[apparmor] [patch 4/9] profiles - fix apparmor_api abstractions

Seth Arnold seth.arnold at canonical.com
Tue Dec 18 18:13:08 UTC 2012


On Tue, Dec 18, 2012 at 06:17:59AM -0800, Steve Beattie wrote:
> The apparmor_api abstractions make the mistake of including tunables
> directly, which is a no-no since the variable definitions in tunables
> need to occur in the preamble of a profile, not embedded within it.
> This patch removes those includes, and replaces them with documentation
> of which tunables are necessary, as some of the expected ones are not
> part of tunables/global.
> 
> It also adjusts the kernelvars tunable's definition of the @{pid}
> regex, as the current parser does not support nesting of {} groupings,
> which breaks any profile that attempts to use the tunable.

There's an extraneous comment left in, "just use a pattern [0-9]{1,6}".
That line might as well be deleted, you've got the better pattern
immediately afterwards. But with or without that line deleted..

Acked-By: Seth Arnold <seth.arnold at canonical.com>


> ---
>  profiles/apparmor.d/abstractions/apparmor_api/examine         |    4 ++--
>  profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint |    5 +++--
>  profiles/apparmor.d/abstractions/apparmor_api/introspect      |    4 ++--
>  profiles/apparmor.d/abstractions/apparmor_api/is_enabled      |    4 ++--
>  profiles/apparmor.d/tunables/kernelvars                       |    5 ++++-
>  5 files changed, 13 insertions(+), 9 deletions(-)
> 
> Index: b/profiles/apparmor.d/abstractions/apparmor_api/examine
> ===================================================================
> --- a/profiles/apparmor.d/abstractions/apparmor_api/examine
> +++ b/profiles/apparmor.d/abstractions/apparmor_api/examine
> @@ -6,7 +6,7 @@
>  #
>  # ------------------------------------------------------------------
>  
> -#include <tunables/proc>
> -#include <tunables/kernelvars>
> +# Make sure to include at least tunables/proc and tunables/kernelvars
> +# when using this abstraction, if not tunables/global.
>  
>  @{PROC}/@{pids}/attr/{current,prev,exec} r,
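Review bot: the replacement comment names tunables/proc and tunables/kernelvars, but the kernelvars hunk further down defines only `@{pid}` and `@{tid}`, while the one rule left in this file expands `@{pids}`. Confirm `@{pids}` is really defined by one of the two named tunables; otherwise a profile that follows the comment to the letter still fails to parse. It would also help to name the variables the abstraction uses, e.g. `# Needs @{PROC} and @{pids}; include tunables/proc and tunables/kernelvars (or tunables/global) in the profile preamble`, since an undefined-variable error is what the profile author will actually see.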
> Index: b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
> ===================================================================
> --- a/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
> +++ b/profiles/apparmor.d/abstractions/apparmor_api/find_mountpoint
> @@ -8,6 +8,7 @@
>  
>  #permissions needed for aa_find_mountpoint
>  
> -#include <tunables/proc>
> +# Make sure to include at least tunables/proc and tunables/kernelvars
> +# when using this abstraction, if not tunables/global.
>  
> -@{proc}/*/mounts r,
> +@{PROC}/@{pids}/mounts r,
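Review bot: the last line changes two things at once, `@{proc}` to `@{PROC}` and `*` to `@{pids}`, and only the include cleanup is described in the commit message. The `*` form matched any single path component under /proc, so this is a tightening, and it relies on `/proc/self/mounts` being seen by the path check as the numeric pid rather than `self`. Say so in the commit message, and, as with examine, confirm that `@{pids}` is defined in tunables/proc or tunables/kernelvars, since those are the two the new comment points at.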
> Index: b/profiles/apparmor.d/abstractions/apparmor_api/introspect
> ===================================================================
> --- a/profiles/apparmor.d/abstractions/apparmor_api/introspect
> +++ b/profiles/apparmor.d/abstractions/apparmor_api/introspect
> @@ -6,7 +6,7 @@
>  #
>  # ------------------------------------------------------------------
>  
> -#include <tunables/proc>
> -#include <tunables/kernelvars>
> +# Make sure to include at least tunables/proc and tunables/kernelvars
> +# when using this abstraction, if not tunables/global.
>  
>  @{PROC}/@{tid}/attr/{current,prev,exec} r,
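Review bot: introspect grants `@{PROC}/@{tid}/attr/{current,prev,exec}` while examine grants the same path with `@{pids}`. The kernelvars hunk sets `@{tid}=@{pid}`, so unless `@{pids}` expands to the same pattern the two abstractions permit different /proc entries for the same file. Either use one variable in both files or add a comment explaining why introspect is thread-scoped and examine is not.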
> Index: b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
> ===================================================================
> --- a/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
> +++ b/profiles/apparmor.d/abstractions/apparmor_api/is_enabled
> @@ -8,8 +8,8 @@
>  
>  # permissions needed for aa_is_enabled
>  
> -#include <tunables/sys>
> -#include <tunables/apparmorfs>
> +# Make sure to include at least tunables/sys and tunables/apparmorfs
> +# when using this abstraction, if not tunables/global.
>  
>  #include <abstractions/apparmor_api/find_mountpoint>
>  @{sys}/module/apparmor/parameters/enabled r,
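Review bot: the comment lists only tunables/sys and tunables/apparmorfs, but the `#include <abstractions/apparmor_api/find_mountpoint>` two lines below now depends on `@{PROC}` and `@{pids}`, i.e. on tunables/proc and tunables/kernelvars as well. A profile that includes exactly what this comment asks for will fail to parse. Either list the transitive requirements here too, or recommend tunables/global in every apparmor_api abstraction and drop the per-file lists, which are easy to get out of sync.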
> Index: b/profiles/apparmor.d/tunables/kernelvars
> ===================================================================
> --- a/profiles/apparmor.d/tunables/kernelvars
> +++ b/profiles/apparmor.d/tunables/kernelvars
> @@ -10,7 +10,10 @@
>  # that will become kernel vars at some point
>  
>  # until kernel vars are implemented just use a pattern [0-9]{1,6}
> -@{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
> +# and until the parser supports nested groupings like
> +#   @{pid}=[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}
> +# use
> +@{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
>  
>  #same pattern as @{pid} for now
>  @{tid}=@{pid}
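Review bot: the untouched line `# until kernel vars are implemented just use a pattern [0-9]{1,6}` now runs straight into the new `# and until the parser supports nested groupings like` comment, and the combined sentence no longer scans; fold the `[0-9]{1,6}` remark into the new comment or drop it. The new alternation is also worth a one-line note on what it covers: one to six digits with no leading zero, i.e. pids 1 through 999999. If pid_max is raised above that (64-bit kernels allow it), every rule built on `@{pid}` or `@{tid}` silently stops matching those processes, so the ceiling should be stated where the variable is defined.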
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
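The kernelvars hunk above replaces a nested `{}` grouping, which the parser rejects, with a flat alternation. As an added check that is not part of the patch or of the AppArmor tree, the following Python script translates the small subset of AppArmor globbing the two patterns use (`[...]` classes and `{a,b}` alternation) into a Python regex and confirms that both forms accept exactly the same pid strings, including the six-digit ceiling. The glob-to-regex translator is a minimal one written for this comparison, not the AppArmor parser's.

```python
"""Compare the old (nested) and new (flat) @{pid} patterns from the patch.

Added example, not part of the AppArmor project. `glob_to_regex` handles only
the constructs these two tunables use: `[...]` character classes and `{a,b}`
alternation (nested, with empty alternatives allowed)."""
import re

# Patterns copied verbatim from the kernelvars hunk.
OLD_NESTED = "[1-9]{[0-9]{[0-9]{[0-9]{[0-9]{[0-9],},},},},}"
NEW_FLAT = ("{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],"
            "[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}")


def glob_to_regex(glob: str) -> str:
    """Translate the `[...]` and `{a,b}` subset of AppArmor globbing to a regex.

    `{` opens a non-capturing group, `,` inside a group becomes `|`, `}` closes
    it; `[...]` classes are passed through; anything else is escaped literally.
    Unbalanced braces raise ValueError, mirroring a parse failure."""
    out = []
    depth = 0
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == "[":
            j = glob.index("]", i)          # ValueError if the class is unterminated
            out.append(glob[i:j + 1])
            i = j + 1
            continue
        if c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}":
            if depth == 0:
                raise ValueError("unbalanced '}' in glob")
            out.append(")")
            depth -= 1
        elif c == "," and depth > 0:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in glob")
    return "".join(out)


def matches(glob: str, s: str) -> bool:
    """True if the whole string `s` is matched by the glob."""
    return re.fullmatch(glob_to_regex(glob), s) is not None


def first_disagreement(glob_a: str, glob_b: str, limit: int):
    """Smallest integer n in [0, limit) whose decimal form the two globs treat
    differently, or None if they agree on the whole range."""
    ra = re.compile(glob_to_regex(glob_a))
    rb = re.compile(glob_to_regex(glob_b))
    for n in range(limit):
        s = str(n)
        if (ra.fullmatch(s) is None) != (rb.fullmatch(s) is None):
            return n
    return None


if __name__ == "__main__":
    print("old:", glob_to_regex(OLD_NESTED))
    print("new:", glob_to_regex(NEW_FLAT))
    # Exhaustive comparison over every value up to and just past the 6-digit ceiling.
    print("first disagreement:", first_disagreement(OLD_NESTED, NEW_FLAT, 1_000_001))
    for pid in ("1", "32768", "999999", "1000000", "0", "007"):
        print(f"{pid:>8}: old={matches(OLD_NESTED, pid)} new={matches(NEW_FLAT, pid)}")
```

Running it shows the two patterns agree on every value from 0 to 1000000 and that neither matches "0", a leading-zero form such as "007", or any seven-digit pid, which is the ceiling a profile author inherits from this tunable.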