[apparmor] [patch] Fix parsing/storing bare file rules

Christian Boltz apparmor at cboltz.de
Tue Oct 27 22:45:11 UTC 2015


We replaced parse_audit_allow() with parse_modifiers() in r2833, but
overlooked that parse_modifiers() returns allow/deny as boolean. This
resulted in storing bare file rules in aa[profile][hat]['path'][False]
instead of aa[profile][hat]['path']['allow'] (or True instead of 'deny'
for 'deny file,' rules), with the user-visible result of losing bare
file rules when saving the profile.

This patch converts the boolean value from parse_modifiers back to a

Note: 2.9 is not affected because the old parse_audit_allow() returns
'allow' or 'deny' as string, not as boolean.

BTW: I noticed this while playing with a more strict profile_storage()
that uses more dict()s instead of a big hasher() monster.

[ 18-fix-bare-file-rule.diff ]

=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-10-23 19:53:08.919616025 +0200
+++ utils/apparmor/aa.py        2015-10-27 23:27:14.835966475 +0100
@@ -2799,8 +2810,12 @@
             if not profile:
                 raise AppArmorException(_('Syntax Error: Unexpected bare file rule found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
-            audit, allow, allow_keyword, comment = parse_modifiers(matches)
+            audit, deny, allow_keyword, comment = parse_modifiers(matches)
             # TODO: honor allow_keyword and comment
+            if deny:
+                allow = 'deny'
+            else:
+                allow = 'allow'
             mode = apparmor.aamode.AA_BARE_FILE_MODE
             if not matches.group('owner'):
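Review bot: the boolean-to-string mapping in the four added lines is correct, but the variable named `allow` now holds either 'allow' or 'deny', which is easy to misread next to the new boolean `deny`; a single line such as `allow = 'deny' if deny else 'allow'` keeps the intent visible and avoids the if/else block. Since the root cause is that r2833 changed the return type of parse_modifiers(), it is worth checking the other call sites of parse_modifiers() for the same boolean-vs-string mismatch before this lands. Also, the hunk header (`-2799` vs `+2810`) indicates the diff was generated on top of other uncommitted changes, so it may need regenerating against trunk to apply cleanly.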


Christian Boltz
Of course you can fell trees with nail scissors, and it is
considerably safer than, say, a chainsaw. Nevertheless,
a saw is the correct tool.      [Ratti in suse-linux]
