From 04c2a696999b678670dfdd5f543f00a5500510ed Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Thu, 17 Dec 2015 23:47:08 +0100
Subject: [PATCH] Write unix rules when saving a profile

r2637 added support for parsing unix rules, but forgot to add write support. The result was that a profile lost its unix rules when it was saved.

This patch adds the write_unix_rules() and write_unix() functions (based on the write_pivot_root() and write_pivot_root_rules() functions) and makes sure they get called at the right place.

The cleanprof testcase gets an unix rule added to ensure it's not deleted when writing the profile.

(Note that minitools_test.py is not part of the default "make check", however I always run it.)

References: https://bugs.launchpad.net/apparmor/+bug/1522938
https://bugzilla.opensuse.org/show_bug.cgi?id=954104

Acked-by: Tyler Hicks for trunk, 2.10 and 2.9.
---
 utils/apparmor/aa.py | 22 ++++++++++++++++++++++
 utils/test/cleanprof_test.in | 2 ++
 utils/test/cleanprof_test.out | 2 ++
 3 files changed, 26 insertions(+)

diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index be9e58202..e336f55d4 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -3368,6 +3368,24 @@ def write_pivot_root(prof_data, depth):
 data += write_pivot_root_rules(prof_data, depth, 'allow')
 return data
 
+def write_unix_rules(prof_data, depth, allow):
+ pre = ' ' * depth
+ data = []
+
+ # no unix rules, so return
+ if not prof_data[allow].get('unix', False):
+ return data
+
+ for unix_rule in prof_data[allow]['unix']:
+ data.append('%s%s' % (pre, unix_rule.serialize()))
+ data.append('')
+ return data
+
+def write_unix(prof_data, depth):
+ data = write_unix_rules(prof_data, depth, 'deny')
+ data += write_unix_rules(prof_data, depth, 'allow')
+ return data
+
 def write_link_rules(prof_data, depth, allow):
 pre = ' ' * depth
 data = []
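Review bot: `write_unix_rules` is another near-verbatim copy of the `write_<type>_rules` shape (the `write_pivot_root_rules` it is modelled on sits just above this hunk, `write_link_rules` just below), differing only in the `'unix'` key, and the root cause this commit repairs — a rule type gaining a parser while its writer is forgotten — is exactly what such per-type copies invite; a single generic helper taking the rule-type key, which all the thin `write_<type>` wrappers call, would remove the duplication and leave one place to extend. The guard `if not prof_data[allow].get('unix', False):` relies on the ruleset object being falsy when it holds no rules; if that container lacks `__len__`/`__bool__`, an empty ruleset would still reach `data.append('')` and emit a stray blank line in the saved profile, so this is worth confirming against the ruleset class. Both new functions are undocumented; a one-liner such as `"""Return prof_data[allow]['unix'] serialized as indented profile lines, followed by one blank separator line (empty list when no unix rules exist)."""` on `write_unix_rules`, and `"""Return the deny unix rules followed by the allow unix rules, as lines."""` on `write_unix`, would state the contract the callers in `write_rules` depend on.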
@@ -3479,6 +3497,7 @@ def write_rules(prof_data, depth):
 data += write_signal(prof_data, depth)
 data += write_ptrace(prof_data, depth)
 data += write_pivot_root(prof_data, depth)
+ data += write_unix(prof_data, depth)
 data += write_links(prof_data, depth)
 data += write_paths(prof_data, depth)
 data += write_change_profile(prof_data, depth)
@@ -3635,6 +3654,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
 'signal': write_signal,
 'ptrace': write_ptrace,
 'pivot_root': write_pivot_root,
+ 'unix': write_unix,
 'link': write_links,
 'path': write_paths,
 'change_profile': write_change_profile,
@@ -3650,6 +3670,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
 'signal',
 'ptrace',
 'pivot_root',
+ 'unix',
 'link',
 'path',
 'change_profile',
@@ -3666,6 +3687,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
 'signal': True, # not handled otherwise yet
 'ptrace': True, # not handled otherwise yet
 'pivot_root': True, # not handled otherwise yet
+ 'unix': True, # not handled otherwise yet
 'link': False,
 'path': False,
 'change_profile': False,
diff --git a/utils/test/cleanprof_test.in b/utils/test/cleanprof_test.in
index 6fd88b6bb..8822b88f1 100644
--- a/utils/test/cleanprof_test.in
+++ b/utils/test/cleanprof_test.in
@@ -8,6 +8,8 @@
 allow /usr/share/X11/locale/** r,
 allow /home/*/** r,
 
+ unix (receive) type=dgram,
+
 ^foo {
 /etc/fstab r,
 capability dac_override,
diff --git a/utils/test/cleanprof_test.out b/utils/test/cleanprof_test.out
index 9238ab171..c20f6ff4d 100644
--- a/utils/test/cleanprof_test.out
+++ b/utils/test/cleanprof_test.out
@@ -6,6 +6,8 @@
 /usr/bin/a/simple/cleanprof/test/profile {
 #include
 
+ unix (receive) type=dgram,
+
 /home/*/** r,
 /home/foo/** w,
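Review bot: The `'unix'` entry has to be added to three parallel structures inside `serialize_profile_from_old_profile` — the writer dict in the `@@ -3635` hunk, the ordered type list in the `@@ -3650` hunk and the `True`/`False` flag dict in the `@@ -3666` hunk — plus a fourth place, the call sequence in `write_rules` (`@@ -3479` hunk), and nothing ties them together, which is how the r2637 omission this commit repairs went unnoticed until a saved profile lost rules. One ordered list of per-type records, or a single dict whose keys drive both the write order and the flags, would let a missing type be caught by iteration, or at least by an assertion that the writer dict's keys match the ordered list before any profile is written. The copied placeholder `# not handled otherwise yet` on the new entry says nothing about what `True` means; if, as the neighbouring entries suggest, it marks rule types that are emitted wholesale by their writer rather than merged into the old profile text line by line, a comment stating that would be more useful: `'unix': True,  # written as a block by write_unix, not merged line-by-line`. The enclosing function starts and ends outside these hunks.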