[apparmor] [PATCH 4/4] Fix the bare file rule so that it grants access to root
John Johansen
john.johansen at canonical.com
Thu Mar 15 16:36:28 UTC 2012
file, should grant access to all file paths on the system but it does
not currently allow access to /
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser_yacc.y | 2 +-
tests/regression/apparmor/open.sh | 3 +++
2 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index ff8975f..65cf365 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -963,7 +963,7 @@ frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
file_rule: TOK_FILE TOK_END_OF_RULE
{
- char *path = strdup("/**");
+ char *path = strdup("/{**,}");
int perms = ((AA_BASE_PERMS & ~AA_EXEC_TYPE) |
(AA_EXEC_INHERIT | AA_MAY_EXEC));
/* duplicate to other permission set */
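Review bot: the reason for the odd-looking "/{**,}" at the strdup is only recorded in the commit message, so a later reader is likely to "simplify" it back to "/**" and reintroduce the bug; add a one-line comment above the strdup, e.g. `/* "/**" does not match "/" itself; the empty alternative does */`, so the intent survives in the source.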
diff --git a/tests/regression/apparmor/open.sh b/tests/regression/apparmor/open.sh
index 0c8b0c2..127b87e 100755
--- a/tests/regression/apparmor/open.sh
+++ b/tests/regression/apparmor/open.sh
@@ -60,6 +60,9 @@ runchecktest "OPEN W (create)" fail $file
genprofile file
runchecktest "OPEN 'file' RW" pass $file
+# Test the raw 'file,' rule allows accessing root
+runchecktest "OPEN 'file' R" pass "/"
+
# this test is to make sure the raw 'file' rule allows access to things
# that are not covered by the owner rule
chown nobody $file
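Review bot: the new test's name "OPEN 'file' R" is hard to tell apart from the "OPEN 'file' RW" check directly above it in the test output, and it does not say that the interesting part is the path; since the test exists specifically for the root directory, name it after that, e.g. `runchecktest "OPEN 'file' R on /" pass "/"`, and have the comment state why the old glob failed (it did not match "/" itself) so the regression being guarded against is clear.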
--
1.7.9.1
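The glob semantics behind this fix, as an added example that is not part of the patch or of the AppArmor parser: a simplified Python model of AppArmor path globs showing why the bare rule's old path "/**" never matched "/" while "/{**,}" does. The translation rules it implements (a `*` or `**` that begins a path component must consume at least one character, braces are alternation, an empty alternative matches the empty string) are an assumption made for illustration, not the parser's own conversion code; the sample paths are constructed.

```python
import re


def aare_to_regex(glob: str) -> str:
    """Translate a simplified AppArmor-style path glob into an anchored regex.

    Assumed model (written for this example, not the AppArmor parser's code):
      *        any run of characters not containing '/'
      **       any run of characters, '/' included
      ?        exactly one character other than '/'
      {a,b,..} alternation; an empty alternative matches the empty string
      \\x       literal x
    When * or ** begins a path component (it directly follows '/', also when
    that '/' sits just before an opening brace or the comma of an alternation)
    it must consume at least one character, and that character may not be '/'.
    That is what makes '/**' fail to match '/' while '/{**,}' succeeds through
    its empty alternative.
    """
    out = []
    i = 0
    at_component_start = False   # did the last literal emitted end with '/'?
    saved = []                   # component-start state at each open brace
    while i < len(glob):
        c = glob[i]
        if c == '\\' and i + 1 < len(glob):      # escaped literal character
            out.append(re.escape(glob[i + 1]))
            at_component_start = False
            i += 2
            continue
        if c == '*':
            if glob.startswith('**', i):
                out.append('[^/].*' if at_component_start else '.*')
                i += 2
            else:
                out.append('[^/]+' if at_component_start else '[^/]*')
                i += 1
            at_component_start = False
            continue
        if c == '?':
            out.append('[^/]')
            at_component_start = False
        elif c == '{':
            out.append('(?:')
            saved.append(at_component_start)   # each alternative starts here
        elif c == ',' and saved:
            out.append('|')
            at_component_start = saved[-1]
        elif c == '}' and saved:
            out.append(')')
            saved.pop()
            at_component_start = False
        else:
            out.append(re.escape(c))
            at_component_start = (c == '/')
        i += 1
    return '^' + ''.join(out) + '$'


def aare_match(glob: str, path: str) -> bool:
    """True if the path is covered by the glob under the model above."""
    return re.fullmatch(aare_to_regex(glob), path) is not None


def demo() -> dict:
    """Compare the old bare-rule glob '/**' with the fixed '/{**,}'."""
    # Constructed sample paths; "/" is the case the patch is about.
    paths = ["/", "/etc", "/etc/passwd", "/etc/ssh/sshd_config"]
    return {g: [p for p in paths if aare_match(g, p)] for g in ("/**", "/{**,}")}


if __name__ == "__main__":
    for glob, hits in demo().items():
        print(f"{glob:8} matches {hits}")
```

Running it shows "/**" covering every path except "/" and "/{**,}" covering all four, which is the difference the one-line change in parser_yacc.y relies on; the same model also reproduces the familiar rule that "/etc/*" stops at one component.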