mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-04 08:15:21 +00:00
Code Issues Releases Wiki Activity

From: Jeff Mahoney <jeffm@suse.com>

Browse Source 
Subject: perl-apparmor: Properly handle bare 'file' keyword
References: bnc#889652

The bare file keyword is a shortcut for /{**,}. There are also implied
permissions that go with it.

This patch accepts the file keyword as well as allowing for missing mode
specifiers.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>

Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
Christian Boltz
2014-08-02 12:46:15 +02:00
parent c7f7b8d7e0
commit 265270b83c
1 changed files with 24 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
deprecated/utils/Immunix/AppArmor.pm
View File

@@ -5251,7 +5251,7 @@ sub parse_profile_data($$$) {
} elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean } elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean
} elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined } elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined
} elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined } elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined
} elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry
if (not $profile) { if (not $profile) {
die sprintf(gettext('%s contains syntax errors.'), $file) . "\n"; die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
} }
@@ -5259,7 +5259,19 @@ sub parse_profile_data($$$) {
my $audit = $1 ? 1 : 0; my $audit = $1 ? 1 : 0;
my $allow = $2 ? 'deny' : 'allow'; my $allow = $2 ? 'deny' : 'allow';
my $user = $3 ? 1 : 0; my $user = $3 ? 1 : 0;
my ($path, $mode, $nt_name) = ($4, $5, $7); my ($path, $mode, $nt_name) = ($5, $6, $8);
my $file_keyword = 0;
my $use_mode = 1;
if ($4 eq "file") {
$path = "/{**,}";
$file_keyword = 1;
if (!$mode) {
# what the parser uses, but we don't care
$mode = "rwixlka";
$use_mode = 0;
}
}
# strip off any trailing spaces. # strip off any trailing spaces.
$path =~ s/\s+$//; $path =~ s/\s+$//;
@@ -5280,6 +5292,9 @@ sub parse_profile_data($$$) {
fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode)); fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode));
} }
$profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = $use_mode;
$profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if $file_keyword;
my $tmpmode; my $tmpmode;
if ($user) { if ($user) {
$tmpmode = str_to_mode("${mode}::"); $tmpmode = str_to_mode("${mode}::");
@@ -5845,7 +5860,13 @@ sub writepath_rules ($$$) {
} }
$tmpmode &= ~$tmpaudit; $tmpmode &= ~$tmpaudit;
} }
if ($tmpmode) { my $kw = $profile_data->{$allow}{path}{$path}{file_keyword};
my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode};
if ($kw) {
my $modestr = "";
$modestr = " " . mode_to_str($tmpmode) if $use_mode;
push @data, "${pre}${allowstr}${ownerstr}file${modestr}${tail},";
} elsif ($tmpmode) {
my $modestr = mode_to_str($tmpmode); my $modestr = mode_to_str($tmpmode);
if ($path =~ /\s/) { if ($path =~ /\s/) {
push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},"; push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";