Preserve 'hat' keyword in ProfileStorage
... instead of always writing hats as '^hat'. When writing a profile, prepending '^' or 'hat' to a hat name moves from aa.py write_piece() to ProfileStorage.get_header(). Also extend cleanprof_test.* with 'hat bar {...}'.
@@ -2096,9 +2096,6 @@ def write_piece(profile_data, depth, name, nhat, write_flags):
|
||||
if not profile_data[hat]['external']:
|
||||
data.append('')
|
||||
|
||||
if profile_data[hat]['is_hat']:
|
||||
only_hat = '^%s' % only_hat
|
||||
|
||||
data += profile_data[hat].get_header(depth + 1, only_hat, True, write_flags)
|
||||
|
||||
data += profile_data[hat].get_rules_clean(depth + 2)
|
||||
|
@@ -74,6 +74,7 @@ class ProfileStorage:
|
||||
data['initial_comment'] = ''
|
||||
data['profile_keyword'] = False # currently only set by change_profile_flags()
|
||||
data['is_hat'] = False # profile or hat?
|
||||
data['hat_keyword'] = False # True for 'hat foo', False for '^foo'
|
||||
|
||||
data['allow'] = dict()
|
||||
data['deny'] = dict()
|
||||
@@ -146,7 +147,12 @@ class ProfileStorage:
|
||||
if self.data['header_comment']:
|
||||
comment = ' %s' % self.data['header_comment']
|
||||
|
||||
if (not embedded_hat and not unquoted_name.startswith('/')) or (embedded_hat and not unquoted_name.startswith('^')) or self.data['attachment'] or self.data['profile_keyword']:
|
||||
if self.data['is_hat']:
|
||||
if self.data['hat_keyword']:
|
||||
name = 'hat %s' % name
|
||||
else:
|
||||
name = '^%s' % name
|
||||
elif (not embedded_hat and not unquoted_name.startswith('/')) or (embedded_hat and not unquoted_name.startswith('^')) or self.data['attachment'] or self.data['profile_keyword']:
|
||||
name = 'profile %s%s' % (name, attachment)
|
||||
|
||||
xattrs = ''
|
||||
@@ -237,7 +243,9 @@ class ProfileStorage:
|
||||
prof_storage['flags'] = matches['flags']
|
||||
prof_storage['is_hat'] = matches['is_hat']
|
||||
|
||||
if not matches['is_hat']:
|
||||
if matches['is_hat']:
|
||||
prof_storage['hat_keyword'] = matches['hat_keyword']
|
||||
else:
|
||||
prof_storage['attachment'] = matches['attachment'] or ''
|
||||
prof_storage['xattrs'] = matches['xattrs']
|
||||
|
||||
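Review bot: In the get_header() hunk, the `elif` still carries `(embedded_hat and not unquoted_name.startswith('^'))`, a test that dates from when write_piece() passed hat names already prefixed with `^`. With hats now caught by the `is_hat` branch above it, that sub-condition appears to reduce to `embedded_hat` (assuming no other caller still passes a `^`-prefixed name), so it is worth simplifying it or adding a comment such as `# hats are handled above; a '^' prefix here would only come from a legacy caller`. Because this method decides whether a block is written back as a hat or as a child profile, a unit test pinning the header for `hat_keyword` True and False would guard against a policy being rewritten with the wrong block type; the lines shown only extend the cleanprof fixtures. get_header() begins before and continues after the hunk.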
|
@@ -143,6 +143,10 @@ def parse_profile_start_line(line, filename):
|
||||
if result.get('hat'):
|
||||
result['is_hat'] = True
|
||||
result['profile'] = result['hat']
|
||||
if result['hat_keyword'] == '^':
|
||||
result['hat_keyword'] = False
|
||||
else:
|
||||
result['hat_keyword'] = True
|
||||
result['profile_keyword'] = True
|
||||
elif result['plainprofile']:
|
||||
result['profile'] = result['plainprofile']
|
||||
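Review bot: `result['hat_keyword']` is normalised to a bool only inside the `if result.get('hat'):` branch, so for a non-hat start line the key presumably keeps whatever the regex group matched (the regex is outside the hunk). Setting `result['hat_keyword'] = False` in the other branches would give callers a single type to rely on. The four added lines can also be written as `result['hat_keyword'] = result['hat_keyword'] != '^'`, which makes it plain that any value other than `^` is treated as the `hat` keyword. parse_profile_start_line() starts and ends outside the hunk.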
|
@@ -68,6 +68,11 @@ $foo = false
|
||||
|
||||
mount options=(rw,suid) /c -> /3,
|
||||
|
||||
hat bar {
|
||||
/etc/passwd r,
|
||||
capability sys_admin,
|
||||
}
|
||||
|
||||
pivot_root oldroot=/mnt/root/old/,
|
||||
|
||||
deny owner link /some/thing -> /foo/bar ,
|
||||
|
@@ -46,6 +46,13 @@ $bar = true
|
||||
change_profile,
|
||||
|
||||
|
||||
hat bar {
|
||||
capability sys_admin,
|
||||
|
||||
/etc/passwd r,
|
||||
|
||||
}
|
||||
|
||||
^foo {
|
||||
capability dac_override,
|
||||
|
||||
|