This (updated) patch to trunk adds support for Px and Ux (toggle
bprm_secure on exec) in the parser. As requested, lowercase p and u
correspond to an unfiltered environment on exec; uppercase will filter
the environment.  It applies after the 'm' patch.

As a side effect, I tried to reduce the use of hardcoded characters in
the debugging statements -- there are still a few warnings that have
hard coded letters in them; not sure I can fix them all.

This version issues a warning for every unsafe ux and issues a single
warning for the first 'R', 'W', 'X', 'L', and 'I' it encounters,
except when the "-q" or "--quiet" flag , "--remove" profile flag, or
"-N" report names flags are passed.  Unfortunately, it made the logic
somewhat more convoluted.  Wordsmithing improvements welcome.
This commit is contained in:
John Johansen
2006-08-04 17:14:49 +00:00
parent cafbfe7cd3
commit 3cb147e25c
7 changed files with 132 additions and 38 deletions


@@ -22,6 +22,7 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdarg.h>
#include <getopt.h>
#include <errno.h>
#include <fcntl.h>
@@ -55,13 +56,16 @@ const char *parser_title = "Novell/SUSE AppArmor parser";
const char *parser_copyright = "Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006 Novell Inc.";
char *progname;
int option = OPTION_ADD;
int force_complain = 0;
int names_only = 0;
int dump_vars = 0;
int dump_expanded_vars = 0;
int conf_quiet = 0;
char *subdomainbase = NULL;
char *profilename;
char *match_string = NULL;
extern int current_lineno;
struct option long_options[] = {
{"add", 0, 0, 'a'},
@@ -81,6 +85,7 @@ struct option long_options[] = {
{"names", 0, 0, 'N'}, /* undocumented only emit profilenames */
{"stdout", 0, 0, 'S'},
{"match-string", 1, 0, 'm'},
{"quiet", 0, 0, 'q'},
{NULL, 0, 0, 0},
};
@@ -110,16 +115,38 @@ static void display_usage(char *command)
"-b n, --base n Set base dir and cwd\n"
"-f n, --subdomainfs n Set location of apparmor filesystem\n"
"-S, --stdout Write output to stdout\n"
"-m n, --match-string n Use only match features n\n", command);
"-m n, --match-string n Use only match features n\n"
"-q, --quiet Don't emit warnings\n", command);
}
void pwarn(char *fmt, ...)
{
va_list arg;
char *newfmt;
int rc;
if (conf_quiet || names_only || option == OPTION_REMOVE)
return;
rc = asprintf(&newfmt, "Warning (%s line %d): %s",
profilename ? profilename : "stdin",
current_lineno,
fmt);
if (!newfmt)
return;
va_start(arg, fmt);
vfprintf(stderr, newfmt, arg);
va_end(arg);
}
static int process_args(int argc, char *argv[])
{
int c, o;
int option = OPTION_ADD;
int count = 0;
option = OPTION_ADD;
while ((c = getopt_long(argc, argv, "adf:hrRvpI:b:CNSm:", long_options, &o)) != -1)
while ((c = getopt_long(argc, argv, "adf:hrRvpI:b:CNSm:q", long_options, &o)) != -1)
{
switch (c) {
case 0:
@@ -182,6 +209,9 @@ static int process_args(int argc, char *argv[])
case 'm':
match_string = strdup(optarg);
break;
case 'q':
conf_quiet = 1;
break;
default:
display_usage(progname);
exit(0);
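Review bot: In the `@@ -110,16 +115,38 @@` hunk, pwarn() builds its prefix with asprintf() and then passes the result to vfprintf() as the format string, so any `%` in profilename (a path taken from the command line) is interpreted as a conversion directive and vfprintf() consumes va_list arguments that were never passed, which is undefined behaviour. The failure check is also unreliable: `rc` is computed and never used, and glibc leaves `*strp` undefined when asprintf() fails, so `if (rc < 0) return;` is the test that is actually guaranteed to work, and newfmt is never freed, leaking one allocation per warning. Printing the prefix with a fixed format and then the caller's fmt with vfprintf() produces the same output and removes the format-string hazard, the leak and the allocation altogether. The declaration of pwarn() lives outside this hunk (presumably a header); adding `__attribute__((format(printf, 1, 2)))` there would let the compiler check callers' format/argument pairs.

```c
void pwarn(char *fmt, ...)
{
	va_list arg;

	if (conf_quiet || names_only || option == OPTION_REMOVE)
		return;

	/* Emit the prefix with a fixed format so profilename can never
	 * become part of a format string; nothing is allocated. */
	fprintf(stderr, "Warning (%s line %d): ",
		profilename ? profilename : "stdin", current_lineno);
	va_start(arg, fmt);
	vfprintf(stderr, fmt, arg);
	va_end(arg);
}
```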