[apparmor] [patch] Fix handling of interpreters with parameters
Christian Boltz
apparmor at cboltz.de
Sun Oct 18 15:20:06 UTC 2015
Hello,
if a script contains a hashbang like
#! /usr/bin/perl -w
aa-autodep created a profile entry like
"/usr/bin/perl -w" ix,
which is obviously incorrect.
This patch fixes this (by using only the first part of the hashbang line)
and also adds some tests for it.
References: https://bugs.launchpad.net/apparmor/+bug/1505775
[ 95-fix-handling-interpreters-with-parameters.diff ]
--- utils/apparmor/aa.py 2015-10-18 16:45:00.661993736 +0200
+++ utils/apparmor/aa.py 2015-10-18 17:07:20.459211068 +0200
@@ -416,8 +416,9 @@
if not hashbang.startswith('#!'):
return None, None
- interpreter = hashbang[2:].strip()
- interpreter_path = get_full_path(interpreter)
+ # get the interpreter (without parameters)
+ interpreter = hashbang[2:].strip().split()
+ interpreter_path = get_full_path(interpreter[0])
interpreter = re.sub('^(/usr)?/bin/', '', interpreter_path)
if interpreter in ['bash', 'dash', 'sh']:
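Review bot: `interpreter[0]` in the added `get_full_path(interpreter[0])` line raises IndexError when the hashbang is only `#!` (or `#!` followed by nothing but whitespace), because `.strip().split()` returns an empty list in that case. A guard such as `if not interpreter: return None, None` before the indexing would match the early return already used for the `startswith('#!')` check above. As a smaller style point, `interpreter` holds the split list here and is rebound to the `re.sub` string two lines later; a separate name for the list would make the flow easier to read.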
--- utils/test/test-aa.py 2015-10-18 16:45:00.663993620 +0200
+++ utils/test/test-aa.py 2015-10-18 17:10:34.845932254 +0200
@@ -105,7 +105,9 @@
('#!/bin/dash', ('/bin/dash', 'abstractions/bash')),
('#!/bin/sh', ('/bin/sh', 'abstractions/bash')),
('#! /bin/sh ', ('/bin/sh', 'abstractions/bash')),
+ ('#! /bin/sh -x ', ('/bin/sh', 'abstractions/bash')), # '-x' is not part of the interpreter path
('#!/usr/bin/perl', ('/usr/bin/perl', 'abstractions/perl')),
+ ('#!/usr/bin/perl -w', ('/usr/bin/perl', 'abstractions/perl')), # '-w' is not part of the interpreter path
('#!/usr/bin/python', ('/usr/bin/python', 'abstractions/python')),
('#!/usr/bin/python2', ('/usr/bin/python2', 'abstractions/python')),
('#!/usr/bin/python2.7', ('/usr/bin/python2.7', 'abstractions/python')),
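Review bot: the two added cases ('#! /bin/sh -x ' and '#!/usr/bin/perl -w') each cover a single option separated by one space, and no case in this hunk exercises a hashbang with no interpreter at all ('#!' alone), which is the input the new `interpreter[0]` indexing in aa.py is sensitive to. Adding that case with its expected result, plus one with several options or a tab after the interpreter path, would pin down the behaviour of the `split()` change.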
Regards,
Christian Boltz
--
We voted and a big majority wanted it this way. So don't blame this on me.
p.s. Although you can share-blame it on me. I was one of the peepz who
voted for it ;) [Henne Vogelsang in opensuse-factory]