[apparmor] [PATCH 4/4] dconf patch

William Hua william.hua at canonical.com
Thu Jan 14 19:20:22 UTC 2016



Thanks Christian,

In addition, I made a minor change to fix the aa_query_dconf function (just to
account for the size of the buffer with the added AA_CLASS_DCONF byte). I'm also
re-attaching the kernel patch for convenience.



> Some notes about 0004-Add-support-for-dconf-confinement.patch:
> 
>> --- a/parser/parser_lex.l
>> +++ b/parser/parser_lex.l
> 
>> +<DCONF_MODE>{
>> +       r(ead)?                                 { RETURN_TOKEN(TOK_READ); }
>> +       w(rite)?                                { RETURN_TOKEN(TOK_WRITE); }
>> +       (rw|wr)                                 { RETURN_TOKEN(TOK_READWRITE); }
>> +       ({PATHNAME}|{QPATHNAME})        {
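Review bot: the mode keywords this hunk introduces (`r`/`read`, `w`/`write`, `rw`/`wr`) have no matching apparmor.d.pod update anywhere in the quoted series; add the man-page text alongside this hunk so the documented spellings stay in sync with what the lexer accepts. Note also that the lexer only emits tokens here: since `w`/`write` is a standalone token, any decision to reject a write-only dconf rule (or to widen it) has to be enforced in the grammar, not in this rule set.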
> 
> That's much better than the loooong list of possible keywords in the 
> last round. I still wonder if we really need "read" and "write" or if 
> "r" and "w" would be enough ;-)
> 
> (Yes, I know we allow "read" and "write" at other places, but we don't
> need to repeat that error ;-)

Sure, removed so that only r and rw perms are allowed.



>> --- a/parser/parser_yacc.y
>> +++ b/parser/parser_yacc.y
> 
>> +dconf_perm: TOK_READ { $$ = AA_DCONF_READ; }
>> +       | TOK_WRITE { $$ = AA_DCONF_READWRITE; /* writable implies readable */ }
>> +       | TOK_READWRITE { $$ = AA_DCONF_READWRITE; }
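Review bot: the `TOK_WRITE` alternative silently upgrades a write-only rule to `AA_DCONF_READWRITE`, so a profile author who wrote `w` gets read access they never asked for, with nothing in the compiled policy to show the widening happened. Either drop the alternative so the grammar rejects a bare write as a syntax error, or keep it and report an explicit error (via yyerror) that dconf write requires `rw`; if the implicit widening is kept for any reason, the "writable implies readable" comment needs to appear in apparmor.d.pod as well.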
> 
> I still don't like the idea to implicitly grant read permissions if 
> something has write permissions.
> 
> This needs *at least* a very clear note in the documentation (BTW: did
> I overlook the apparmor.d.pod patch?). The more strict and IMHO better
> way would be to error out if only write is allowed in a profile.

Sure, removed the TOK_WRITE perm.



> Also, can you please add a parser/tst/simple_tests/dconf/ directory 
> with some example profiles (some with valid, some with invalid syntax)?

Sure, added just a few examples since the syntax is pretty simple.
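The grammar decision discussed above (whether a bare `w` should silently become read+write, or be rejected) as an added example written for this page; it is not AppArmor's parser code. It assumes a rule shape of `dconf <path> <mode>,` and assumed numeric values for the permission constants, since neither the full rule syntax nor the constant values appear in this message. `strict=False` reproduces the widening in the quoted yacc rule; `strict=True` rejects a write-only rule, which is what a profile author sees from William's final version as well (there `w` is simply not a mode).

```python
import re
from dataclasses import dataclass

# Permission bits. The names AA_DCONF_READ / AA_DCONF_READWRITE come from the
# quoted grammar hunk; the numeric values below are an assumption for this example.
AA_DCONF_READ = 0x1
AA_DCONF_WRITE = 0x2
AA_DCONF_READWRITE = AA_DCONF_READ | AA_DCONF_WRITE


class DconfRuleError(ValueError):
    """Raised for a dconf rule the parser refuses to accept."""


@dataclass(frozen=True)
class DconfRule:
    path: str
    perms: int


# Mode spellings mirroring the quoted flex rules: r(ead)?, w(rite)?, (rw|wr).
# fullmatch() stands in for flex's longest-match, so "rw" is never lexed as "r".
MODE_TOKENS = (
    ("TOK_READWRITE", re.compile(r"rw|wr")),
    ("TOK_READ", re.compile(r"r(ead)?")),
    ("TOK_WRITE", re.compile(r"w(rite)?")),
)

# Assumed rule shape: `dconf <path> <mode>,` with an optionally double-quoted path.
# The real parser's PATHNAME/QPATHNAME definitions are not on the page.
RULE_RE = re.compile(r'^\s*dconf\s+(?P<path>"[^"]*"|[^\s",]+)\s+(?P<mode>[a-z]+)\s*,\s*$')


def lex_mode(word: str) -> str:
    """Lexer stage: map a mode word to its token name, or reject it."""
    for token, pattern in MODE_TOKENS:
        if pattern.fullmatch(word):
            return token
    raise DconfRuleError(f"unknown dconf mode {word!r}")


def mode_to_perms(token: str, strict: bool = True) -> int:
    """Grammar stage: turn a mode token into permission bits.

    strict=False reproduces the quoted yacc rule, where TOK_WRITE is silently
    mapped to AA_DCONF_READWRITE ("writable implies readable").
    strict=True is what the review asked for: a write-only rule is an error,
    so the profile author has to spell out `rw` and see the read grant.
    """
    if token == "TOK_READ":
        return AA_DCONF_READ
    if token == "TOK_READWRITE":
        return AA_DCONF_READWRITE
    if token == "TOK_WRITE":
        if strict:
            raise DconfRuleError("write-only dconf rule not allowed; use 'rw'")
        return AA_DCONF_READWRITE
    raise DconfRuleError(f"unexpected token {token}")


def parse_dconf_rule(line: str, strict: bool = True) -> DconfRule:
    """Parse one rule line into a DconfRule, raising DconfRuleError on bad input."""
    m = RULE_RE.match(line)
    if not m:
        raise DconfRuleError(f"malformed dconf rule: {line.strip()!r}")
    path = m.group("path")
    if path.startswith('"'):
        path = path[1:-1]
    if not path.startswith("/"):
        raise DconfRuleError(f"dconf path must be absolute: {path!r}")
    return DconfRule(path=path, perms=mode_to_perms(lex_mode(m.group("mode")), strict))


def check_profile(lines, strict: bool = True):
    """Parse every dconf rule in a list of profile lines; return (rules, errors)."""
    rules, errors = [], []
    for lineno, line in enumerate(lines, 1):
        if not line.strip().startswith("dconf"):
            continue
        try:
            rules.append(parse_dconf_rule(line, strict))
        except DconfRuleError as exc:
            errors.append((lineno, str(exc)))
    return rules, errors


if __name__ == "__main__":
    # Constructed sample profile fragment for this example, not taken from the page.
    sample = [
        "dconf /org/gnome/desktop/interface/ r,",
        'dconf "/org/gnome/terminal/legacy/" rw,',
        "dconf /org/example/app/ w,",      # write-only: rejected in strict mode
        "dconf /org/example/app/ x,",      # unknown mode: always rejected
    ]
    for strict in (False, True):
        rules, errors = check_profile(sample, strict)
        print(f"strict={strict}: {len(rules)} rules, {len(errors)} errors")
        for lineno, msg in errors:
            print(f"  line {lineno}: {msg}")
```

The split between `lex_mode` and `mode_to_perms` is deliberate: it mirrors the flex/yacc division in the quoted hunks, where the lexer can only say "this is a write token" and the grammar is the place that decides whether a write-only rule is an error or a silent widening.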
Attachments (scrubbed by the list archiver; name, type, size and archive URL as listed):

0001-apparmor-add-data-query-support.patch.sig (application/pgp-signature, 543 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0005.pgp>
0001-apparmor-add-data-query-support.patch (text/x-patch, 10748 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0005.bin>
0001-Split-aa_query_label-into-a-base-aa_query_cmd-and-it.patch.sig (application/pgp-signature, 543 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0006.pgp>
0001-Split-aa_query_label-into-a-base-aa_query_cmd-and-it.patch (text/x-patch, 8523 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0006.bin>
0002-Add-base-function-to-query-generic-label-data-under-.patch.sig (application/pgp-signature, 543 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0007.pgp>
0002-Add-base-function-to-query-generic-label-data-under-.patch (text/x-patch, 7808 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0007.bin>
0003-Make-some-parameters-of-parser-interface-constant.patch.sig (application/pgp-signature, 543 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0008.pgp>
0003-Make-some-parameters-of-parser-interface-constant.patch (text/x-patch, 1610 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0008.bin>
0004-Add-support-for-dconf-confinement.patch.sig (application/pgp-signature, 543 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0009.pgp>
0004-Add-support-for-dconf-confinement.patch (text/x-patch, 39653 bytes)
  <https://lists.ubuntu.com/archives/apparmor/attachments/20160114/803dfad0/attachment-0009.bin>