[apparmor] [patch] Write unix rules when saving a profile

Christian Boltz apparmor at cboltz.de
Fri Dec 4 21:33:04 UTC 2015


Hello,

r2637 added support for parsing unix rules, but forgot to add write
support. The result was that a profile lost its unix rules when it was
saved.

This patch adds the write_unix_rules() and write_unix() functions (based
on the write_pivot_root() and write_pivot_root_rules() functions) and
makes sure they get called at the right place.

The cleanprof testcase gets a unix rule added to ensure it's not
deleted when writing the profile. (Note that minitools_test.py is not
part of the default "make check", however I always run it.)


I propose this patch for trunk, 2.10 and 2.9, which all share this bug.


References: https://bugs.launchpad.net/apparmor/+bug/1522938
            https://bugzilla.opensuse.org/show_bug.cgi?id=954104




[ 27-write-unix-rules.diff ]

=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-12-04 17:57:47.425282368 +0100
+++ utils/apparmor/aa.py        2015-12-04 22:15:31.285584049 +0100
@@ -3369,6 +3369,24 @@
     data += write_pivot_root_rules(prof_data, depth, 'allow')
     return data
 
+def write_unix_rules(prof_data, depth, allow):
+    pre = '  ' * depth
+    data = []
+
+    # no unix rules, so return
+    if not prof_data[allow].get('unix', False):
+        return data
+
+    for unix_rule in prof_data[allow]['unix']:
+        data.append('%s%s' % (pre, unix_rule.serialize()))
+    data.append('')
+    return data
+
+def write_unix(prof_data, depth):
+    data = write_unix_rules(prof_data, depth, 'deny')
+    data += write_unix_rules(prof_data, depth, 'allow')
+    return data
+
 def write_link_rules(prof_data, depth, allow):
     pre = '  ' * depth
     data = []
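Review bot: nothing in this patch exercises the 'deny' branch of write_unix_rules() (the write_unix() wrapper at lines "data = write_unix_rules(prof_data, depth, 'deny')" / "data += write_unix_rules(prof_data, depth, 'allow')"), since the cleanprof testcase only adds an allow rule; a `deny unix ...,` line in cleanprof_test.in would cover it. The early return on `prof_data[allow].get('unix', False)` mirrors write_pivot_root_rules(), so an empty or absent ruleset produces no output and no stray blank line; the trailing `data.append('')` is only reached when at least one rule was serialized.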
@@ -3480,6 +3498,7 @@
     data += write_signal(prof_data, depth)
     data += write_ptrace(prof_data, depth)
     data += write_pivot_root(prof_data, depth)
+    data += write_unix(prof_data, depth)
     data += write_links(prof_data, depth)
     data += write_paths(prof_data, depth)
     data += write_change_profile(prof_data, depth)
@@ -3636,6 +3655,7 @@
                          'signal': write_signal,
                          'ptrace': write_ptrace,
                          'pivot_root': write_pivot_root,
+                         'unix': write_unix,
                          'link': write_links,
                          'path': write_paths,
                          'change_profile': write_change_profile,
@@ -3651,6 +3671,7 @@
                                 'signal',
                                 'ptrace',
                                 'pivot_root',
+                                'unix',
                                 'link',
                                 'path',
                                 'change_profile',
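Review bot: 'unix' now has to appear in two hand-maintained structures, the writer dict ('unix': write_unix in the previous hunk) and this ordering list, in the same position relative to 'pivot_root' and 'link'. That is the case here and also matches the call order in write_profile (write_pivot_root, write_unix, write_links), but it is exactly the kind of duplication that let r2637 ship parsing without writing; a small assertion that every entry of this list has a writer in the dict, or deriving one from the other, would catch the next omission.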
=== modified file ./utils/test/cleanprof_test.in
--- utils/test/cleanprof_test.in        2015-06-19 21:44:07.210839000 +0200
+++ utils/test/cleanprof_test.in        2015-12-04 22:16:24.161247856 +0100
@@ -8,6 +8,8 @@
        allow /usr/share/X11/locale/**  r,
        allow /home/*/** r,
 
+    unix (receive) type=dgram,
+
     ^foo {
             /etc/fstab r,
         capability dac_override,
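Review bot: the added rule "unix (receive) type=dgram," sits only in the top-level profile; the ^foo hat directly below it gets none, so the depth/indentation handling of write_unix_rules() for child profiles is not covered by this test. Adding a unix rule inside ^foo (with the deliberately odd indentation the rest of cleanprof_test.in uses) would verify that as well.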
=== modified file ./utils/test/cleanprof_test.out
--- utils/test/cleanprof_test.out       2015-06-14 01:22:34.685032124 +0200
+++ utils/test/cleanprof_test.out       2015-12-04 22:16:36.529169204 +0100
@@ -6,6 +6,8 @@
 /usr/bin/a/simple/cleanprof/test/profile {
   #include <abstractions/base>
 
+  unix (receive) type=dgram,
+
   /home/*/** r,
   /home/foo/** w,
 



Regards,

Christian Boltz
-- 
To put it this way: I carbon. Computer silicon.
Silicon is to jump the way carbon says, not the other way round.
[Ratti in suse-linux]