[apparmor] [PATCH 2/3] Fix @{profile_name} variable to not be a fqname
John Johansen
john.johansen at canonical.com
Wed Jun 17 11:21:12 UTC 2015
The @{profile_name} is incorrectly expanded as a fully qualified path
including its namespace if one was specified in the profile declaration,
i.e.

    profile :ns://a {
      ptrace @{profile_name},
      # expands to
      # ptrace :ns://a,
    }

This is wrong however because within a profile, if a rule refers
to a namespace it will be wrt a sub-namespace. That is, in the above
example the ptrace rule is referring to a profile in a subnamespace
"ns".

Or from the current profile declaration scope

    :ns//ns://a

Instead @{profile_name} should expand into the hname (hierarchical name),
which is the profile hierarchy specification within the namespace the
profile is part of.

In this case

    a

or for a child profile case

    profile :ns://a {
      profile b {
        ptrace @{profile_name},
      }
    }

the hname expansion would be

    a//b
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser_variable.c | 2 +-
parser/tst/equality.sh | 24 ++++++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index 7250c0b..d8f77f3 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -297,7 +297,7 @@ int process_profile_variables(Profile *prof)
error = process_variables_in_name(*prof);
if (!error)
- error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(true).c_str());
+ error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(false).c_str());
if (!error)
error = process_variables_in_entries(prof->entries);
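Review bot: the meaning of the boolean passed to get_name() is not visible at this call site, so the fix from get_name(true) to get_name(false) reads as an opaque flag flip; a one-line comment such as `/* @{profile_name} is the hname within the namespace, not the fqname */` above the new_set_var() call would record the intent the commit message explains. This is also a user-visible change for any existing profile that relied on the old expansion including the namespace prefix, so it is worth calling out in the changelog or the variable's documentation.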
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index 3beed27..fc85e03 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -464,6 +464,30 @@ verify_binary_equality "change_profile == change_profile -> **" \
"/t { change_profile /**, }" \
"/t { change_profile /** -> **, }"
+verify_binary_equality "profile name is hname in rule" \
+ ":ns:/hname { signal peer=/hname, }" \
+ ":ns:/hname { signal peer=@{profile_name}, }"
+
+verify_binary_inequality "profile name in NOT fq name in rule" \
+ ":ns:/hname { signal peer=:ns:/hname, }" \
+ ":ns:/hname { signal peer=@{profile_name}, }"
+
+verify_binary_equality "profile name is hname in sub pofile rule" \
+ ":ns:/hname { profile child { signal peer=/hname//child, } }" \
+ ":ns:/hname { profile child { signal peer=@{profile_name}, } }"
+
+verify_binary_inequality "profile name in NOT fq name in sub profile rule" \
+ ":ns:/hname { profile child { signal peer=:ns:/hname//child, } }" \
+ ":ns:/hname { profile child { signal peer=@{profile_name}, } }"
+
+verify_binary_equality "profile name is hname in hat rule" \
+ ":ns:/hname { ^child { signal peer=/hname//child, } }" \
+ ":ns:/hname { ^child { signal peer=@{profile_name}, } }"
+
+verify_binary_inequality "profile name in NOT fq name in hat rule" \
+ ":ns:/hname { ^child { signal peer=:ns:/hname//child, } }" \
+ ":ns:/hname { ^child { signal peer=@{profile_name}, } }"
+
if [ $fails -ne 0 -o $errors -ne 0 ]
then
printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
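Review bot: two typos in the test descriptions: "sub pofile rule" should be "sub profile rule", and the three "profile name in NOT fq name" labels read more naturally as "profile name is NOT fq name". The new cases only exercise profiles declared with a ":ns:" prefix; adding one equality case for a profile with no namespace, e.g. `"/hname { signal peer=/hname, }"` against `"/hname { signal peer=@{profile_name}, }"`, would confirm the un-namespaced expansion is unchanged by this patch.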
--
2.1.4