[apparmor] [PATCH 4/4] Fix the bare file rule so that it grants access to root
Steve Beattie
steve at nxnw.org
Thu Mar 15 19:13:01 UTC 2012
On Thu, Mar 15, 2012 at 09:36:28AM -0700, John Johansen wrote:
> file, should grant access to all file paths on the system but it does
> not currently allow access to /
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Patch to parser_yacc.y is fine (and ACKed), but...
> ---
> parser/parser_yacc.y | 2 +-
> tests/regression/apparmor/open.sh | 3 +++
> 2 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index ff8975f..65cf365 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -963,7 +963,7 @@ frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
>
> file_rule: TOK_FILE TOK_END_OF_RULE
> {
> - char *path = strdup("/**");
> + char *path = strdup("/{**,}");
> int perms = ((AA_BASE_PERMS & ~AA_EXEC_TYPE) |
> (AA_EXEC_INHERIT | AA_MAY_EXEC));
> /* duplicate to other permission set */
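Review bot: the new literal "/{**,}" on the strdup line is not self-explanatory and needs a one-line comment. "/**" reads as if it already covers every path, so state that the empty alternative is what lets the bare file rule match "/" itself. The visible lines also show no NULL check on the strdup result; if the code just below this context does not already handle that, add one.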
> diff --git a/tests/regression/apparmor/open.sh b/tests/regression/apparmor/open.sh
> index 0c8b0c2..127b87e 100755
> --- a/tests/regression/apparmor/open.sh
> +++ b/tests/regression/apparmor/open.sh
> @@ -60,6 +60,9 @@ runchecktest "OPEN W (create)" fail $file
> genprofile file
> runchecktest "OPEN 'file' RW" pass $file
>
> +# Test the raw 'file,' rule allows accessing root
> +runchecktest "OPEN 'file' R" pass "/"
> +
This test is wrong, as the open will fail opening a directory ('/'). The
readdir.sh test script is probably where you want to test this.
> # this test is to make sure the raw 'file' rule allows access to things
> # that are not covered by the owner rule
> chown nobody $file
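Review bot: the added runchecktest targets "/", a directory, while every other check visible in this hunk operates on $file. The expected "pass" therefore depends on how the open helper treats a directory, which nothing in these lines shows. The label "OPEN 'file' R" is also nearly identical to the preceding "OPEN 'file' RW", so a failure would be hard to attribute; name the target in the label (for example by mentioning "/") and place the check in a test that exercises directory access.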
> --
> 1.7.9.1
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/