parser: fix compilation failure of deny link rules

BugLink: http://bugs.launchpad.net/bugs/1433829 The apparmor_parser fails to compile deny rules with only link permissions. Eg. deny /f l, deny l /f, deny link /f -> /d, Will all fail to compile with the following assert apparmor_parser: aare_rules.cc:99: Node* convert_file_perms(int, uint32_t, uint32_t, bool): Assertion `perms != 0' failed. NOTE: this is a minimal patch a bigger patch that cleans-up and separates and reorganizes file, link, exec, and change_profile rules is needed Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2025-08-31 14:25:52 +00:00 · 2015-03-23 11:25:48 -07:00
parent 727f3948ec
commit 80285dfafb
3 changed files with 25 additions and 2 deletions
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -522,9 +522,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	 * out by a deny rule, as both pieces of the link pair must
 	 * match.  audit info for the link is carried on the second
 	 * entry of the pair
+	 *
+	 * So if a deny rule only record it if there are permissions other
+	 * than link in the entry.
+	 * TODO: split link and change_profile entries earlier
 	 */
-	if (entry->deny && (entry->mode & AA_LINK_BITS)) {
-		if (!dfarules->add_rule(tbuf.c_str(), entry->deny,
+	if (entry->deny) {
+		if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) &&
+		    !dfarules->add_rule(tbuf.c_str(), entry->deny,
 					entry->mode & ~AA_LINK_BITS,
 					entry->audit & ~AA_LINK_BITS, dfaflags))
 			return FALSE;