[apparmor] [PATCH 09/11] Fix permissions attached to the bare file keyword
Steve Beattie
steve at nxnw.org
Thu Mar 8 19:07:49 UTC 2012
On Wed, Mar 07, 2012 at 06:17:28AM -0800, John Johansen wrote:
> file,
>
> was not given the correct permissions. It was only being given the owner
> set of permissions. This would result in rejects when trying to look at
> files owned by other users.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-By: Steve Beattie <sbeattie at ubuntu.com>
I was unaware of this syntactic sugar. Here are testcases that exercise
it, at least for read-write permissions, and at least trigger the issue
that your patch intends to address.
---
tests/regression/apparmor/mkprofile.pl | 9 ++++++---
tests/regression/apparmor/open.sh | 12 ++++++++++++
2 files changed, 18 insertions(+), 3 deletions(-)
Index: b/tests/regression/apparmor/mkprofile.pl
===================================================================
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -164,9 +164,10 @@ sub gen_file($) {
my $rule = shift;
my @rules = split (/:/, $rule);
# default: file rules
- if (@rules != 2) {
- (!$nowarn) && print STDERR "Warning: invalid file access '$rule', ignored\n";
- } else {
+ if (@rules == 1) {
+ # support raw rules
+ push (@{$output_rules{$hat}}, " $rules[0],\n");
+ } elsif (@rules == 2) {
if ($escape) {
$rules[0]=~ s/(["[\]{}\\\:\#])/\\$1/g;
$rules[0]=~ s/(\#)/\\043/g;
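Review bot: the new `@rules == 1` branch accepts any colon-free string as a raw rule, so a file rule that merely omits its `:perms` field (say `/tmp/foo`) is now emitted verbatim as `/tmp/foo,` and fails in the parser instead of producing the existing "invalid file access" warning; it also bypasses the `$escape` substitutions that the two-field branch applies. Consider limiting the raw form to the keywords it is meant for (the new tests only need `file`), or at least naming `file` in the `# support raw rules` comment so the intent is clear to the next reader.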
@@ -176,6 +177,8 @@ sub gen_file($) {
} else {
push (@{$output_rules{$hat}}, " $rules[0] $rules[1],\n");
}
+ } else {
+ (!$nowarn) && print STDERR "Warning: invalid file access '$rule', ignored\n";
}
}
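Review bot: the warning moved into the new `else` now fires only for rules with three or more `:`-separated fields (and for an empty rule), but its text still reads `invalid file access '$rule'` without saying what is accepted. Since this hunk changes the accepted forms, suggest extending the message to name them, e.g. `expected 'path:perms' or a bare rule such as 'file'`, so a failing test run shows why a rule was dropped.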
Index: b/tests/regression/apparmor/open.sh
===================================================================
--- a/tests/regression/apparmor/open.sh
+++ b/tests/regression/apparmor/open.sh
@@ -54,3 +54,15 @@ runchecktest "OPEN R+dac_override" fail
rm -f ${file}
genprofile $file:$badperm2
runchecktest "OPEN W (create)" fail $file
+
+# This is a test where using just a raw 'file,' rule allowing all file
+# access
+genprofile file
+runchecktest "OPEN 'file' RW" pass $file
+
+# this test is to make sure the raw 'file' rule allows access to things
+# that are not covered by the owner rule
+chown nobody $file
+chmod 666 $file
+genprofile file
+runchecktest "OPEN 'file' RW" pass $file
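Review bot: both new checks are registered under the same name `OPEN 'file' RW`, so a failure in the output cannot be attributed to the owner case or to the non-owner case that the second comment says it exercises; give the second one a distinct name such as `OPEN 'file' RW (non-owner)`. Two smaller points on the same hunk: `rm -f ${file}` in the context above removes the file and nothing in the hunk recreates it before `chown nobody $file`, so the chown depends on the first new `runchecktest` having created it; an explicit `touch $file` would make that precondition independent of the previous check. And the `chown nobody`/`chmod 666` state is left in place after the last test, so anything appended to open.sh later inherits a non-owner, world-writable file; resetting or removing it at the end would be safer. The comment `This is a test where using just a raw 'file,' rule allowing all file access` is also an incomplete sentence; `This test uses just a raw 'file,' rule, which allows all file access` reads better.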
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/