[apparmor] [patch] [06/38] Add FileRule and FileRuleset
Christian Boltz
apparmor at cboltz.de
Thu Sep 29 19:08:36 UTC 2016
Hello,
On Friday, 12 August 2016, 22:47:07 CEST, Christian Boltz wrote:
> +def split_perms(perm_string, deny):
> + '''parse permission string
> + - perm_string: the permission string to parse
> + - deny: True if this is a deny rule
> + '''
> + perms = set()
> + exec_mode = None
> +
> + while perm_string:
> + if perm_string[0] in file_permissions:
> + perms.add(perm_string[0])
> + perm_string = perm_string[1:]
> + elif perm_string[0] == 'x':
> + if not deny:
> + raise AppArmorException(_("'x' must be preceded by an exec qualifier (i, P, C or U)"))
> + exec_mode = 'x'
> + perm_string = perm_string[1:]
> + elif perm_string.startswith(allow_exec_transitions):
> + if exec_mode:
> + raise AppArmorException(_('conflicting execute permissions found: %s and %s' % (exec_mode, perm_string[0:2])))
> + exec_mode = perm_string[0:2]
> + perm_string = perm_string[2:]
> + elif perm_string.startswith(allow_exec_fallback_transitions) and not deny:
I'd like to change this to
+ elif perm_string.startswith(allow_exec_fallback_transitions):
(= drop the "and not deny" part) for two reasons:
- to get it in sync with the allow_exec_transitions check
- to get a better error message - with the "and not deny" in place, a
"deny /foo pix," rule will result in hitting the else branch ("unknown
character"). Without the "and not deny" check, __init__ will do the
error checking and come up with a more helpful error message.
Opinions? Acks? Objections? ;-)
> + if exec_mode:
> + raise AppArmorException(_('conflicting execute permissions found: %s and %s' % (exec_mode, perm_string[0:3])))
> + exec_mode = perm_string[0:3]
> + perm_string = perm_string[3:]
> + else:
> + raise AppArmorException(_('permission contains unknown character(s) %s' % perm_string))
> +
> + return perms, exec_mode
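Review bot: the three `raise AppArmorException(_('...' % (...)))` calls (the two "conflicting execute permissions found" raises and the "unknown character(s)" raise) apply the `%` substitution before `_()` looks the string up, so the catalog is queried with the already-filled-in message and the translation is never found; the first raise in the function ("'x' must be preceded by ...") has the right shape, so write `_('conflicting execute permissions found: %s and %s') % (exec_mode, perm_string[0:2])` and the same for the other two. Also, the bare-'x' branch sets `exec_mode = 'x'` without the `if exec_mode:` conflict check the two transition branches have, so a deny permission such as `xx` or `ixx` silently overwrites the earlier exec mode instead of raising the conflict error. The docstring could state the return value as well (a tuple of the permission set and the exec mode, or None).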
Regards,
Christian Boltz
--
If it works with sysvinit, then systemd drops its trousers once again.
Unfortunately that happens to it quite often. I find that indecent
myself. ;) [Lars Müller in opensuse-de]
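Taking the proposed change with the "and not deny" dropped, here is an added stand-alone example (editor's code, not the AppArmor project's FileRule code or the patch itself) showing how the permission-string parser and the follow-up check then fit together. The tables FILE_PERMISSIONS, ALLOW_EXEC_TRANSITIONS and ALLOW_EXEC_FALLBACK_TRANSITIONS are assumed values for this example, since the excerpt does not show the project's definitions, and check_exec_mode is a hypothetical stand-in for whatever error checking __init__ performs. The example also carries the conflict check into the bare-'x' branch, and uses plain strings where the patch uses _().

```python
# Added example, not part of the AppArmor patch or project code: a stand-alone
# version of the permission-string parser discussed in the thread, with the
# proposed change applied (no "and not deny" on the fallback-transition
# branch), plus a separate check standing in for the error checking that
# __init__ is said to do. The permission tables are assumptions.

class AppArmorException(Exception):
    pass


# Assumed tables; the patch excerpt does not show the project's definitions.
FILE_PERMISSIONS = frozenset('mrwalk')
ALLOW_EXEC_TRANSITIONS = ('ix', 'px', 'Px', 'cx', 'Cx', 'ux', 'Ux')
ALLOW_EXEC_FALLBACK_TRANSITIONS = ('pix', 'Pix', 'cix', 'Cix',
                                   'pux', 'Pux', 'cux', 'Cux')


def split_perms(perm_string, deny):
    '''Split a permission string into (set of file perms, exec mode or None).

    Only the shape of the string is checked here. Whether the exec mode is
    allowed in a deny rule is left to check_exec_mode(), as in the thread.
    '''
    perms = set()
    exec_mode = None

    while perm_string:
        if perm_string[0] in FILE_PERMISSIONS:
            perms.add(perm_string[0])
            perm_string = perm_string[1:]
        elif perm_string[0] == 'x':
            # A bare 'x' is only valid in deny rules.
            if not deny:
                raise AppArmorException(
                    "'x' must be preceded by an exec qualifier (i, P, C or U)")
            if exec_mode:
                raise AppArmorException(
                    'conflicting execute permissions found: %s and %s'
                    % (exec_mode, 'x'))
            exec_mode = 'x'
            perm_string = perm_string[1:]
        elif perm_string.startswith(ALLOW_EXEC_TRANSITIONS):
            if exec_mode:
                raise AppArmorException(
                    'conflicting execute permissions found: %s and %s'
                    % (exec_mode, perm_string[0:2]))
            exec_mode = perm_string[0:2]
            perm_string = perm_string[2:]
        elif perm_string.startswith(ALLOW_EXEC_FALLBACK_TRANSITIONS):
            # No "and not deny" here: a deny rule with 'pix' is parsed and
            # rejected later with a specific message, not "unknown character".
            if exec_mode:
                raise AppArmorException(
                    'conflicting execute permissions found: %s and %s'
                    % (exec_mode, perm_string[0:3]))
            exec_mode = perm_string[0:3]
            perm_string = perm_string[3:]
        else:
            raise AppArmorException(
                'permission contains unknown character(s) %s' % perm_string)

    return perms, exec_mode


def check_exec_mode(exec_mode, deny):
    '''Hypothetical stand-in for the __init__ check mentioned in the thread:
    a deny rule may carry a bare 'x' but no exec transition (assumed rule).'''
    if deny and exec_mode not in (None, 'x'):
        raise AppArmorException(
            "deny rules must use plain 'x', not the exec transition %s"
            % exec_mode)


def parse_perms(perm_string, deny):
    '''Parse and validate; returns (perms, exec_mode) or raises.'''
    perms, exec_mode = split_perms(perm_string, deny)
    check_exec_mode(exec_mode, deny)
    return perms, exec_mode


def parse_error(perm_string, deny):
    '''Return the error message for a bad permission string, or None.'''
    try:
        parse_perms(perm_string, deny)
    except AppArmorException as e:
        return str(e)
    return None


if __name__ == '__main__':
    # Constructed sample rules, including the "deny /foo pix," case from the thread.
    for perm_string, deny in [('rw', False), ('rwix', False), ('Pix', False),
                              ('x', True), ('pix', True), ('xx', True),
                              ('ixPx', False), ('rq', False)]:
        rule = ('deny ' if deny else '') + '/foo %s,' % perm_string
        err = parse_error(perm_string, deny)
        print('%-16s %s' % (rule, err or parse_perms(perm_string, deny)))
```

With the fallback branch no longer conditioned on deny, "deny /foo pix," reaches check_exec_mode and is rejected with a message naming the offending transition, while the "unknown character(s)" error is reserved for strings that really contain characters the grammar does not know.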