[apparmor] [patch] [11/38] FileRule: Handle duplicated exec permissions
Christian Boltz
apparmor at cboltz.de
Fri Aug 12 20:50:07 UTC 2016
Hello,
the parser accepts duplicated execute permissions as long as they don't
conflict. For example,
/bin/foo pxpxpxpx,
is a valid rule.
This patch changes FileRule to also accept those duplicated permissions,
even if it's unlikely to hit them outside of the parser tests ;-)
Also add some tests to make sure the parsing works as expected.
[ 11-FileRule-handle-duplicated-exec-permissions.diff ]
== modified file ./utils/apparmor/rule/file.py
--- utils/apparmor/rule/file.py 2016-02-01 21:31:56.427302903 +0100
+++ utils/apparmor/rule/file.py 2016-02-03 22:05:58.949867394 +0100
@@ -339,12 +398,12 @@
exec_mode = 'x'
perm_string = perm_string[1:]
elif perm_string.startswith(allow_exec_transitions):
- if exec_mode:
+ if exec_mode and exec_mode != perm_string[0:2]:
raise AppArmorException(_('conflicting execute permissions found: %s and %s' % (exec_mode, perm_string[0:2])))
exec_mode = perm_string[0:2]
perm_string = perm_string[2:]
elif perm_string.startswith(allow_exec_fallback_transitions) and not deny:
- if exec_mode:
+ if exec_mode and exec_mode != perm_string[0:3]:
raise AppArmorException(_('conflicting execute permissions found: %s and %s' % (exec_mode, perm_string[0:3])))
exec_mode = perm_string[0:3]
perm_string = perm_string[3:]
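Review bot: The new conditions `exec_mode != perm_string[0:2]` and `exec_mode != perm_string[0:3]` bring each elif branch to three evaluations of the same slice (condition, error message, assignment). Binding the slice once to a local in each branch, for example `new_mode = perm_string[0:2]`, would keep the comparison and the stored value from drifting apart in a later edit. The comparison is an exact, case-sensitive string match, so a repeated `Px` is accepted while `Px` followed by `px` still raises; a one-line comment stating that only identical repeats are tolerated would make the intent clear. Separately, on the two unchanged raise lines the `%` interpolation happens inside `_()`, so the translation lookup is done on the already formatted string; moving the `% (...)` outside the `_()` call would fix that while these lines are being touched.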
--- utils/test/test-file.py 2016-02-01 21:31:56.431302879 +0100
+++ utils/test/test-file.py 2016-02-04 21:48:22.257941682 +0100
@@ -87,6 +87,10 @@
('audit deny r /tmp/foo,' , exp(True, False, True, '', '/tmp/foo', False, {'r'}, False, None, None, True, False, False, True )),
('allow ra /tmp/foo,' , exp(False, True, False, '', '/tmp/foo', False, {'r', 'a'}, False, None, None, True, False, False, True )),
('audit allow ra /tmp/foo,' , exp(True, True, False, '', '/tmp/foo', False, {'r', 'a'}, False, None, None, True, False, False, True )),
+
+ # duplicated (but not conflicting) permissions
+ ('/foo PxPxPxPxrwPx -> bar,' , exp(False, False, False, '', '/foo', False, {'r', 'w'}, False, 'Px', 'bar', False, False, False, False )),
+ ('/foo CixCixrwCix -> bar, ' , exp(False, False, False, '', '/foo', False, {'r', 'w'}, False, 'Cix', 'bar', False, False, False, False )),
]
def _run_test(self, rawrule, expected):
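Review bot: The two added cases only exercise accepted input, with uppercase `Px` and `Cix`; neither covers the lowercase form given in the commit message (`/bin/foo pxpxpxpx,`), and nothing in the visible lines checks that the relaxed condition still rejects real conflicts. Unless the invalid-rule tests elsewhere in this file already do so, add cases asserting that mixed modes such as `PxCx` or `Pxpx` still raise AppArmorException. The second added rule string also ends in a space after the comma (`-> bar, '`); if that is there to test trailing whitespace, a comment saying so would help, otherwise drop it.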
Regards,
Christian Boltz
--
Q: Word? What is that?
A: That is probably the program that was originally supposed to be
called Text. But since it is unsuitable for longer documents, it was
renamed. By now, however, it can already handle 97 words.