[apparmor] [patch] fix aa-logprof rewrite of PUx modes.
Steve Beattie
steve at nxnw.org
Tue Apr 24 16:02:59 UTC 2012
Subject: fix aa-logprof rewrite of PUx modes.
When writing out a profile, aa-logprof incorrectly converts PUx execute
permission modes to the syntactically invalid UPx mode, because the
function that converts the internal representation of permissions to
a string emits the U(nconfined) mode bit before the P bit.
This patch corrects this by reordering the way the exec permissions
are emitted, so that P and C modes come before U and i. Based on
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
this should emit the modes correctly in all combined exec modes.
Other approaches to fixing this would require adjusting the data
structure that contains the permission modes, resulting in a more
invasive patch.
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/982619
---
utils/Immunix/AppArmor.pm | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
Index: b/utils/Immunix/AppArmor.pm
===================================================================
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -4814,13 +4814,9 @@ sub sub_mode_to_str($) {
$str .= "a" if ($mode & $AA_MAY_APPEND);
$str .= "l" if ($mode & $AA_MAY_LINK);
$str .= "k" if ($mode & $AA_MAY_LOCK);
- if ($mode & $AA_EXEC_UNCONFINED) {
- if ($mode & $AA_EXEC_UNSAFE) {
- $str .= "u";
- } else {
- $str .= "U";
- }
- }
+
+ # modes P and C *must* come before I and U; otherwise syntactically
+ # invalid profiles result
if ($mode & ($AA_EXEC_PROFILE | $AA_EXEC_NT)) {
if ($mode & $AA_EXEC_UNSAFE) {
$str .= "p";
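Review bot: the comment added here before the P/C block ("modes P and C *must* come before I and U; otherwise syntactically invalid profiles result") is repeated verbatim in the second hunk in front of the relocated U block; one copy is enough, and the natural home is the U block that actually moved. The blank line inserted above the comment can go with it, leaving this hunk as a pure removal of the old U emission.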
@@ -4835,7 +4831,18 @@ sub sub_mode_to_str($) {
$str .= "C";
}
}
+
+ # modes P and C *must* come before I and U; otherwise syntactically
+ # invalid profiles result
+ if ($mode & $AA_EXEC_UNCONFINED) {
+ if ($mode & $AA_EXEC_UNSAFE) {
+ $str .= "u";
+ } else {
+ $str .= "U";
+ }
+ }
$str .= "i" if ($mode & $AA_EXEC_INHERIT);
+
$str .= "x" if ($mode & $AA_MAY_EXEC);
return $str;
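Review bot: the relocated block still appends "i" unconditionally after "U", so a mode with both $AA_EXEC_UNCONFINED and $AA_EXEC_INHERIT set would render as "Uix", a combination the P/C-before-U-and-i ordering argument in the commit message does not cover. If the log parser can never set both bits this is harmless, but a small unit test that pushes each combined mode (Pix, PUx, Cix, CUx and their lower-case forms) through sub_mode_to_str and compares the result against the expected literal would pin the ordering and catch a regression. Separately, the blank line added between the `$str .= "i"` and `$str .= "x"` appends splits two lines of the same exec-mode sequence; suggest dropping it.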
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
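As an added example (Python, not the project's Perl code and not part of this patch), the ordering the commit message describes is re-implemented in both its pre-patch and patched form, together with a check of each emitted exec mode against the set of spellings the AppArmor policy reference accepts, and a line checker that flags a rule such as `UPx` in a profile written out by aa-logprof. The bit constants, the per-mode case table and the rule-line regex are constructed for this example; the valid-mode set is taken from the policy reference and assumed to be complete.

```python
"""Exec-mode emission for AppArmor file rules, with a validity check.

Added example (Python, not the project's Perl): re-implements the
ordering logic of sub_mode_to_str before and after the patch and checks
each emitted exec mode against the documented set of valid spellings.
"""
import re

# Constructed bit values for this example; the project's own constants
# ($AA_MAY_EXEC, $AA_EXEC_UNCONFINED, ...) are not reproduced here.
MAY_EXEC        = 1 << 0
MAY_WRITE       = 1 << 1
MAY_READ        = 1 << 2
MAY_APPEND      = 1 << 3
MAY_LINK        = 1 << 4
MAY_LOCK        = 1 << 5
EXEC_MMAP       = 1 << 6
EXEC_UNCONFINED = 1 << 7   # u / U
EXEC_PROFILE    = 1 << 8   # p / P
EXEC_NT         = 1 << 9   # named (child) transition, c / C
EXEC_INHERIT    = 1 << 10  # i
EXEC_UNSAFE     = 1 << 11  # lower-case (no environment scrubbing) forms

# Exec modes the parser accepts, per the AppArmor policy reference
# (assumption: this list is the complete set).
VALID_EXEC_MODES = frozenset({
    "ix", "ux", "Ux", "px", "Px", "cx", "Cx",
    "pix", "Pix", "pux", "PUx", "cix", "Cix", "cux", "CUx",
})


def mode_to_str(mode, fixed=True):
    """Render permission bits as a rule mode string.

    fixed=False reproduces the pre-patch order (U emitted before P/C);
    fixed=True emits P/C first, then U, then i, as the patch does.
    The order of the non-exec letters is an assumption of this example.
    """
    unsafe = bool(mode & EXEC_UNSAFE)
    s = ""
    for bit, letter in ((MAY_READ, "r"), (MAY_WRITE, "w"), (MAY_APPEND, "a"),
                        (MAY_LINK, "l"), (MAY_LOCK, "k"), (EXEC_MMAP, "m")):
        if mode & bit:
            s += letter
    u_letter = "u" if unsafe else "U"
    if not fixed and mode & EXEC_UNCONFINED:
        s += u_letter                  # pre-patch: produces "UPx" / "UCx"
    if mode & EXEC_PROFILE:
        s += "p" if unsafe else "P"
    elif mode & EXEC_NT:
        s += "c" if unsafe else "C"
    if fixed and mode & EXEC_UNCONFINED:
        s += u_letter                  # patched: after P/C, before i
    if mode & EXEC_INHERIT:
        s += "i"
    if mode & MAY_EXEC:
        s += "x"
    return s


# Flag combinations corresponding to each documented exec mode
# (constructed for this example from the mode letters).
EXEC_CASES = {
    "ix":  MAY_EXEC | EXEC_INHERIT,
    "Ux":  MAY_EXEC | EXEC_UNCONFINED,
    "ux":  MAY_EXEC | EXEC_UNCONFINED | EXEC_UNSAFE,
    "Px":  MAY_EXEC | EXEC_PROFILE,
    "px":  MAY_EXEC | EXEC_PROFILE | EXEC_UNSAFE,
    "Cx":  MAY_EXEC | EXEC_NT,
    "cx":  MAY_EXEC | EXEC_NT | EXEC_UNSAFE,
    "Pix": MAY_EXEC | EXEC_PROFILE | EXEC_INHERIT,
    "pix": MAY_EXEC | EXEC_PROFILE | EXEC_INHERIT | EXEC_UNSAFE,
    "PUx": MAY_EXEC | EXEC_PROFILE | EXEC_UNCONFINED,
    "pux": MAY_EXEC | EXEC_PROFILE | EXEC_UNCONFINED | EXEC_UNSAFE,
    "Cix": MAY_EXEC | EXEC_NT | EXEC_INHERIT,
    "cix": MAY_EXEC | EXEC_NT | EXEC_INHERIT | EXEC_UNSAFE,
    "CUx": MAY_EXEC | EXEC_NT | EXEC_UNCONFINED,
    "cux": MAY_EXEC | EXEC_NT | EXEC_UNCONFINED | EXEC_UNSAFE,
}


def rewrite_mismatches(fixed=True):
    """Map expected mode -> emitted string for every case that differs."""
    bad = {}
    for want, bits in EXEC_CASES.items():
        got = mode_to_str(bits, fixed=fixed)
        if got != want:
            bad[want] = got
    return bad


# Constructed pattern for a simple "path mode," file rule line.
FILE_RULE_RE = re.compile(r"^\s*(\S+)\s+([rwmalkixpPcCuU]+),\s*$")


def rule_exec_mode_valid(line):
    """True/False for a file rule's exec letters; None if not a file rule.

    Assumes the non-exec letters precede the exec letters, as the
    emitter above (and the patched sub_mode_to_str) writes them.
    """
    m = FILE_RULE_RE.match(line)
    if not m:
        return None
    exec_part = m.group(2).lstrip("rwmalk")
    return exec_part == "" or exec_part in VALID_EXEC_MODES


if __name__ == "__main__":
    print("pre-patch mismatches:", rewrite_mismatches(fixed=False))
    print("patched mismatches:  ", rewrite_mismatches(fixed=True))
    for rule in ("/usr/bin/foo UPx,", "/usr/bin/foo rPUx,", "/etc/passwd r,"):
        print(rule, "->", rule_exec_mode_valid(rule))
```

Running the module lists the four combined modes the pre-patch order mangles (PUx, pux, CUx, cux) and an empty set for the patched order; `rule_exec_mode_valid` can be run line by line over a profile aa-logprof has written to flag an invalid exec mode before apparmor_parser rejects the whole profile.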