[apparmor] [patch] [06/38] Add FileRule and FileRuleset

Christian Boltz apparmor at cboltz.de
Thu Sep 29 19:08:36 UTC 2016


Hello,

On Friday, 12 August 2016, 22:47:07 CEST, Christian Boltz wrote:
> +def split_perms(perm_string, deny):
> +    '''parse permission string
> +       - perm_string: the permission string to parse
> +       - deny: True if this is a deny rule
> +   '''
> +    perms = set()
> +    exec_mode = None
> +
> +    while perm_string:
> +        if perm_string[0] in file_permissions:
> +            perms.add(perm_string[0])
> +            perm_string = perm_string[1:]
> +        elif perm_string[0] == 'x':
> +            if not deny:
> +                raise AppArmorException(_("'x' must be preceded by an exec qualifier (i, P, C or U)")) 
> +            exec_mode = 'x'
> +            perm_string = perm_string[1:]
> +        elif perm_string.startswith(allow_exec_transitions):
> +            if exec_mode:
> +                raise AppArmorException(_('conflicting execute permissions found: %s and %s' % (exec_mode, perm_string[0:2]))) 
> +            exec_mode = perm_string[0:2]
> +            perm_string = perm_string[2:]
> +        elif perm_string.startswith(allow_exec_fallback_transitions) and not deny:

I'd like to change this to

+        elif perm_string.startswith(allow_exec_fallback_transitions):

(= drop the "and not deny" part) for two reasons:
- to get it in sync with the allow_exec_transitions check
- to get a better error message - with the "and not deny" in place, a 
  "deny /foo pix," rule will result in hitting the else branch ("unknown
  character"). Without the "and not deny" check, __init__ will do the 
  error checking and come up with a more helpful error message.


Opinions? Acks? Objections? ;-)

> +            if exec_mode:
> +                raise AppArmorException(_('conflicting execute permissions found: %s and %s' % (exec_mode, perm_string[0:3])))
> +            exec_mode = perm_string[0:3]
> +            perm_string = perm_string[3:]
> +        else:
> +            raise AppArmorException(_('permission contains unknown character(s) %s' % perm_string)) 
> +
> +    return perms, exec_mode
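Review bot: the bare 'x' branch (`elif perm_string[0] == 'x':`) assigns `exec_mode = 'x'` without the `if exec_mode:` conflict check that the two-character and three-character exec branches carry, so a deny rule whose permissions are `ixx` silently replaces 'ix' with 'x' while `xix` is rejected as conflicting; add the same `if exec_mode: raise AppArmorException(...)` before the assignment. Separately, the three messages built as `_('... %s and %s' % (...))` pass the already-formatted string to `_()`, so the gettext lookup is done on a string that is not in the catalogue; it should be `_('... %s and %s') % (...)` so the template is translated before substitution.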



Regards,

Christian Boltz
-- 
If it works with sysvinit, then systemd is dropping its pants again.
Unfortunately that happens to it quite often. I find that
indecent. ;)  [Lars Müller in opensuse-de]
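To make the effect of the proposed change visible, here is an added, stand-alone example (not the AppArmor project's code and not part of the posted patch): a reimplementation of split_perms() with a switch that toggles the "and not deny" condition, plus a hypothetical check_deny_exec() standing in for the follow-up validation the reply says __init__ performs. The contents of file_permissions, allow_exec_transitions and allow_exec_fallback_transitions, the deny-rule check and its message are assumptions, since the patch references those names without showing them. Unlike the posted code, the bare 'x' branch here also rejects a conflicting exec mode.

```python
# Added example, not the AppArmor project's code: a stand-alone version of the
# split_perms() parser from the posted patch, with a switch that toggles the
# "and not deny" condition so both behaviours can be compared. The permission
# tables and the deny-rule check in check_deny_exec() are assumptions about
# the real project, not taken from the patch.

class AppArmorException(Exception):
    """Stand-in for the project's AppArmorException (assumption)."""


# Assumed tables (the patch references these names but does not show them).
file_permissions = ('r', 'w', 'a', 'l', 'k', 'm')
allow_exec_transitions = ('ix', 'ux', 'Ux', 'px', 'Px', 'cx', 'Cx')
allow_exec_fallback_transitions = ('pix', 'Pix', 'cix', 'Cix',
                                   'pux', 'Pux', 'cux', 'Cux')


def split_perms(perm_string, deny, fallback_requires_allow=False):
    """Parse a file permission string into (perms, exec_mode).

    fallback_requires_allow=True keeps the "and not deny" condition from the
    posted patch; False is the behaviour proposed in the reply.
    """
    perms = set()
    exec_mode = None

    while perm_string:
        if perm_string[0] in file_permissions:
            perms.add(perm_string[0])
            perm_string = perm_string[1:]
        elif perm_string[0] == 'x':
            # A bare 'x' is only meaningful in deny rules.
            if not deny:
                raise AppArmorException(
                    "'x' must be preceded by an exec qualifier (i, P, C or U)")
            if exec_mode:
                raise AppArmorException(
                    'conflicting execute permissions found: %s and %s'
                    % (exec_mode, 'x'))
            exec_mode = 'x'
            perm_string = perm_string[1:]
        elif perm_string.startswith(allow_exec_transitions):
            if exec_mode:
                raise AppArmorException(
                    'conflicting execute permissions found: %s and %s'
                    % (exec_mode, perm_string[0:2]))
            exec_mode = perm_string[0:2]
            perm_string = perm_string[2:]
        elif (perm_string.startswith(allow_exec_fallback_transitions)
              and not (fallback_requires_allow and deny)):
            if exec_mode:
                raise AppArmorException(
                    'conflicting execute permissions found: %s and %s'
                    % (exec_mode, perm_string[0:3]))
            exec_mode = perm_string[0:3]
            perm_string = perm_string[3:]
        else:
            raise AppArmorException(
                'permission contains unknown character(s) %s' % perm_string)

    return perms, exec_mode


def check_deny_exec(exec_mode, deny):
    """Hypothetical stand-in for the validation the reply attributes to
    FileRule.__init__: a fallback transition makes no sense in a deny rule."""
    if deny and exec_mode in allow_exec_fallback_transitions:
        raise AppArmorException(
            'exec mode %s is not allowed in deny rules' % exec_mode)


def parse_rule_perms(perm_string, deny, fallback_requires_allow=False):
    """Run the parser and the follow-up check; return ('ok', perms, exec_mode)
    or ('error', message) so the two behaviours can be compared directly."""
    try:
        perms, exec_mode = split_perms(perm_string, deny, fallback_requires_allow)
        check_deny_exec(exec_mode, deny)
        return ('ok', perms, exec_mode)
    except AppArmorException as e:
        return ('error', str(e))


if __name__ == '__main__':
    # The "deny /foo pix," case from the reply: only the error message differs.
    print(parse_rule_perms('pix', deny=True, fallback_requires_allow=True))
    print(parse_rule_perms('pix', deny=True, fallback_requires_allow=False))
```

With the "and not deny" condition kept, the deny rule's `pix` falls through to the "unknown character(s)" branch; with it dropped, the parser accepts the string and the later check reports the actual problem, which is what the reply argues for.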

