[apparmor] [patch] add support for attachments to write_header()

Christian Boltz apparmor at cboltz.de
Sat Mar 7 00:12:40 UTC 2015


Hello,

this patch adds support for attachments to write_header().

It also fixes a little bug that added the profile keyword if the path 
needed quotes (profile "/foo bar" - but "/foo bar" is enough). This was 
caused by a regex that always matched on quoted paths (hint: "/ matches
^[^/] ;-)

The patch also adds some tests with attachments and updates the test
for the bugfix mentioned above.


Now the remaining part is to make sure that prof_data['attachment'] gets
set when parsing the profiles :-)


[ 17_write_header_add_attachment.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-03-07 00:54:28.593218514 +0100
+++ utils/apparmor/aa.py        2015-03-07 00:58:19.299575047 +0100
@@ -3285,10 +3289,15 @@
 def write_header(prof_data, depth, name, embedded_hat, write_flags):
     pre = '  ' * depth
     data = []
+    unquoted_name = name
     name = quote_if_needed(name)
 
-    if (not embedded_hat and re.search('^[^/]|^"[^/]', name)) or (embedded_hat and re.search('^[^^]', name)):
-        name = 'profile %s' % name
+    attachment = ''
+    if prof_data['attachment']:
+        attachment = ' %s' % quote_if_needed(prof_data['attachment'])
+
+    if (not embedded_hat and re.search('^[^/]', unquoted_name)) or (embedded_hat and re.search('^[^^]', unquoted_name)) or prof_data['attachment']:
+        name = 'profile %s%s' % (name, attachment)
 
     if write_flags and prof_data['flags']:
         data.append('%s%s flags=(%s) {' % (pre, name, prof_data['flags']))
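Review bot: prof_data['attachment'] is read with a plain subscript both in the new "if prof_data['attachment']:" and in the last clause of the profile-keyword condition, while the cover letter says the parser does not set this key yet. If prof_data can be an ordinary dict without that key, write_header() raises KeyError for every parsed profile. Either read the value once with a default (for example prof_data.get('attachment')) and reuse it in both places, or initialise the key wherever prof_data is created before this lands. The same clause also turns an embedded hat named ^foo with an attachment into 'profile ^foo <attachment>'; if that combination is not meant to be written, handle it explicitly instead of letting it fall through.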
=== modified file utils/test/test-aa.py
--- utils/test/test-aa.py       2015-03-07 00:54:28.676213606 +0100
+++ utils/test/test-aa.py       2015-03-07 00:59:34.443131176 +0100
@@ -312,13 +312,19 @@
         # name       embedded_hat    write_flags    depth   flags           attachment      expected
         (['/foo',    False,          True,          1,      'complain',     None        ],  '  /foo flags=(complain) {'),
         (['/foo',    True,           True,          1,      'complain',     None        ],  '  profile /foo flags=(complain) {'),
-        (['/foo sp', False,          False,         2,      'complain',     None        ],  '    profile "/foo sp" {'), # XXX why is the profile keyword added here?
+        (['/foo sp', False,          False,         2,      'complain',     None        ],  '    "/foo sp" {'),
         (['/foo'    ,False,          False,         2,      'complain',     None        ],  '    /foo {'),
         (['/foo',    True,           False,         2,      'complain',     None        ],  '    profile /foo {'),
         (['/foo',    False,          True,          0,      None,           None        ],  '/foo {'),
         (['/foo',    True,           True,          0,      None,           None        ],  'profile /foo {'),
         (['/foo',    False,          False,         0,      None,           None        ],  '/foo {'),
         (['/foo',    True,           False,         0,      None,           None        ],  'profile /foo {'),
+        (['bar',     False,          True,          1,      'complain',     None,       ],  '  profile bar flags=(complain) {'),
+        (['bar',     False,          True,          1,      'complain',     '/foo'      ],  '  profile bar /foo flags=(complain) {'),
+        (['bar',     True,           True,          1,      'complain',     '/foo'      ],  '  profile bar /foo flags=(complain) {'),
+        (['bar baz', False,          True,          1,      None,           '/foo'      ],  '  profile "bar baz" /foo {'),
+        (['bar',     True,           True,          1,      None,           '/foo'      ],  '  profile bar /foo {'),
+        (['bar baz', False,          True,          1,      'complain',     '/foo sp'   ],  '  profile "bar baz" "/foo sp" flags=(complain) {'),
         (['^foo',    False,          True,          1,      'complain',     None        ],  '  profile ^foo flags=(complain) {'),
         (['^foo',    True,           True,          1,      'complain',     None        ],  '  ^foo flags=(complain) {'),
      ]
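Review bot: none of the new cases exercises the added "or prof_data['attachment']" clause on its own. Every attachment test uses the name 'bar' or 'bar baz', which already matches '^[^/]' (and '^[^^]' in the embedded_hat rows), so the tests would still pass if that clause were dropped. Please add a row where only the attachment forces the keyword, such as name '/foo' with embedded_hat False and attachment '/bar', and one for '^foo' with embedded_hat True plus an attachment, so the intended output for a hat with an attachment is pinned down. Minor style point: the first added 'bar' row ends its list with "None,       ]", a trailing comma the other rows do not have.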



Regards,

Christian Boltz
-- 
> And for all the years of being here, I find the two results
> (fake mini-FAQ and etiquette) pretty thin!!!!!!!!
You must be joking. You can always ask for your money back if you don't
like it.       [> toRBEN pOLLmann and Bernd Brodesser in suse-linux]



