[apparmor] [PATCH 09/11] Fix permissions attached to the bare file keyword
John Johansen
john.johansen at canonical.com
Thu Mar 8 19:11:44 UTC 2012
On 03/08/2012 11:07 AM, Steve Beattie wrote:
> On Wed, Mar 07, 2012 at 06:17:28AM -0800, John Johansen wrote:
>> file,
>>
>> was not given the correct permissions. It was only being given the owner
>> set of permissions. This would result in rejects when trying to look at
>> files owned by other users.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>
> Acked-By: Steve Beattie <sbeattie at ubuntu.com>
>
> I was unaware of this syntactic sugar. Here are testcases that exercise
> it, at least for read-write permissions, and at least trigger the issue
> that your patch intends to address.
>
Oh nice, thanks, and if it's even needed the test gets an
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> tests/regression/apparmor/mkprofile.pl | 9 ++++++---
> tests/regression/apparmor/open.sh | 12 ++++++++++++
> 2 files changed, 18 insertions(+), 3 deletions(-)
>
> Index: b/tests/regression/apparmor/mkprofile.pl
> ===================================================================
> --- a/tests/regression/apparmor/mkprofile.pl
> +++ b/tests/regression/apparmor/mkprofile.pl
> @@ -164,9 +164,10 @@ sub gen_file($) {
> my $rule = shift;
> my @rules = split (/:/, $rule);
> # default: file rules
> - if (@rules != 2) {
> - (!$nowarn) && print STDERR "Warning: invalid file access '$rule', ignored\n";
> - } else {
> + if (@rules == 1) {
> + # support raw rules
> + push (@{$output_rules{$hat}}, " $rules[0],\n");
> + } elsif (@rules == 2) {
> if ($escape) {
> $rules[0]=~ s/(["[\]{}\\\:\#])/\\$1/g;
> $rules[0]=~ s/(\#)/\\043/g;
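Review bot: the new `@rules == 1` branch pushes `$rules[0]` verbatim, skipping the `$escape` substitution that the two-field branch applies just below it; that is fine for a bare keyword like `file`, but it is worth a comment saying raw rules are emitted unescaped on purpose. Note also that Perl's `split` drops trailing empty fields, so an input such as `file:` (path with an empty permission set) now lands in this raw-rule branch and is emitted as `file,` rather than reaching the "invalid file access" warning; if that is not intended, test `$rule !~ /:/` instead of `@rules == 1`.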
> @@ -176,6 +177,8 @@ sub gen_file($) {
> } else {
> push (@{$output_rules{$hat}}, " $rules[0] $rules[1],\n");
> }
> + } else {
> + (!$nowarn) && print STDERR "Warning: invalid file access '$rule', ignored\n";
> }
> }
>
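Review bot: with the warning moved to the trailing `else`, it now only fires for inputs with three or more colon-separated fields (or an empty rule string). Since the accepted forms have grown to two, consider extending the message to name them, e.g. `"Warning: invalid file access '$rule' (expected 'path:perms' or a raw rule), ignored\n"`, so that callers of genprofile can tell why a rule was dropped.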
> Index: b/tests/regression/apparmor/open.sh
> ===================================================================
> --- a/tests/regression/apparmor/open.sh
> +++ b/tests/regression/apparmor/open.sh
> @@ -54,3 +54,15 @@ runchecktest "OPEN R+dac_override" fail
> rm -f ${file}
> genprofile $file:$badperm2
> runchecktest "OPEN W (create)" fail $file
> +
> +# This is a test where using just a raw 'file,' rule allowing all file
> +# access
> +genprofile file
> +runchecktest "OPEN 'file' RW" pass $file
> +
> +# this test is to make sure the raw 'file' rule allows access to things
> +# that are not covered by the owner rule
> +chown nobody $file
> +chmod 666 $file
> +genprofile file
> +runchecktest "OPEN 'file' RW" pass $file
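Review bot: both new checks use the identical description `"OPEN 'file' RW"`, so a failure in the non-owner case is indistinguishable from the owner case in the test output; give the second one a distinct name such as `"OPEN 'file' RW (non-owner)"`. The second check also depends on `$file` existing, but `rm -f ${file}` above removed it, so `chown nobody $file` only works if the preceding passing test recreated the file; an explicit `touch $file` (or the suite's usual setup step) before the `chown` would make the test self-contained. Finally, the first comment is missing its verb: `# This test checks that a raw 'file,' rule allows all file access` reads better than the current wording.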