Preserve 'hat' keyword in ProfileStorage

... instead of always writing hats as '^hat'. When writing a profile, prepending '^' or 'hat' to a hat name moves from aa.py write_piece() to ProfileStorage.get_header(). Also extend cleanprof_test.* with 'hat bar {...}'.
2025-08-31 14:25:52 +00:00 · 2021-05-23 18:19:28 +02:00
parent 6f15bea74c
commit 97aece024a
5 changed files with 26 additions and 5 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -2096,9 +2096,6 @@ def write_piece(profile_data, depth, name, nhat, write_flags):
            if not profile_data[hat]['external']:
                data.append('')

-                if profile_data[hat]['is_hat']:
-                    only_hat = '^%s' % only_hat
-
                data += profile_data[hat].get_header(depth + 1, only_hat, True, write_flags)

                data += profile_data[hat].get_rules_clean(depth + 2)
--- a/utils/apparmor/profile_storage.py
+++ b/utils/apparmor/profile_storage.py
@@ -74,6 +74,7 @@ class ProfileStorage:
        data['initial_comment']  = ''
        data['profile_keyword']  = False  # currently only set by change_profile_flags()
        data['is_hat']           = False  # profile or hat?
+        data['hat_keyword']      = False  # True for 'hat foo', False for '^foo'

        data['allow'] = dict()
        data['deny'] = dict()
@@ -146,7 +147,12 @@ class ProfileStorage:
        if self.data['header_comment']:
            comment = ' %s' % self.data['header_comment']

-        if (not embedded_hat and not unquoted_name.startswith('/')) or (embedded_hat and not unquoted_name.startswith('^')) or self.data['attachment'] or self.data['profile_keyword']:
+        if self.data['is_hat']:
+            if self.data['hat_keyword']:
+                name = 'hat %s' % name
+            else:
+                name = '^%s' % name
+        elif (not embedded_hat and not unquoted_name.startswith('/')) or (embedded_hat and not unquoted_name.startswith('^')) or self.data['attachment'] or self.data['profile_keyword']:
            name = 'profile %s%s' % (name, attachment)

        xattrs = ''
@@ -237,7 +243,9 @@ class ProfileStorage:
        prof_storage['flags'] = matches['flags']
        prof_storage['is_hat'] = matches['is_hat']

-        if not matches['is_hat']:
+        if matches['is_hat']:
+            prof_storage['hat_keyword'] = matches['hat_keyword']
+        else:
            prof_storage['attachment'] = matches['attachment'] or ''
            prof_storage['xattrs'] = matches['xattrs']

--- a/utils/apparmor/regex.py
+++ b/utils/apparmor/regex.py
@@ -143,6 +143,10 @@ def parse_profile_start_line(line, filename):
    if result.get('hat'):
        result['is_hat'] = True
        result['profile'] = result['hat']
+        if result['hat_keyword'] == '^':
+            result['hat_keyword'] = False
+        else:
+            result['hat_keyword'] = True
        result['profile_keyword'] = True
    elif result['plainprofile']:
        result['profile'] = result['plainprofile']
--- a/utils/test/cleanprof_test.in
+++ b/utils/test/cleanprof_test.in
@@ -68,6 +68,11 @@ $foo = false

 	mount options=(rw,suid) /c -> /3,

+    hat bar {
+        /etc/passwd r,
+        capability sys_admin,
+        }
+
 	pivot_root oldroot=/mnt/root/old/,

 	deny    owner       link       /some/thing    ->     /foo/bar    ,
--- a/utils/test/cleanprof_test.out
+++ b/utils/test/cleanprof_test.out
@@ -46,6 +46,13 @@ $bar = true
  change_profile,


+  hat bar {
+    capability sys_admin,
+
+    /etc/passwd r,
+
+  }
+
  ^foo {
    capability dac_override,