[apparmor] [patch] fix aa-logprof rewrite of PUx modes.
John Johansen
john.johansen at canonical.com
Tue Apr 24 16:38:12 UTC 2012
On 04/24/2012 09:02 AM, Steve Beattie wrote:
> Subject: fix aa-logprof rewrite of PUx modes.
>
> When writing out a profile, aa-logprof incorrectly converts PUx execute
> permission modes to the syntactically invalid UPx mode, because the
> function that converts the internal representation of permissions to
> a string emits the U(nconfined) mode bit before the P bit.
>
> This patch corrects this by reordering the way the exec permissions
> are emitted, so that P and C modes come before U and i. Based on
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
> this should emit the modes correctly in all combined exec modes.
> Other approaches to fixing this would require adjusting the data
> structure that contains the permission modes, resulting in a more
> invasive patch.
>
> Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/982619
>
It looks good.
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> utils/Immunix/AppArmor.pm | 21 ++++++++++++++-------
> 1 file changed, 14 insertions(+), 7 deletions(-)
>
> Index: b/utils/Immunix/AppArmor.pm
> ===================================================================
> --- a/utils/Immunix/AppArmor.pm
> +++ b/utils/Immunix/AppArmor.pm
> @@ -4814,13 +4814,9 @@ sub sub_mode_to_str($) {
> $str .= "a" if ($mode & $AA_MAY_APPEND);
> $str .= "l" if ($mode & $AA_MAY_LINK);
> $str .= "k" if ($mode & $AA_MAY_LOCK);
> - if ($mode & $AA_EXEC_UNCONFINED) {
> - if ($mode & $AA_EXEC_UNSAFE) {
> - $str .= "u";
> - } else {
> - $str .= "U";
> - }
> - }
> +
> + # modes P and C *must* come before I and U; otherwise syntactically
> + # invalid profiles result
> if ($mode & ($AA_EXEC_PROFILE | $AA_EXEC_NT)) {
> if ($mode & $AA_EXEC_UNSAFE) {
> $str .= "p";
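Review bot: the comment added above the `$AA_EXEC_PROFILE | $AA_EXEC_NT` test writes the inherit mode as uppercase "I", while the code emits lowercase "i" (`$str .= "i" if ($mode & $AA_EXEC_INHERIT);`) and the patch description also says "U and i". Suggest `# modes P and C *must* come before i and U` so the comment matches the characters that actually end up in a profile. It would also help to name the concrete failure from the description in the comment, PUx being written out as UPx, so a later reader knows what the ordering protects against.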
> @@ -4835,7 +4831,18 @@ sub sub_mode_to_str($) {
> $str .= "C";
> }
> }
> +
> + # modes P and C *must* come before I and U; otherwise syntactically
> + # invalid profiles result
> + if ($mode & $AA_EXEC_UNCONFINED) {
> + if ($mode & $AA_EXEC_UNSAFE) {
> + $str .= "u";
> + } else {
> + $str .= "U";
> + }
> + }
> $str .= "i" if ($mode & $AA_EXEC_INHERIT);
> +
> $str .= "x" if ($mode & $AA_MAY_EXEC);
>
> return $str;
>
>
>
>
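Review bot: the comment placed above the moved `$AA_EXEC_UNCONFINED` block is a verbatim copy of the one in the first hunk, and here it sits over the U/i code rather than the P/C code it names. Reword it from this side, for example `# U and i are emitted after P and C (see above)`, instead of stating the rule twice. The correct output now rests entirely on the order of these `if` blocks inside sub_mode_to_str, and the diffstat shows only utils/Immunix/AppArmor.pm changing, so nothing guards against a later reshuffle; a small test that converts a mode with both the profile and unconfined bits set and checks that the result is PUx would pin the behaviour down.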