[apparmor] [PATCH 2/3] Fix permission mapping for change_profile onexec

Thu Mar 22 18:44:54 UTC 2012

The kernel has an extended test for change_profile when used with
onexec, that allows it to only work against set executables.

The parser is not correctly mapping change_profile for this test
update the mapping so change_onexec will work when confined.

Note: the parser does not currently support the extended syntax
that the kernel test allows for, this just enables it to work
for the generic case.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/immunix.h      |    1 +
 parser/parser_regex.c |   26 +++++++++++++++++---------
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/parser/immunix.h b/parser/immunix.h
index 8dc157a..ebb2d2e 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -61,6 +61,7 @@
 #define AA_PTRACE_PERMS			(AA_USER_PTRACE | AA_OTHER_PTRACE)
 
 #define AA_CHANGE_HAT			(1 << 30)
+#define AA_ONEXEC			(1 << 30)
 #define AA_CHANGE_PROFILE		(1 << 31)
 #define AA_SHARED_PERMS			(AA_CHANGE_HAT | AA_CHANGE_PROFILE)
 
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 8c34799..d0293e1 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -510,19 +510,27 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 			return FALSE;
 	}
 	if (entry->mode & AA_CHANGE_PROFILE) {
+		char *vec[3];
+		char lbuf[PATH_MAX + 8];
+		int index = 1;
+
+		/* allow change_profile for all execs */
+		vec[0] = "/[^/\x00]*";
+
 		if (entry->namespace) {
-			char *vec[2];
-			char lbuf[PATH_MAX + 8];
 			int pos;
 			ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8, &pos);
-			vec[0] = lbuf;
-			vec[1] = tbuf;
-			if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, 2, vec, dfaflags))
-			    return FALSE;
-		} else {
-		  if (!aare_add_rule(dfarules, tbuf, 0, AA_CHANGE_PROFILE, 0, dfaflags))
-				return FALSE;
+			vec[index++] = lbuf;
 		}
+		vec[index++] = tbuf;
+
+		/* regular change_profile rule */
+		if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index -1, &vec[1], dfaflags))
+			return FALSE;
+		/* onexec rule - both rules are needed for onexec */
+		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, dfaflags))
+			return FALSE;
+
 	}
 	if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
 		int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
-- 
1.7.9.1


