[apparmor] [patch] Fix handling of interpreters with parameters

Kshitij Gupta kgupta8592 at gmail.com
Sun Oct 18 19:11:55 UTC 2015


Hello,

On Sun, Oct 18, 2015 at 8:50 PM, Christian Boltz <apparmor at cboltz.de> wrote:

> Hello,
>
> if a script contains a hashbang like
>     #! /usr/bin/perl -w
> aa-autodep created a profile entry like
>     "/usr/bin/perl -w" ix,
> which is obviously incorrect.
>
> This patch fixes this (by using only the first part of the hashbang line)
> and also adds some tests for it.
>
> References: https://bugs.launchpad.net/apparmor/+bug/1505775
>
>
> [ 95-fix-handling-interpreters-with-parameters.diff ]
>
> --- utils/apparmor/aa.py        2015-10-18 16:45:00.661993736 +0200
> +++ utils/apparmor/aa.py        2015-10-18 17:07:20.459211068 +0200
> @@ -416,8 +416,9 @@
>      if not hashbang.startswith('#!'):
>          return None, None
>
> -    interpreter = hashbang[2:].strip()
> -    interpreter_path = get_full_path(interpreter)
> +    # get the interpreter (without parameters)
> +    interpreter = hashbang[2:].strip().split()
>
I'd like to call it "interpreter_and_flags_and_parameters_stuff" but could
settle for "interpreter_and_flags".
Or we can make it:
interpreter_path = hashbang[2:].strip().split()[0]

Or
interpreter_and_flags = hashbang[2:].strip().split()
interpreter_path = interpreter_and_flags[0]

This way the name is accurate and we don't have to use the interpreter variable
to represent two different things (the other one being below).

+    interpreter_path = get_full_path(interpreter[0])
>      interpreter = re.sub('^(/usr)?/bin/', '', interpreter_path)
>
How about we inline it to: interpreter = re.sub('^(/usr)?/bin/', '',
get_full_path(interpreter_and_flags[0]))


>      if interpreter in ['bash', 'dash', 'sh']:
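
Review bot: `interpreter[0]` in the added `get_full_path(interpreter[0])` line is indexed without checking that the list is non-empty. A line consisting only of `#!` (optionally followed by whitespace) passes the `startswith('#!')` check, `hashbang[2:].strip().split()` then returns `[]`, and the index raises IndexError. Suggest testing the split result and returning `None, None` when it is empty, as the non-hashbang case just above already does.
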
> --- utils/test/test-aa.py       2015-10-18 16:45:00.663993620 +0200
> +++ utils/test/test-aa.py       2015-10-18 17:10:34.845932254 +0200
> @@ -105,7 +105,9 @@
>          ('#!/bin/dash',             ('/bin/dash',
>  'abstractions/bash')),
>          ('#!/bin/sh',               ('/bin/sh',
>  'abstractions/bash')),
>          ('#!  /bin/sh  ',           ('/bin/sh',
>  'abstractions/bash')),
> +        ('#!  /bin/sh  -x ',        ('/bin/sh',
>  'abstractions/bash')),  # '-x' is not part of the interpreter path
>          ('#!/usr/bin/perl',         ('/usr/bin/perl',
>  'abstractions/perl')),
> +        ('#!/usr/bin/perl -w',      ('/usr/bin/perl',
>  'abstractions/perl')),  # '-w' is not part of the interpreter path
>          ('#!/usr/bin/python',       ('/usr/bin/python',
>  'abstractions/python')),
>          ('#!/usr/bin/python2',      ('/usr/bin/python2',
> 'abstractions/python')),
>          ('#!/usr/bin/python2.7',    ('/usr/bin/python2.7',
> 'abstractions/python')),
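
Review bot: the two added cases each cover a single flag after the interpreter path, but the table has no case for a line with nothing after `#!`, where the new `split()` result is empty, and none with more than one parameter. Suggest adding both. A case such as `#!/usr/bin/env perl` would also be worth adding, since only the first token is now used as the interpreter path and the test table is the natural place to record what result is intended there.
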
>
> With suggestions considered/incorporated.

Thanks for the patch.

Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.

>
> Regards,
>
> Christian Boltz
> --
> We voted and a big majority wanted it this way. So dont blame this on me.
> p.s. Although you can share-blame it on me. I was one of the peepz who
> voted for it ;)   [Henne Vogelsang in opensuse-factory]

-- 
Regards,

Kshitij Gupta