[apparmor] [PATCH 2/4] Fix pivot_root to support named transitions correctly
John Johansen
john.johansen at canonical.com
Thu Mar 15 16:36:26 UTC 2012
Rename the pivotroot rule to pivot_root to match the command and the fn,
and fix it to support named transitions correctly by leveraging the parsing
action used for exec transitions.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser_misc.c | 2 +-
parser/parser_yacc.y | 35 +++++++++-----
parser/tst/simple_tests/mount/pivot_ok1.sd | 75 ++++++++++++++++++++++++++++
3 files changed, 99 insertions(+), 13 deletions(-)
create mode 100644 parser/tst/simple_tests/mount/pivot_ok1.sd
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index ab79855..7ff6348 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -83,7 +83,7 @@ static struct keyword_table keyword_table[] = {
{"remount", TOK_REMOUNT},
{"umount", TOK_UMOUNT},
{"unmount", TOK_UMOUNT},
- {"pivotroot", TOK_PIVOTROOT},
+ {"pivot_root", TOK_PIVOTROOT},
/* terminate */
{NULL, 0}
};
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 86bf293..ff8975f 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -1116,14 +1116,23 @@ mnt_rule: TOK_UMOUNT opt_conds opt_id TOK_END_OF_RULE
$$ = do_mnt_rule($2, NULL, NULL, $3, AA_MAY_UMOUNT);
}
-mnt_rule: TOK_PIVOTROOT opt_conds opt_id TOK_END_OF_RULE
- {
- $$ = do_pivot_rule($2, $3, NULL);
- }
+mnt_rule: TOK_PIVOTROOT opt_conds opt_id opt_named_transition TOK_END_OF_RULE
+ {
+ char *name = NULL;
+ if ($4.present && $4.namespace) {
+ name = malloc(strlen($4.namespace) +
+ strlen($4.name) + 3);
+ if (!name) {
+ PERROR("Memory allocation error\n");
+ exit(1);
+ }
+ sprintf(name, ":%s:%s", $4.namespace, $4.name);
+ free($4.namespace);
+ free($4.name);
+ } else if ($4.present)
+ name = $4.name;
-mnt_rule: TOK_PIVOTROOT opt_conds opt_id TOK_ARROW TOK_ID TOK_END_OF_RULE
- {
- $$ = do_pivot_rule($2, $3, $5);
+ $$ = do_pivot_rule($2, $3, name);
}
hat_start: TOK_CARET {}
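Review bot: The namespace/name concatenation in the new TOK_PIVOTROOT action computes the buffer size by hand and then fills it with an unbounded `sprintf`; the arithmetic is right (two colons plus the terminator), but keeping the size in one named variable and bounding the write makes the pairing self-evident: `size_t len = strlen($4.namespace) + strlen($4.name) + 3;` / `name = malloc(len);` / `snprintf(name, len, ":%s:%s", $4.namespace, $4.name);`. The commit message says this mirrors the exec-transition action; if the same block exists there, a small static helper shared by both rules would keep the two from drifting. On the `malloc` failure path `$4.namespace` and `$4.name` are not released, which is harmless only because the action exits the process. A one-line comment above the block, `/* ":ns:name" form of a named transition; ownership of the result passes to do_pivot_rule() */`, would record why the strings are freed here but `name` is not.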
@@ -1315,18 +1324,20 @@ struct mnt_entry *do_pivot_rule(struct cond_entry *old, char *root,
char *transition)
{
struct mnt_entry *ent = NULL;
-
+ char *device = NULL;
if (old) {
if (strcmp(old->name, "oldroot") != 0)
yyerror(_("invalid pivotroot conditional '%s'"), old->name);
+ if (old->vals) {
+ device = old->vals->value;
+ old->vals->value = NULL;
+ }
+ free_cond_entry(old);
}
- ent = new_mnt_entry(NULL, old->vals->value, NULL, root,
+ ent = new_mnt_entry(NULL, device, NULL, root,
AA_MAY_PIVOTROOT);
ent->trans = transition;
- old->vals->value = NULL;
- free_cond_entry(old);
-
return ent;
}
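Review bot: `ent->trans = transition;` dereferences the result of `new_mnt_entry()` without checking it; if that constructor can return NULL on allocation failure, the rule crashes instead of reporting the error, so add `if (!ent) { PERROR("Memory allocation error\n"); exit(1); }` before the assignment, matching how the TOK_PIVOTROOT action handles its own `malloc`. The `yyerror()` on a conditional other than "oldroot" is not followed by a return; if yyerror can return in this parser, `device` stays NULL and the entry is silently built without the conditional, so either confirm yyerror terminates or return NULL after it. A short header comment would also help: `/* Builds the pivot_root entry; takes ownership of transition (stored in ent->trans) and of the oldroot value detached from old, which is freed here. */`. do_pivot_rule's signature begins on the hunk header line, outside the hunk body.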
diff --git a/parser/tst/simple_tests/mount/pivot_ok1.sd b/parser/tst/simple_tests/mount/pivot_ok1.sd
new file mode 100644
index 0000000..5b6dea3
--- /dev/null
+++ b/parser/tst/simple_tests/mount/pivot_ok1.sd
@@ -0,0 +1,75 @@
+#
+#=Description basic pivot_root tests
+#=EXRESULT PASS
+#
+/usr/bin/a {
+ pivot_root /mnt/pnt,
+}
+
+/usr/bin/b {
+ pivot_root oldroot=/bar /mnt/pnt,
+}
+
+/usr/bin/c {
+ pivot_root oldroot=(/bar) /mnt/pnt,
+}
+
+/usr/bin/d {
+ pivot_root /mnt/pnt -> /profile,
+}
+
+/usr/bin/e {
+ pivot_root /mnt/pnt -> :ns:/profile,
+}
+
+/usr/bin/f {
+ pivot_root oldroot=/bar,
+}
+
+/usr/bin/g {
+ pivot_root oldroot=(/bar),
+}
+
+/usr/bin/h {
+ pivot_root oldroot=/bar -> /profile,
+}
+
+/usr/bin/i {
+ pivot_root oldroot=/bar -> :ns:/profile,
+}
+
+/usr/bin/j {
+ pivot_root oldroot=(/bar) -> /profile,
+}
+
+/usr/bin/k {
+ pivot_root oldroot=(/bar) -> :ns:/profile,
+}
+
+/usr/bin/l {
+ pivot_root -> /profile,
+}
+
+/usr/bin/m {
+ pivot_root -> :ns:/profile,
+}
+
+/usr/bin/n {
+ pivot_root oldroot=/bar /mnt/pnt -> /profile,
+}
+
+/usr/bin/o {
+ pivot_root oldroot=/bar /mnt/pnt -> :ns:/profile,
+}
+
+/usr/bin/p {
+ pivot_root oldroot=(/bar) /mnt/pnt -> /profile,
+}
+
+/usr/bin/q {
+ pivot_root oldroot=(/bar) /mnt/pnt -> :ns:/profile,
+}
+
+
+
+
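Review bot: The new fixture only covers accepted forms; there is no companion test expected to fail, such as a conditional other than `oldroot`, which is exactly the branch `do_pivot_rule()` rejects with `yyerror()`, so the error path stays unexercised. A matching `pivot_fail` style file with `pivot_root foo=/bar /mnt/pnt,` and `#=EXRESULT FAIL` would pin it. The four trailing blank lines at the end of the file look unintentional.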
--
1.7.9.1