[apparmor] [PATCH 2/4] parser: Don't generate accept states for audit deny dbus and mount rules
John Johansen
john.johansen at canonical.com
Fri Sep 27 14:06:26 UTC 2013
On 09/26/2013 04:08 PM, Tyler Hicks wrote:
> Rules that have the audit and deny modifiers are to be explicitly denied
> and audited. However, accept states were incorrectly being generated
> with the deny and quiet masks set. This resulted in actions being denied
> but not audited.
>
> Here's the old parser output for audit deny dbus and mount rules:
>
> $ dbus="/t { audit deny dbus, }"
> $ mount="/t { audit deny mount, }"
> $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
> {1} <== (allow/deny/audit/quiet)
> {3} (0x 0/40/0/40)
> {7} (0x 0/46/0/46)
> $ $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
> {1} <== (allow/deny/audit/quiet)
> {5} (0x 0/2/0/2)
>
> With this patch, no accept states are generated which means that actions
> will be denied and audited:
>
> $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
> {1} <== (allow/deny/audit/quiet)
> $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
> {1} <== (allow/deny/audit/quiet)
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> parser/parser_yacc.y | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index 3489ba6..6555c4a 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -658,7 +658,9 @@ rules: rules opt_prefix mnt_rule
> {
> if ($2.owner)
> yyerror(_("owner prefix not allow on mount rules"));
> - if ($2.deny) {
> + if ($2.deny && $2.audit) {
> + $3->deny = 1;
> + } else if ($2.deny) {
> $3->deny = 1;
> $3->audit = $3->allow;
> } else if ($2.audit) {
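Review bot: the new `if ($2.deny && $2.audit)` branch in the mnt_rule action sets only `$3->deny = 1;` and, unlike the plain-deny branch right below it, intentionally leaves `$3->audit` unset; a one-line comment there would help, because at a glance the branch looks like a truncated copy of the `} else if ($2.deny) {` case rather than the point of the fix (no audit mask is recorded, so no accept state with the deny/quiet masks is emitted and the denial is audited, per the commit message). Since both branches assign `$3->deny = 1;`, the same logic reads more directly as one deny branch, `$3->deny = 1; if (!$2.audit) $3->audit = $3->allow;`, with the existing `else if ($2.audit)` branch unchanged. Unrelated to this change, the context line's message `owner prefix not allow on mount rules` should read `not allowed`.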
> @@ -673,7 +675,9 @@ rules: rules opt_prefix dbus_rule
> {
> if ($2.owner)
> yyerror(_("owner prefix not allow on dbus rules"));
> - if ($2.deny) {
> + if ($2.deny && $2.audit) {
> + $3->deny = 1;
> + } else if ($2.deny) {
> $3->deny = 1;
> $3->audit = $3->mode;
> } else if ($2.audit) {
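Review bot: the dbus_rule action now carries the same four-way prefix logic as the mnt_rule action, differing only in that `$3->audit = $3->mode;` replaces `$3->audit = $3->allow;`, so whatever form the mount hunk settles on (comment on the audit-deny branch, or collapsing the two `$3->deny = 1;` branches into `$3->deny = 1; if (!$2.audit) $3->audit = $3->mode;`) should be applied here identically so the two actions do not drift. The context line's message `owner prefix not allow on dbus rules` has the same `not allow` wording as the mount rule message.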
>