From f7e6f795c30e18556138ca7dad6bb491e5db5274 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Fri, 25 Dec 2020 17:55:15 +0100
Subject: [PATCH] parse_profile_data(): Use BooleanRule ... and save rules at the right place (ProfileList) where they actually get written when writing the profile. This is also a bugfix - the previous code saved boolean variables at a wrong place, and they were silently lost when writing the profile. Extend cleanprof_test.{in,out} to ensure that this doesn't break again. Also remove boolean_bad_[2-4] from the test-parser-simple-tests.py exception_not_raised list because these test profiles now get correctly detected as invalid.
---
 utils/apparmor/aa.py | 14 +++++---------
 utils/test/cleanprof_test.in | 4 ++++
 utils/test/cleanprof_test.out | 3 +++
 utils/test/test-parser-simple-tests.py | 3 ---
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 4cbc46350..d2d8fb9ee 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -38,7 +38,7 @@ from apparmor.common import (AppArmorException, AppArmorBug, is_skippable_file,
 import apparmor.ui as aaui
 from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END,
- RE_PROFILE_BOOLEAN, RE_PROFILE_CONDITIONAL,
+ RE_PROFILE_CONDITIONAL,
 RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN, RE_PROFILE_CHANGE_HAT, RE_PROFILE_HAT_DEF, RE_PROFILE_MOUNT,
@@ -54,6 +54,7 @@ import apparmor.rules as aarules
 from apparmor.rule.abi import AbiRule
 from apparmor.rule.alias import AliasRule
+from apparmor.rule.boolean import BooleanRule
 from apparmor.rule.capability import CapabilityRule
 from apparmor.rule.change_profile import ChangeProfileRule
 from apparmor.rule.dbus import DbusRule
@@ -1903,17 +1904,12 @@ def parse_profile_data(data, file, do_include):
 profile_data[profile][hat]['rlimit'].add(RlimitRule.parse(line))
- elif RE_PROFILE_BOOLEAN.search(line):
- matches = RE_PROFILE_BOOLEAN.search(line).groups()
-
+ elif BooleanRule.match(line):
 if profile and not do_include: raise AppArmorException(_('Syntax Error: Unexpected boolean definition found inside profile in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
-
- bool_var = matches[0]
- value = matches[1]
-
- profile_data[profile][hat]['lvar'][bool_var] = value
+ else:
+ active_profiles.add_boolean(file, BooleanRule.parse(line))
 elif VariableRule.match(line):
 if profile and not do_include:
diff --git a/utils/test/cleanprof_test.in b/utils/test/cleanprof_test.in
index 85d1c62b7..b6792c20a 100644
--- a/utils/test/cleanprof_test.in
+++ b/utils/test/cleanprof_test.in
@@ -14,6 +14,10 @@
 @{asdf} = foo ""
+$foo = false
+
+ $bar = true
+
 /usr/bin/a/simple/cleanprof/test/profile { # Just for the heck of it, this comment won't see the day of light #include
diff --git a/utils/test/cleanprof_test.out b/utils/test/cleanprof_test.out
index dfe251e1f..dea332bc5 100644
--- a/utils/test/cleanprof_test.out
+++ b/utils/test/cleanprof_test.out
@@ -8,6 +8,9 @@ include if exists
 @{xy} = x y
 @{asdf} = "" foo
+$foo = false
+$bar = true
+
 # A simple test comment which will persist
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 0b04a5d35..559d2ee6f 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -176,9 +176,6 @@ exception_not_raised = [
 'unix/bad_attr_5.sd',
 'unix/bad_opt_5.sd',
 'unix/bad_shutdown_3.sd',
- 'vars/boolean/boolean_bad_2.sd',
- 'vars/boolean/boolean_bad_3.sd',
- 'vars/boolean/boolean_bad_4.sd',
 'vars/vars_bad_3.sd',
 'vars/vars_bad_4.sd',
 'vars/vars_bad_5.sd',
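Review bot: In the `BooleanRule.match(line)` branch of parse_profile_data, the new `else:` arm stores the rule with `active_profiles.add_boolean(file, BooleanRule.parse(line))` while the rlimit branch just above still fills `profile_data`, and no comment says why the two differ. I would add `# booleans belong to the file preamble: store them in the ProfileList, which is what gets written back` above that call, because a boolean dropped on rewrite changes which conditional rules the saved policy contains. `active_profiles` is neither a parameter nor assigned in the visible lines, so it appears to be shared state (inferred; its definition is outside the hunk), and it is worth confirming that an AppArmorException raised later in the same file does not leave a partly loaded preamble registered. The function body starts and ends outside the hunk.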