[apparmor] [PATCH 2/4] Fix pivot_root to support named transitions correctly

Steve Beattie steve at nxnw.org
Thu Mar 15 19:07:47 UTC 2012 

On Thu, Mar 15, 2012 at 09:36:26AM -0700, John Johansen wrote:
> Rename the pivotroot rule to pivot_root to match the command and the fn
> and fix it to support named transition correctly leveraging the parsing
> action used for exec transitions.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-By: Steve Beattie <sbeattie at ubuntu.com>

> ---
>  parser/parser_misc.c                       |    2 +-
>  parser/parser_yacc.y                       |   35 +++++++++-----
>  parser/tst/simple_tests/mount/pivot_ok1.sd |   75 ++++++++++++++++++++++++++++
>  3 files changed, 99 insertions(+), 13 deletions(-)
>  create mode 100644 parser/tst/simple_tests/mount/pivot_ok1.sd
> 
> diff --git a/parser/parser_misc.c b/parser/parser_misc.c
> index ab79855..7ff6348 100644
> --- a/parser/parser_misc.c
> +++ b/parser/parser_misc.c
> @@ -83,7 +83,7 @@ static struct keyword_table keyword_table[] = {
>  	{"remount",		TOK_REMOUNT},
>  	{"umount",		TOK_UMOUNT},
>  	{"unmount",		TOK_UMOUNT},
> -	{"pivotroot",		TOK_PIVOTROOT},
> +	{"pivot_root",		TOK_PIVOTROOT},
>  	/* terminate */
>  	{NULL, 0}
>  };
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index 86bf293..ff8975f 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -1116,14 +1116,23 @@ mnt_rule: TOK_UMOUNT opt_conds opt_id TOK_END_OF_RULE
>  		$$ = do_mnt_rule($2, NULL, NULL, $3, AA_MAY_UMOUNT);
>  	}
>  
> -mnt_rule: TOK_PIVOTROOT opt_conds opt_id TOK_END_OF_RULE
> -	{
> -		$$ = do_pivot_rule($2, $3, NULL);
> -	}
> +mnt_rule: TOK_PIVOTROOT opt_conds opt_id opt_named_transition TOK_END_OF_RULE
> +	{
> +		char *name = NULL;
> +		if ($4.present && $4.namespace) {
> +			name = malloc(strlen($4.namespace) +
> +				      strlen($4.name) + 3);
> +			if (!name) {
> +				PERROR("Memory allocation error\n");
> +				exit(1);
> +			}
> +			sprintf(name, ":%s:%s", $4.namespace, $4.name);
> +			free($4.namespace);
> +			free($4.name);
> +		} else if ($4.present)
> +			name = $4.name;
>  
> -mnt_rule: TOK_PIVOTROOT opt_conds opt_id TOK_ARROW TOK_ID TOK_END_OF_RULE
> -	{
> -		$$ = do_pivot_rule($2, $3, $5);
> +		$$ = do_pivot_rule($2, $3, name);
>  	}
>  
>  hat_start: TOK_CARET {}
> @@ -1315,18 +1324,20 @@ struct mnt_entry *do_pivot_rule(struct cond_entry *old, char *root,
>  				char *transition)
>  {
>  	struct mnt_entry *ent = NULL;
> -
> +	char *device = NULL;
>  	if (old) {
>  		if (strcmp(old->name, "oldroot") != 0)
>  			yyerror(_("invalid pivotroot conditional '%s'"), old->name);
> +		if (old->vals) {
> +			device = old->vals->value;
> +			old->vals->value = NULL;
> +		}
> +		free_cond_entry(old);
>  	}
>  
> -	ent = new_mnt_entry(NULL, old->vals->value, NULL, root,
> +	ent = new_mnt_entry(NULL, device, NULL, root,
>  			    AA_MAY_PIVOTROOT);
>  	ent->trans = transition;
>  
> -	old->vals->value = NULL;
> -	free_cond_entry(old);
> -
>  	return ent;
>  }
> diff --git a/parser/tst/simple_tests/mount/pivot_ok1.sd b/parser/tst/simple_tests/mount/pivot_ok1.sd
> new file mode 100644
> index 0000000..5b6dea3
> --- /dev/null
> +++ b/parser/tst/simple_tests/mount/pivot_ok1.sd
> @@ -0,0 +1,75 @@
> +#
> +#=Description basic pivot_root tests
> +#=EXRESULT PASS
> +#
> +/usr/bin/a {
> +  pivot_root /mnt/pnt,
> +}
> +
> +/usr/bin/b {
> +  pivot_root oldroot=/bar /mnt/pnt,
> +}
> +
> +/usr/bin/c {
> +  pivot_root oldroot=(/bar) /mnt/pnt,
> +}
> +
> +/usr/bin/d {
> +  pivot_root /mnt/pnt -> /profile,
> +}
> +
> +/usr/bin/e {
> +  pivot_root /mnt/pnt -> :ns:/profile,
> +}
> +
> +/usr/bin/f {
> +  pivot_root oldroot=/bar,
> +}
> +
> +/usr/bin/g {
> +  pivot_root oldroot=(/bar),
> +}
> +
> +/usr/bin/h {
> +  pivot_root oldroot=/bar -> /profile,
> +}
> +
> +/usr/bin/i {
> +  pivot_root oldroot=/bar -> :ns:/profile,
> +}
> +
> +/usr/bin/j {
> +  pivot_root oldroot=(/bar) -> /profile,
> +}
> +
> +/usr/bin/k {
> +  pivot_root oldroot=(/bar) -> :ns:/profile,
> +}
> +
> +/usr/bin/l {
> +  pivot_root -> /profile,
> +}
> +
> +/usr/bin/m {
> +  pivot_root -> :ns:/profile,
> +}
> +
> +/usr/bin/n {
> +  pivot_root oldroot=/bar /mnt/pnt -> /profile,
> +}
> +
> +/usr/bin/o {
> +  pivot_root oldroot=/bar /mnt/pnt -> :ns:/profile,
> +}
> +
> +/usr/bin/p {
> +  pivot_root oldroot=(/bar) /mnt/pnt -> /profile,
> +}
> +
> +/usr/bin/q {
> +  pivot_root oldroot=(/bar) /mnt/pnt -> :ns:/profile,
> +}
> +
> +
> +
> +
> -- 
> 1.7.9.1
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120315/d816f252/attachment-0001.pgp>

More information about the AppArmor mailing list