[apparmor] [PATCH 01/10] Fix compilation failure of deny link rules
Steve Beattie
steve at nxnw.org
Fri Mar 20 17:21:53 UTC 2015
On Fri, Mar 20, 2015 at 05:02:25AM -0700, John Johansen wrote:
> BugLink: http://bugs.launchpad.net/bugs/1433829
>
> The apparmor_parser fails to compile deny rules with only link permissions.
>
> E.g.
> deny /f l,
> deny l /f,
> deny link /f -> /d,
>
> Will all fail to compile with the following assert
>
> apparmor_parser: aare_rules.cc:99: Node* convert_file_perms(int, uint32_t, uint32_t, bool): Assertion `perms != 0' failed.
>
> NOTE: this is a minimal patch; a bigger patch that cleans up, separates
> and reorganizes file, link, exec, and change_profile rules is needed.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
This took me too long to think about, but
Acked-by: Steve Beattie <steve at nxnw.org> for trunk and 2.9.
Thanks.
> ---
> parser/parser_regex.c | 9 +++++++--
> parser/tst/simple_tests/file/ok_audit_deny_link.sd | 9 +++++++++
> parser/tst/simple_tests/file/ok_deny_link.sd | 9 +++++++++
> 3 files changed, 25 insertions(+), 2 deletions(-)
> create mode 100644 parser/tst/simple_tests/file/ok_audit_deny_link.sd
> create mode 100644 parser/tst/simple_tests/file/ok_deny_link.sd
>
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index 45f7f3e..96f377a 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -522,9 +522,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
> * out by a deny rule, as both pieces of the link pair must
> * match. audit info for the link is carried on the second
> * entry of the pair
> + *
> + * So if a deny rule only record it if there are permissions other
> + * than link in the entry.
> + * TODO: split link and change_profile entries earlier
> */
> - if (entry->deny && (entry->mode & AA_LINK_BITS)) {
> - if (!dfarules->add_rule(tbuf.c_str(), entry->deny,
> + if (entry->deny) {
> + if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) &&
> + !dfarules->add_rule(tbuf.c_str(), entry->deny,
> entry->mode & ~AA_LINK_BITS,
> entry->audit & ~AA_LINK_BITS, dfaflags))
> return FALSE;
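Review bot: the two masks in the new branch disagree: the guard tests `entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)`, but the permissions handed to `add_rule` (and the audit bits) are still masked with `~AA_LINK_BITS` only, so a deny entry that carries change_profile alongside other permissions has its change_profile bit passed into the rule while a change_profile-only entry is skipped. Either apply the same `~(AA_LINK_BITS | AA_CHANGE_PROFILE)` mask to the `entry->mode` and `entry->audit` arguments, or say in the comment why change_profile is filtered only in the guard. The new comment text also reads awkwardly ("So if a deny rule only record it if ..."); suggest "So for a deny rule, only record it if there are permissions other than link in the entry."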
> diff --git a/parser/tst/simple_tests/file/ok_audit_deny_link.sd b/parser/tst/simple_tests/file/ok_audit_deny_link.sd
> new file mode 100644
> index 0000000..393f906
> --- /dev/null
> +++ b/parser/tst/simple_tests/file/ok_audit_deny_link.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION simple link access test
> +#=EXRESULT PASS
> +#
> +
> +profile test {
> + audit deny link /alpha/beta -> /tmp/**,
> +}
> +
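Review bot: the `#=DESCRIPTION simple link access test` line does not say what this file guards against and is the same text used for the non-audit sibling; since the regression is a deny rule whose only permission is link, suggest `#=DESCRIPTION audit deny rule with only link permissions` so a future failure points at the bug. The final `+` line adds a trailing blank line to the new file, which the other simple_tests do not need.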
> diff --git a/parser/tst/simple_tests/file/ok_deny_link.sd b/parser/tst/simple_tests/file/ok_deny_link.sd
> new file mode 100644
> index 0000000..fe0684c
> --- /dev/null
> +++ b/parser/tst/simple_tests/file/ok_deny_link.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION simple link access test
> +#=EXRESULT PASS
> +#
> +
> +profile test {
> + deny link /alpha/beta -> /tmp/**,
> +}
> +
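Review bot: the commit message lists `deny /f l,` and `deny l /f,` as inputs that trip the same `perms != 0` assertion, but both new tests exercise only the `deny link /alpha/beta -> /tmp/**,` keyword form; adding a case for the bare `l` permission (with and without audit) would cover the other two reported inputs through `process_dfa_entry`. As in the audit variant, a description naming the case, e.g. `#=DESCRIPTION deny rule with only link permissions`, would be more useful than the duplicated "simple link access test".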
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/