[apparmor] [PATCH] utils: Don't enforce ordering of dbus rule attributes
Christian Boltz
apparmor at cboltz.de
Sun Feb 12 19:30:22 UTC 2017
Hello,
Am Mittwoch, 8. Februar 2017, 23:56:27 CET schrieb Tyler Hicks:
> https://launchpad.net/bugs/1628286
>
> The utils were enforcing that the dbus rule attributes were strictly
> ordered in the following fashion:
>
> bus -> path -> interface -> member -> peer
>
> However, the parser has always accepted the attributes in any order.
> If the system contained a profile which did not use the strict
> ordering enforced by the utils, the utils would refuse to operate at
> all.
>
> This patch eases the restriction on the ordering at the expense of the
> utils no longer being able to detect and reject a single attribute
> that is repeated multiple times. In that situation, only the last
> occurrence of the attribute will be honored by the utils.
Also note that writing (in "clean" mode) a dbus rule back to a profile
will only include the last match. This has the advantage of accidently
fixing the profile, and the disadvantage of altering the profile without
any notice.
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Cc: Christian Boltz <apparmor at cboltz.de>
> ---
> utils/apparmor/rule/dbus.py | 12 ++++++------
> utils/test/test-dbus.py | 6 ++++++
> utils/test/test-parser-simple-tests.py | 8 +++-----
> 3 files changed, 15 insertions(+), 11 deletions(-)
>
> diff --git a/utils/apparmor/rule/dbus.py b/utils/apparmor/rule/dbus.py
> index 60f1ecf..58dc7b5 100644
> --- a/utils/apparmor/rule/dbus.py
> +++ b/utils/apparmor/rule/dbus.py
> @@ -40,11 +40,11 @@ RE_FLAG =
> '(?P<%s>(\S+|"[^"]+"|\(\s*\S+\s*\)|\(\s*"[^"]+"\)\s*))' # s
> RE_DBUS_DETAILS = re.compile(
It's probably a good idea to add something like
# XXX this regex will allow repeated parameters, last one wins
# XXX (the parser will reject such rules)
> diff --git a/utils/test/test-dbus.py b/utils/test/test-dbus.py
> index 5b676bc..f1bcb25 100644
> --- a/utils/test/test-dbus.py
> +++ b/utils/test/test-dbus.py
> @@ -89,6 +89,10 @@ class DbusTestParse(DbusTest):
> + ('dbus bus=system path=/foo/bar bus=session,'
Please add
# XXX bus= specified twice, last one wins
to make clear this test is about suboptimal behaviour
> + ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6,'
This deserves the same comment ;-) (well, s/twice/multipe times/)
With these comments added,
Acked-by: Christian Boltz <apparmor at cboltz.de>
As I already stated in the bugreport, having a parse_dbus_rule() in
libapparmor would be even better ;-)
Regards,
Christian Boltz
--
Windows hatte für mich auch etwas gutes ...
... Microsoft schaffte es zumindest mein Interesse an Linux
zu wecken ;-) [Michael Meyer in suse-linux]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170212/77b9eb9d/attachment.pgp>
More information about the AppArmor
mailing list