From b0b2bde16013d6efea7b18516ce99d110e407752 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Fri, 9 Mar 2012 04:23:25 -0800
Subject: [PATCH] Fix permissions attached to the bare file keyword file, was not given the correct permissions. It was only being given the owner set of permissions. This would result in rejects when trying look at files owned by other users
Signed-off-by: John Johansen
Acked-By: Steve Beattie
---
 parser/parser_yacc.y | 8 +++++---
 tests/regression/apparmor/mkprofile.pl | 9 ++++++---
 tests/regression/apparmor/open.sh | 12 ++++++++++++
 3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 0442016e8..86bf293a2 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -964,11 +964,13 @@ frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
 file_rule: TOK_FILE TOK_END_OF_RULE
 {
 char *path = strdup("/**");
+ int perms = ((AA_BASE_PERMS & ~AA_EXEC_TYPE) |
+ (AA_EXEC_INHERIT | AA_MAY_EXEC));
+ /* duplicate to other permission set */
+ perms |= perms << AA_OTHER_SHIFT;
 if (!path)
 yyerror(_("Memory allocation error."));
- $$ = do_file_rule(NULL, path, ((AA_BASE_PERMS & ~AA_EXEC_TYPE) |
- (AA_EXEC_INHERIT | AA_MAY_EXEC)),
- NULL, NULL);
+ $$ = do_file_rule(NULL, path, perms, NULL, NULL);
 }
 | opt_file file_rule_tail { $$ = $2; }
diff --git a/tests/regression/apparmor/mkprofile.pl b/tests/regression/apparmor/mkprofile.pl
index 9d7e8b5b6..f21b7d06e 100755
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -164,9 +164,10 @@ sub gen_file($) {
 my $rule = shift;
 my @rules = split (/:/, $rule);
 # default: file rules
- if (@rules != 2) {
- (!$nowarn) && print STDERR "Warning: invalid file access '$rule', ignored\n";
- } else {
+ if (@rules == 1) {
+ # support raw rules
+ push (@{$output_rules{$hat}}, " $rules[0],\n");
+ } elsif (@rules == 2) {
 if ($escape) {
 $rules[0]=~ s/(["[\]{}\\\:\#])/\\$1/g;
 $rules[0]=~ s/(\#)/\\043/g;
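Review bot: The comment above `perms |= perms << AA_OTHER_SHIFT;` says what the line does but not why, and the commit message is the only place recording that the bare `file` keyword previously granted the owner set alone; I would make it `/* bare 'file' must grant the same access to files owned by others, not only the owner's, so mirror the owner bits into the other set */`. The mask is also assembled inline here; if the same `AA_BASE_PERMS`/`AA_EXEC_INHERIT` combination is built elsewhere in the grammar, a shared named constant or helper would keep the two in step, but I cannot see that from this hunk. Computing `perms` before the `if (!path)` check is harmless, assuming `yyerror` does not return.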
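Review bot: The new `@rules == 1` branch writes `$rules[0]` into the profile verbatim, so any spec without a `:perms` part — a mistyped `/path` as much as the intended bare `file` keyword — now becomes a raw rule instead of triggering the warning, and the mistake only surfaces later as a parser error. It also bypasses the `$escape` handling that the two-element branch applies; if that is deliberate for raw rules the comment should say so, e.g. `# raw rules (such as the bare 'file' keyword) are emitted unescaped, exactly as given`. A narrow guard such as `if (@rules == 1 && $rules[0] =~ /\A\w+\z/) {` would keep raw-keyword support while still warning on a stray path with no permissions. Because `split` drops trailing empty fields, `file:` lands in this branch as well. gen_file continues past this hunk.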
@@ -176,6 +177,8 @@ sub gen_file($) {
 } else {
 push (@{$output_rules{$hat}}, " $rules[0] $rules[1],\n");
 }
+ } else {
+ (!$nowarn) && print STDERR "Warning: invalid file access '$rule', ignored\n";
 }
 }
diff --git a/tests/regression/apparmor/open.sh b/tests/regression/apparmor/open.sh
index c4c9dccb1..0c8b0c2a6 100755
--- a/tests/regression/apparmor/open.sh
+++ b/tests/regression/apparmor/open.sh
@@ -54,3 +54,15 @@ runchecktest "OPEN R+dac_override" fail $file
 rm -f ${file}
 genprofile $file:$badperm2
 runchecktest "OPEN W (create)" fail $file
+
+# This is a test where using just a raw 'file,' rule allowing all file
+# access
+genprofile file
+runchecktest "OPEN 'file' RW" pass $file
+
+# this test is to make sure the raw 'file' rule allows access to things
+# that are not covered by the owner rule
+chown nobody $file
+chmod 666 $file
+genprofile file
+runchecktest "OPEN 'file' RW" pass $file
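Review bot: The relocated warning keeps the `(!$nowarn) && print STDERR ...` form, which uses `&&` for control flow in statement position; it reads more clearly as `print STDERR "Warning: invalid file access '$rule', ignored\n" unless $nowarn;`. The enclosing gen_file starts before this hunk.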
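Review bot: Both new cases are registered under the same name `"OPEN 'file' RW"`, so a failure of the other-owner variant cannot be told apart from the owner variant in the test output; the second should be distinct, e.g. `runchecktest "OPEN 'file' RW (owned by other user)" pass $file`. The `chown nobody $file` and `chmod 666 $file` calls are unchecked, and the preceding create test removed `${file}`, so unless the first new run recreates it the chown fails silently and the second case ends up exercising the same condition as the first — I cannot tell from this hunk what runchecktest does with a missing file, so a `|| exit 1` style check after the chown would make the precondition explicit. `$file` is also unquoted, which only matters if it can contain whitespace.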