[apparmor] [patch] Fix handling of interpreters with parameters
Kshitij Gupta
kgupta8592 at gmail.com
Sun Oct 18 19:11:55 UTC 2015
Hello,
On Sun, Oct 18, 2015 at 8:50 PM, Christian Boltz <apparmor at cboltz.de> wrote:
> Hello,
>
> if a script contains a hashbang like
> #! /usr/bin/perl -w
> aa-autodep created a profile entry like
> "/usr/bin/perl -w" ix,
> which is obviously incorrect.
>
> This patch fixes this (by using only the first part of the hashbang line)
> and also adds some tests for it.
>
> References: https://bugs.launchpad.net/apparmor/+bug/1505775
>
>
> [ 95-fix-handling-interpreters-with-parameters.diff ]
>
> --- utils/apparmor/aa.py 2015-10-18 16:45:00.661993736 +0200
> +++ utils/apparmor/aa.py 2015-10-18 17:07:20.459211068 +0200
> @@ -416,8 +416,9 @@
> if not hashbang.startswith('#!'):
> return None, None
>
> - interpreter = hashbang[2:].strip()
> - interpreter_path = get_full_path(interpreter)
> + # get the interpreter (without parameters)
> + interpreter = hashbang[2:].strip().split()
>
I'd like to call it "interpreter_and_flags_and_parameters_stuff" but could
settle for "interpreter_and_flags".
Or we can make it:
interpreter_path = hashbang[2:].strip().split()[0]
Or
interpreter_and_flags = hashbang[2:].strip().split()
interpreter_path = interpreter_and_flags[0]
This way the name is accurate and we don't have to use interpreter variable
to represent two different things (the other one being below).
+ interpreter_path = get_full_path(interpreter[0])
> interpreter = re.sub('^(/usr)?/bin/', '', interpreter_path)
>
How about we inline it to: interpreter = re.sub('^(/usr)?/bin/', '',
get_full_path(interpreter_and_flags[0]))
> if interpreter in ['bash', 'dash', 'sh']:
> --- utils/test/test-aa.py 2015-10-18 16:45:00.663993620 +0200
> +++ utils/test/test-aa.py 2015-10-18 17:10:34.845932254 +0200
> @@ -105,7 +105,9 @@
> ('#!/bin/dash', ('/bin/dash',
> 'abstractions/bash')),
> ('#!/bin/sh', ('/bin/sh',
> 'abstractions/bash')),
> ('#! /bin/sh ', ('/bin/sh',
> 'abstractions/bash')),
> + ('#! /bin/sh -x ', ('/bin/sh',
> 'abstractions/bash')), # '-x' is not part of the interpreter path
> ('#!/usr/bin/perl', ('/usr/bin/perl',
> 'abstractions/perl')),
> + ('#!/usr/bin/perl -w', ('/usr/bin/perl',
> 'abstractions/perl')), # '-w' is not part of the interpreter path
> ('#!/usr/bin/python', ('/usr/bin/python',
> 'abstractions/python')),
> ('#!/usr/bin/python2', ('/usr/bin/python2',
> 'abstractions/python')),
> ('#!/usr/bin/python2.7', ('/usr/bin/python2.7',
> 'abstractions/python')),
>
> With suggestions considered/incorporated.
Thanks for the patch.
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.
>
> Regards,
>
> Christian Boltz
> --
> We voted and a big majority wanted it this way. So dont blame this on me.
> p.s. Although you can share-blame it on me. I was one of the peepz who
> voted for it ;) [Henne Vogelsang in opensuse-factory]
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
--
Regards,
Kshitij Gupta
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20151019/10211444/attachment.html>
More information about the AppArmor
mailing list