[apparmor] [patch] support for bare keywords in perl utils

Steve Beattie steve at nxnw.org
Fri Aug 1 20:15:13 UTC 2014


On Wed, Jul 30, 2014 at 11:42:05PM +0200, Christian Boltz wrote:
> I received three patches from Jeff to add support for the bare network, 
> capability and file keywords.
> 
> I propose Jeff's patches for 2.8 and trunk/deprecated.
> 
> 
> I'll paste all three patches into this mail, the patch headers contain
> detailed descriptions of what the patches do.

Thanks for passing these along.

> +++++ perl-apparmor-fix-bare-network-keyword-handling.diff (new)
> -- perl-apparmor-fix-bare-network-keyword-handling.diff
> ++ perl-apparmor-fix-bare-network-keyword-handling.diff
> @ -0,0 +1,34 @@
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: perl-apparmor: Fix bare 'network' keyword handling
> References: bnc#889650
> 
> The 'network' bare keyword was being printed as "audit network all" due to
> two different bugs:
> 
> 1) {audit}{all} was always being set to 1, regardless of whether the audit
>    keyword was used
> 2) {rule} eq 'all' is the wrong test - it should be {rule}{all}
> 
> With these fixed, 'network' is properly handled.
> 
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Acked-by: Steve Beattie <steve at nxnw.org>

> --- a/utils/Immunix/AppArmor.pm
> +++ b/utils/Immunix/AppArmor.pm
> @@ -5353,7 +5368,7 @@
>                 $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit;
>              } else {
>                  $profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{all} = 1;
> -                $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = 1;
> +                $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = $audit;
>              }
>          } elsif (/^\s*(tcp_connect|tcp_accept|udp_send|udp_receive)/) {
>  # just ignore and drop old style network
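Review bot: `{audit}{all} = $audit` now mirrors the per-family assignment two lines above (`{audit}{$fam} = $audit`), so the flag records whether `audit` was actually present instead of being forced to 1. Since the bug only showed up at serialisation time, a regression profile containing both `network,` and `audit network,` would be worth adding so the round trip is pinned down.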
> @@ -5708,7 +5729,7 @@
>      # dump out the netdomain entries...
>      if (exists $profile_data->{$allow}{netdomain}) {
>          if ( $profile_data->{$allow}{netdomain}{rule} &&
> -             $profile_data->{$allow}{netdomain}{rule} eq 'all') {
> +             $profile_data->{$allow}{netdomain}{rule}{all}) {
>             $audit = "audit " if $profile_data->{$allow}{netdomain}{audit}{all};
>              push @data, "${pre}${audit}network,";
>          } else {
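Review bot: `{rule}{all}` is the right test; the old `{rule} eq 'all'` compared a hash reference (which stringifies as `HASH(0x...)`) against a literal, so this branch could never be taken and every bare `network,` fell through to the `else` path. One thing to confirm outside the hunk: `$audit` is only assigned here when `{audit}{all}` is true, so it must be reset to an empty string before this block, otherwise a value left over from an earlier rule would be reused.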
> 

> +++++ perl-apparmor-handle-bare-capability-keyword.diff (new)
> -- perl-apparmor-handle-bare-capability-keyword.diff
> ++ perl-apparmor-handle-bare-capability-keyword.diff
> @ -0,0 +1,43 @@
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: perl-apparmor: Handle bare 'capability' keyword
> References: bnc#889651
> 
> Specifying 'capability' implies all capabilities, but the perl code didn't
> recognize it.
> 
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Acked-by: Steve Beattie <steve at nxnw.org>

> --- a/utils/Immunix/AppArmor.pm
> +++ b/utils/Immunix/AppArmor.pm
> @@ -5151,7 +5151,7 @@
>  
>              $initial_comment = "";
>  
> -        } elsif (m/^\s*(audit\s+)?(deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$/) {  # capability entry
> +        } elsif (m/^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$/) {  # capability entry
>              if (not $profile) {
>                  die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
>              }
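Review bot: making the capability name optional adds a capture group, so the name moves from `$3` to `$4` and `$3` now holds the whole `\s+(\S+)` group including its leading whitespace. Any code that reads the name via `$3` after this regex has to be changed to `$4`, or the outer group made non-capturing, `capability(?:\s+(\S+))?`, to keep the existing numbering.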
> @@ -5159,7 +5159,7 @@
>             my $audit = $1 ? 1 : 0;
>             my $allow = $2 ? 'deny' : 'allow';
>             $allow = 'deny' if ($2);
> -            my $capability = $3;
> +            my $capability = $3 ? $3 : 'all';
>              $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{set} = 1;
>              $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{audit} = $audit;
>          } elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) {  # capability entry
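Review bot: `my $capability = $3 ? $3 : 'all';` reads the wrong group. With the regex from the previous hunk, `capability(\s+(\S+))?`, `$3` is the outer group including the leading whitespace, so `capability chown,` produces the key `" chown"` (leading space) in `{capability}`; that key is written back as `capability  chown,` and will not compare equal to `chown` anywhere the hash is consulted. Use `$4 ? $4 : 'all'`, or make the outer group non-capturing. Separately, the context line `$allow = 'deny' if ($2);` duplicates the assignment directly above it and could be dropped.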
> @@ -5675,7 +5690,13 @@
>  
>      my @data;
>      if (exists $profile_data->{$allow}{capability}) {
> -        for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
> +       my $audit;
> +       if (exists $profile_data->{$allow}{capability}{all}) {
> +           $audit = ($profile_data->{$allow}{capability}{all}{audit}) ? 'audit ' : '';
> +           push @data, "${pre}${audit}${allowstr}capability,";
> +       }
> +       for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
> +           next if ($cap eq "all");
>             my $audit = ($profile_data->{$allow}{capability}{$cap}{audit}) ? 'audit ' : '';
>             if ($profile_data->{$allow}{capability}{$cap}{set}) {
>                 push @data, "${pre}${audit}${allowstr}capability ${cap},";
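Review bot: the `all` branch pushes `capability,` without checking `{all}{set}`, whereas the per-capability loop below only emits entries whose `{$cap}{set}` is true; if `set` can ever be false for the `all` entry, the bare keyword would still be written out, so the same guard belongs here. The outer `my $audit;` is shadowed by the loop's own `my $audit` and can simply be declared inside the `if` block. The added lines are also indented one column less than the `for my $cap` line they replace.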
> 
> +++++ perl-apparmor-properly-handle-bare-file-keyword.diff (new)
> -- perl-apparmor-properly-handle-bare-file-keyword.diff
> ++ perl-apparmor-properly-handle-bare-file-keyword.diff
> @ -0,0 +1,73 @@
> From: Jeff Mahoney <jeffm at suse.com>
> Subject: perl-apparmor: Properly handle bare 'file' keyword
> References: bnc#889652
> 
> The bare file keyword is a shortcut for /{**,}. There are also implied
> permissions that go with it.
> 
> This patch accepts the file keyword as well as allowing for missing mode
> specifiers.
> 
> Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Acked-by: Steve Beattie <steve at nxnw.org>

> ---
> 
>  utils/Immunix/AppArmor.pm |   27 ++++++++++++++++++++++++---
>  1 file changed, 24 insertions(+), 3 deletions(-)
> 
> --- a/utils/Immunix/AppArmor.pm
> +++ b/utils/Immunix/AppArmor.pm
> @@ -5252,7 +5252,7 @@
>          } elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean
>          } elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined
>          } elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined
> -        } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) {     # path entry
> +        } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) {     # path entry
>              if (not $profile) {
>                  die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
>              }
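Review bot: the `file` alternative is only ever followed by the optional `(\s+->\s*(.*?))?` and `\s*,`, so it matches `file,` but not `file /path rw,` or `file rw,`: those start with `file`, fail at the comma, and the second alternative requires a leading `"`, `@` or `/`, so such rules still end up in the syntax-error fallthrough. Wrapping the existing path/mode pair in `(file|...)` also shifts the path, mode and target captures to `$5`, `$6` and `$8`; the next hunk updates those three, but any other reader of `$4`..`$7` after this regex should be checked.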
> @@ -5260,7 +5260,19 @@
>             my $audit = $1 ? 1 : 0;
>             my $allow = $2 ? 'deny' : 'allow';
>             my $user = $3 ? 1 : 0;
> -            my ($path, $mode, $nt_name) = ($4, $5, $7);
> +            my ($path, $mode, $nt_name) = ($5, $6, $8);
> +            my $file_keyword = 0;
> +            my $use_mode = 1;
> +
> +            if ($4 eq "file") {
> +                $path = "/{**,}";
> +                $file_keyword = 1;
> +                if (!$mode) {
> +                    # what the parser uses, but we don't care
> +                    $mode = "rwixlka";
> +                    $use_mode = 0;
> +                }
> +            }
>  
>              # strip off any trailing spaces.
>              $path =~ s/\s+$//;
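Review bot: the placeholder `$mode = "rwixlka"` becomes the stored mode for `/{**,}` (it goes through the invalid-mode check and `str_to_mode` further down), so any consumer of `{path}{$path}` that does not consult `use_mode` will see permissions the profile never stated. Note also that with the regex in the previous hunk the `file` alternative never captures a mode, so `$mode` is always undefined on this path and `$use_mode` is always 0 for the keyword; either the regex should accept `file <mode>,` or the `if (!$mode)` branch is the only one that can run. The comment "what the parser uses, but we don't care" would be clearer as "only here to satisfy the mode validation below".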
> @@ -5281,6 +5293,9 @@
>                  fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode));
>              }
>  
> +           $profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = $use_mode;
> +           $profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if $file_keyword;
> +
>             my $tmpmode;
>             if ($user) {
>                 $tmpmode = str_to_mode("${mode}::");
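Review bot: both flags are keyed by `$path`, and the bare keyword is stored under the literal path `/{**,}`, so a profile containing both `file,` and an explicit `/{**,} rw,` rule collapses into a single hash entry: whichever rule is parsed last overwrites `use_mode`, while `file_keyword` is only ever set to 1 and never cleared, so the explicit rule would afterwards be serialised as `file`. Either key the keyword entry separately or clear `file_keyword` when a non-keyword rule for the same path is parsed.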
> @@ -5838,7 +5859,13 @@
>                     }
>                     $tmpmode &= ~$tmpaudit;
>                 }
> -               if ($tmpmode) {
> +               my $kw = $profile_data->{$allow}{path}{$path}{file_keyword};
> +               my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode};
> +               if ($kw) {
> +                   my $modestr = "";
> +                   $modestr = " " . mode_to_str($tmpmode) if $use_mode;
> +                   push @data, "${pre}${allowstr}${ownerstr}file${modestr}${tail},";
> +               } elsif ($tmpmode) {
>                     my $modestr = mode_to_str($tmpmode);
>                     if ($path =~ /\s/) {
>                         push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";
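Review bot: the `$kw` branch has no `$tmpmode` guard, unlike the `elsif ($tmpmode)` it sits in front of, so when `$use_mode` is set and `$tmpmode &= ~$tmpaudit` above has cleared every bit it would emit `file ,` with an empty mode; `$modestr = " " . mode_to_str($tmpmode) if $use_mode && $tmpmode;` avoids that. The branch also ignores `$path` entirely, which is right for the keyword but means an explicit `/{**,}` rule sharing the same hash entry would be printed as `file` too.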

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/