[apparmor] [patch] fix aa-logprof rewrite of PUx modes.

Steve Beattie steve at nxnw.org
Tue Apr 24 16:02:59 UTC 2012


Subject: fix aa-logprof rewrite of PUx modes.

When writing out a profile, aa-logprof incorrectly converts PUx execute
permission modes to the syntactically invalid UPx mode, because the
function that converts the internal representation of permissions to
a string emits the U(nconfined) mode bit before the P bit.

This patch corrects this by reordering the way the exec permissions
are emitted, so that P and C modes come before U and i. Based on
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
this should emit the modes correctly in all combined exec modes.
Other approaches to fixing this would require adjusting the data
structure that contains the permission modes, resulting in a more
invasive patch.

Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/982619

---
 utils/Immunix/AppArmor.pm |   21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

Index: b/utils/Immunix/AppArmor.pm
===================================================================
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -4814,13 +4814,9 @@ sub sub_mode_to_str($) {
     $str .= "a" if ($mode & $AA_MAY_APPEND);
     $str .= "l" if ($mode & $AA_MAY_LINK);
     $str .= "k" if ($mode & $AA_MAY_LOCK);
-    if ($mode & $AA_EXEC_UNCONFINED) {
-	if ($mode & $AA_EXEC_UNSAFE) {
-	    $str .= "u";
-	} else {
-	    $str .= "U";
-	}
-    }
+
+    # modes P and C *must* come before I and U; otherwise syntactically
+    # invalid profiles result
     if ($mode & ($AA_EXEC_PROFILE | $AA_EXEC_NT)) {
 	if ($mode & $AA_EXEC_UNSAFE) {
 	    $str .= "p";
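Review bot: the comment added above the P/C block ("modes P and C *must* come before I and U; otherwise syntactically invalid profiles result") is repeated word for word above the relocated U block in the next hunk; one copy is enough, and it belongs directly above the `if ($mode & $AA_EXEC_UNCONFINED)` block, since that is the code whose position the constraint governs. Also, the code emits a lower-case "i", so the comment should read "i and U" to match the letters actually written.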
@@ -4835,7 +4831,18 @@ sub sub_mode_to_str($) {
 	    $str .= "C";
 	}
     }
+
+    # modes P and C *must* come before I and U; otherwise syntactically
+    # invalid profiles result
+    if ($mode & $AA_EXEC_UNCONFINED) {
+	if ($mode & $AA_EXEC_UNSAFE) {
+	    $str .= "u";
+	} else {
+	    $str .= "U";
+	}
+    }
     $str .= "i" if ($mode & $AA_EXEC_INHERIT);
+
     $str .= "x" if ($mode & $AA_MAY_EXEC);
 
     return $str;
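Review bot: no test accompanies the reorder, so nothing guards against the U block drifting back in front of P/C later; a small unit test calling sub_mode_to_str with each of $AA_EXEC_PROFILE and $AA_EXEC_NT combined with $AA_EXEC_UNCONFINED or $AA_EXEC_INHERIT (with and without $AA_EXEC_UNSAFE) and comparing the result against the combined modes in the referenced policy reference (PUx, pux, CUx, cux, Pix, pix, Cix, cix) would make bug 982619 a regression test. The comment above this block duplicates the one added in the previous hunk, and the blank line inserted between the "i" and "x" emission lines is unrelated whitespace churn.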

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
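As an added illustration that is not part of the patch or the AppArmor utils code, the following Python model reproduces the emission order of sub_mode_to_str before and after the reorder and checks the result against the combined exec modes AppArmor's policy syntax accepts. The bit constants and helper names are constructed for this example and are not AppArmor's own values.

```python
# Added example, not code from the patch: a Python model of the exec-mode
# emission order in sub_mode_to_str, before and after the reordering, checked
# against the combined exec modes AppArmor's policy syntax accepts.
# The bit values are constructed for this example, not AppArmor's own.
AA_MAY_EXEC        = 1 << 0
AA_EXEC_INHERIT    = 1 << 1   # "i"
AA_EXEC_UNCONFINED = 1 << 2   # "U" / "u"
AA_EXEC_PROFILE    = 1 << 3   # "P" / "p"
AA_EXEC_NT         = 1 << 4   # "C" / "c" (child profile transition)
AA_EXEC_UNSAFE     = 1 << 5   # lower-case variant (no environment scrubbing)

# Exec modes listed in the AppArmor Core Policy Reference (execute rules).
VALID_EXEC_MODES = {"ix", "ux", "Ux", "px", "Px", "cx", "Cx",
                    "pix", "Pix", "cix", "Cix", "pux", "PUx", "cux", "CUx"}

def _transition(mode):
    """The P/C letter, lower-cased when the unsafe bit is set."""
    unsafe = bool(mode & AA_EXEC_UNSAFE)
    if mode & AA_EXEC_PROFILE:
        return "p" if unsafe else "P"
    if mode & AA_EXEC_NT:
        return "c" if unsafe else "C"
    return ""

def _unconfined(mode):
    """The U letter, lower-cased when the unsafe bit is set."""
    if mode & AA_EXEC_UNCONFINED:
        return "u" if mode & AA_EXEC_UNSAFE else "U"
    return ""

def exec_mode_to_str_old(mode):
    """Pre-patch order: U before P/C, so PUx comes out as the invalid UPx."""
    s = _unconfined(mode) + _transition(mode)
    s += "i" if mode & AA_EXEC_INHERIT else ""
    return s + ("x" if mode & AA_MAY_EXEC else "")

def exec_mode_to_str_new(mode):
    """Patched order: P/C, then U, then i, then x."""
    s = _transition(mode) + _unconfined(mode)
    s += "i" if mode & AA_EXEC_INHERIT else ""
    return s + ("x" if mode & AA_MAY_EXEC else "")

def is_valid_exec_mode(s):
    return s in VALID_EXEC_MODES

if __name__ == "__main__":
    pux = AA_EXEC_PROFILE | AA_EXEC_UNCONFINED | AA_MAY_EXEC
    for fn in (exec_mode_to_str_old, exec_mode_to_str_new):
        s = fn(pux)
        print(f"{fn.__name__}: {s} valid={is_valid_exec_mode(s)}")
```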