[apparmor] [patch] Fix parsing/storing bare file rules

Kshitij Gupta kgupta8592 at gmail.com
Wed Nov 18 20:16:05 UTC 2015


On Wed, Oct 28, 2015 at 4:15 AM, Christian Boltz <apparmor at cboltz.de> wrote:

> Hello,
>
> we replaced parse_audit_allow() with parse_modifiers() in r2833, but
> overlooked that parse_modifiers() returns allow/deny as boolean. This
> resulted in storing bare file rules in aa[profile][hat]['path'][False]
> instead of aa[profile][hat]['path']['allow'] (or True instead of 'deny'
> for 'deny file,' rules), with the user-visible result of losing bare
> file rules when saving the profile.
>
> This patch converts the boolean value from parse_modifiers back to a
> string.
>
> Note: 2.9 is not affected because the old parse_audit_allow() returns
> 'allow' or 'deny' as string, not as boolean.
>
> BTW: I noticed this while playing with a more strict profile_storage()
> that uses more dict()s instead of a big hasher() monster.
>
*stricter* profile_storage() sounds rather nice and useful.


>
>
>
> [ 18-fix-bare-file-rule.diff ]
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-10-23 19:53:08.919616025 +0200
> +++ utils/apparmor/aa.py        2015-10-27 23:27:14.835966475 +0100
> @@ -2799,8 +2810,12 @@
>              if not profile:
>                  raise AppArmorException(_('Syntax Error: Unexpected bare
> file rule found in file: %(file)s line: %(line)s') % { 'file': file,
> 'line': lineno + 1 })
>
> -            audit, allow, allow_keyword, comment =
> parse_modifiers(matches)
> +            audit, deny, allow_keyword, comment = parse_modifiers(matches)
>              # TODO: honor allow_keyword and comment
> +            if deny:
> +                allow = 'deny'
>
I know we have this sort of thing at multiple places (I'll take that blame)
but it still is hilarious. It's basically "if False: true = False"

> +            else:
> +                allow = 'allow'
>
Nice catch BTW.

Thanks for the patch.

Acked-by: Kshitij Gupta <kgupta8592 at gmail.com> for trunk and 2.10


>              mode = apparmor.aamode.AA_BARE_FILE_MODE
>              if not matches.group('owner'):
>
>
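
Review bot: in the added `if deny:` / `else:` block, the local `allow` ends up holding the string 'allow' or 'deny' while `deny` holds the boolean, so the two names invite the same bool/string mix-up the commit message describes. A single conditional expression assigned to a name that says it is a storage key would read more clearly, and since the reply notes the same conversion exists at multiple places, it could live in one shared helper. The patch as shown touches only utils/apparmor/aa.py; a test that a bare `file,` rule and a `deny file,` rule survive parsing and saving would guard against this regression returning.
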
> Regards,
>
> Christian Boltz
> --
> Of course you can fell trees with nail scissors, and it is
> considerably safer than, let's say, a chainsaw. Nevertheless,
> a saw is the correct tool.      [Ratti in suse-linux]
>
>



-- 
Regards,

Kshitij Gupta
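
The failure mode described in the quoted message, as an added example that is not part of the thread or of aa.py: a boolean used as the key of an autovivifying dict is accepted silently, and a writer that reads only the 'allow'/'deny' keys then drops the rule. `hasher`, `serialize`, `StrictPaths` and the storage layout are constructed stand-ins, assumptions rather than the project's code.

```python
from collections import defaultdict

def hasher():
    """Stand-in for an autovivifying nested dict (assumption, not the project's hasher())."""
    return defaultdict(hasher)

ALLOW_KEYS = ('allow', 'deny')  # string keys named in the thread

def modifier_key(deny):
    """Convert the boolean deny flag into the storage key, as the patch does."""
    return 'deny' if deny else 'allow'

def store_bare_file_rule(paths, key, audit=False):
    """Record a bare 'file,' rule under paths[key] (constructed layout)."""
    paths[key]['file']['audit'] = audit

def serialize(paths):
    """Hypothetical writer: emits only rules stored under 'allow'/'deny'."""
    lines = []
    for key in ALLOW_KEYS:
        for rule, data in paths.get(key, {}).items():
            prefix = 'audit ' if data['audit'] else ''
            prefix += 'deny ' if key == 'deny' else ''
            lines.append(prefix + rule + ',')
    return lines

class StrictPaths(dict):
    """Fixed-key storage: any key other than 'allow'/'deny' fails loudly."""
    def __init__(self):
        super().__init__((k, hasher()) for k in ALLOW_KEYS)

    def __missing__(self, key):
        raise KeyError('invalid rule-type key: %r' % (key,))

def demo():
    buggy = hasher()
    store_bare_file_rule(buggy, True)                # boolean used as key: accepted silently
    fixed = hasher()
    store_bare_file_rule(fixed, modifier_key(True))  # string key, as after the patch
    strict = StrictPaths()
    try:
        store_bare_file_rule(strict, True)           # strict storage refuses the boolean
        rejected = False
    except KeyError:
        rejected = True
    return serialize(buggy), serialize(fixed), rejected

if __name__ == '__main__':
    print(demo())
```

With the boolean key the saved output has no `deny file,` line at all, which for a deny rule means the written profile is more permissive than the one that was parsed.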