john.johansen@xxxxxxxxxxxxx> Date: Wed Feb 27 03:44:40 2013 -0800 apparmor: fix setprocattr arg processing for onexec Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx> --- I obviously never tested this particular flag very well. I take solace in the fact that all of my development machines use selinux, not apparmor. sys-utils/setpriv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c index a17f925..7bea626 100644 --- a/sys-utils/setpriv.c +++ b/sys-utils/setpriv.c @@ -538,12 +538,12 @@ static void do_apparmor_profile(const char *label) if (access(_PATH_SYS_APPARMOR, F_OK) != 0) errx(SETPRIV_EXIT_PRIVERR, _("AppArmor is not running")); - f = fopen(_PATH_PROC_ATTR_EXEC, "wx"); + f = fopen(_PATH_PROC_ATTR_EXEC, "r+"); if (!f) err(SETPRIV_EXIT_PRIVERR, _("cannot open %s"), _PATH_PROC_ATTR_EXEC); - fprintf(f, "changeprofile %s", label); + fprintf(f, "exec %s", label); if (close_stream(f) != 0) err(SETPRIV_EXIT_PRIVERR, -- 1.8.5.3
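Review bot: the `fprintf(f, "exec %s", label);` line in do_apparmor_profile() depends on kernel-side argument handling that the commit message ties to kernel commit 3eea57c26e49 ("apparmor: fix setprocattr arg processing for onexec"), but nothing in the code records that dependency. A short comment above the fprintf naming that commit would explain why the command is "exec" rather than "changeprofile" and would warn the next reader that kernels without it may reject or mishandle the write. The fopen mode change also deserves a one-line comment: the stream is only written, so "r+" is there to avoid the O_CREAT | O_EXCL that "wx" implies, not because anything is read back. Because this write selects the confinement applied at the next exec, it matters that a rejected write cannot pass silently. The `close_stream(f) != 0` check in the trailing context covers that, so it should stay directly after the fprintf if this function is touched again.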