[apparmor] [patch] add support for attachments to write_header()
Steve Beattie
steve at nxnw.org
Wed Apr 1 18:21:06 UTC 2015
On Sat, Mar 07, 2015 at 01:12:40AM +0100, Christian Boltz wrote:
> Hello,
>
> this patch adds support for attachments to write_header().
>
> It also fixes a little bug that added the profile keyword if the path
> needed quotes (profile "/foo bar" - but "/foo bar" is enough). This was
> caused by a regex that always matched on quoted paths (hint: "/ matches
> ^[^/] ;-)
>
> The patch also adds some tests with attachments and updates the test
> for the bugfix mentioned above.
>
>
> Now the remaining part is to make sure that prof_data['attachment'] gets
> set when parsing the profiles :-)
>
>
> [ 17_write_header_add_attachment.diff ]
Acked-by: Steve Beattie <steve at nxnw.org>, thanks
> === modified file utils/apparmor/aa.py
> --- utils/apparmor/aa.py 2015-03-07 00:54:28.593218514 +0100
> +++ utils/apparmor/aa.py 2015-03-07 00:58:19.299575047 +0100
> @@ -3285,10 +3289,15 @@
> def write_header(prof_data, depth, name, embedded_hat, write_flags):
> pre = ' ' * depth
> data = []
> + unquoted_name = name
> name = quote_if_needed(name)
>
> - if (not embedded_hat and re.search('^[^/]|^"[^/]', name)) or (embedded_hat and re.search('^[^^]', name)):
> - name = 'profile %s' % name
> + attachment = ''
> + if prof_data['attachment']:
> + attachment = ' %s' % quote_if_needed(prof_data['attachment'])
> +
> + if (not embedded_hat and re.search('^[^/]', unquoted_name)) or (embedded_hat and re.search('^[^^]', unquoted_name)) or prof_data['attachment']:
> + name = 'profile %s%s' % (name, attachment)
>
> if write_flags and prof_data['flags']:
> data.append('%s%s flags=(%s) {' % (pre, name, prof_data['flags']))
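Review bot: `prof_data['attachment']` is indexed directly on the two added lines that test it, while the patch description says the parser does not set that key yet. The type of prof_data is not visible here, so if it is a plain dict, every write_header() call would raise KeyError until the parsing side lands. Reading the value once, `attachment_path = prof_data.get('attachment')` (assuming a dict-like object), and testing that local in both the `if` and the long condition would remove that dependency and the repeated lookups. The header line determines what the profile attaches to, so it also relies on quote_if_needed(), whose body is outside this hunk, to stop an attachment containing spaces or quote characters from splitting that line. write_header() continues past the end of the hunk.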
> === modified file utils/test/test-aa.py
> --- utils/test/test-aa.py 2015-03-07 00:54:28.676213606 +0100
> +++ utils/test/test-aa.py 2015-03-07 00:59:34.443131176 +0100
> @@ -312,13 +312,19 @@
> # name embedded_hat write_flags depth flags attachment expected
> (['/foo', False, True, 1, 'complain', None ], ' /foo flags=(complain) {'),
> (['/foo', True, True, 1, 'complain', None ], ' profile /foo flags=(complain) {'),
> - (['/foo sp', False, False, 2, 'complain', None ], ' profile "/foo sp" {'), # XXX why is the profile keyword added here?
> + (['/foo sp', False, False, 2, 'complain', None ], ' "/foo sp" {'),
> (['/foo' ,False, False, 2, 'complain', None ], ' /foo {'),
> (['/foo', True, False, 2, 'complain', None ], ' profile /foo {'),
> (['/foo', False, True, 0, None, None ], '/foo {'),
> (['/foo', True, True, 0, None, None ], 'profile /foo {'),
> (['/foo', False, False, 0, None, None ], '/foo {'),
> (['/foo', True, False, 0, None, None ], 'profile /foo {'),
> + (['bar', False, True, 1, 'complain', None, ], ' profile bar flags=(complain) {'),
> + (['bar', False, True, 1, 'complain', '/foo' ], ' profile bar /foo flags=(complain) {'),
> + (['bar', True, True, 1, 'complain', '/foo' ], ' profile bar /foo flags=(complain) {'),
> + (['bar baz', False, True, 1, None, '/foo' ], ' profile "bar baz" /foo {'),
> + (['bar', True, True, 1, None, '/foo' ], ' profile bar /foo {'),
> + (['bar baz', False, True, 1, 'complain', '/foo sp' ], ' profile "bar baz" "/foo sp" flags=(complain) {'),
> (['^foo', False, True, 1, 'complain', None ], ' profile ^foo flags=(complain) {'),
> (['^foo', True, True, 1, 'complain', None ], ' ^foo flags=(complain) {'),
> ]
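Review bot: None of the added rows combines a hat name such as `^foo` with an attachment, although the new `or prof_data['attachment']` branch in write_header() forces the `profile` keyword in that case too. With embedded_hat=True the header would change from `^foo` to `profile ^foo <attachment>`, and nothing here pins whether that is intended. A row for that combination would help, as would one with an empty-string attachment, which the truthiness check treats the same as None. The existing rows only pass None or a non-empty path in the attachment column.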
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/