[apparmor] [patch] Fix handling of interpreters with parameters

Christian Boltz apparmor at cboltz.de
Sun Oct 18 15:20:06 UTC 2015 

Hello,

if a script contains a hashbang like
    #! /usr/bin/perl -w
aa-autodep created a profile entry like
    "/usr/bin/perl -w" ix,
which is obviously incorrect.

This patch fixes this (by using only the first part of the hashbang line)
and also adds some tests for it.

References: https://bugs.launchpad.net/apparmor/+bug/1505775


[ 95-fix-handling-interpreters-with-parameters.diff ]

--- utils/apparmor/aa.py        2015-10-18 16:45:00.661993736 +0200
+++ utils/apparmor/aa.py        2015-10-18 17:07:20.459211068 +0200
@@ -416,8 +416,9 @@
     if not hashbang.startswith('#!'):
         return None, None
 
-    interpreter = hashbang[2:].strip()
-    interpreter_path = get_full_path(interpreter)
+    # get the interpreter (without parameters)
+    interpreter = hashbang[2:].strip().split()
+    interpreter_path = get_full_path(interpreter[0])
     interpreter = re.sub('^(/usr)?/bin/', '', interpreter_path)
 
     if interpreter in ['bash', 'dash', 'sh']:
--- utils/test/test-aa.py       2015-10-18 16:45:00.663993620 +0200
+++ utils/test/test-aa.py       2015-10-18 17:10:34.845932254 +0200
@@ -105,7 +105,9 @@
         ('#!/bin/dash',             ('/bin/dash',           'abstractions/bash')),
         ('#!/bin/sh',               ('/bin/sh',             'abstractions/bash')),
         ('#!  /bin/sh  ',           ('/bin/sh',             'abstractions/bash')),
+        ('#!  /bin/sh  -x ',        ('/bin/sh',             'abstractions/bash')),  # '-x' is not part of the interpreter path
         ('#!/usr/bin/perl',         ('/usr/bin/perl',       'abstractions/perl')),
+        ('#!/usr/bin/perl -w',      ('/usr/bin/perl',       'abstractions/perl')),  # '-w' is not part of the interpreter path
         ('#!/usr/bin/python',       ('/usr/bin/python',     'abstractions/python')),
         ('#!/usr/bin/python2',      ('/usr/bin/python2',    'abstractions/python')),
         ('#!/usr/bin/python2.7',    ('/usr/bin/python2.7',  'abstractions/python')),


Regards,

Christian Boltz
-- 
We voted and a big majority wanted it this way. So dont blame this on me.
p.s. Although you can share-blame it on me. I was one of the peepz who
voted for it ;)   [Henne Vogelsang in opensuse-factory]

More information about the AppArmor mailing list