[apparmor] [PATCH] utils: Don't enforce ordering of dbus rule attributes
Tyler Hicks
tyhicks at canonical.com
Wed Feb 15 18:12:03 UTC 2017
On 02/12/2017 01:30 PM, Christian Boltz wrote:
> Hello,
>
> Am Mittwoch, 8. Februar 2017, 23:56:27 CET schrieb Tyler Hicks:
>> https://launchpad.net/bugs/1628286
>>
>> The utils were enforcing that the dbus rule attributes were strictly
>> ordered in the following fashion:
>>
>> bus -> path -> interface -> member -> peer
>>
>> However, the parser has always accepted the attributes in any order.
>> If the system contained a profile which did not use the strict
>> ordering enforced by the utils, the utils would refuse to operate at
>> all.
>>
>> This patch eases the restriction on the ordering at the expense of the
>> utils no longer being able to detect and reject a single attribute
>> that is repeated multiple times. In that situation, only the last
>> occurrence of the attribute will be honored by the utils.
>
> Also note that writing (in "clean" mode) a dbus rule back to a profile
> will only include the last match. This has the advantage of accidently
> fixing the profile, and the disadvantage of altering the profile without
> any notice.
>
>> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
>> Cc: Christian Boltz <apparmor at cboltz.de>
>> ---
>> utils/apparmor/rule/dbus.py | 12 ++++++------
>> utils/test/test-dbus.py | 6 ++++++
>> utils/test/test-parser-simple-tests.py | 8 +++-----
>> 3 files changed, 15 insertions(+), 11 deletions(-)
>>
>> diff --git a/utils/apparmor/rule/dbus.py b/utils/apparmor/rule/dbus.py
>> index 60f1ecf..58dc7b5 100644
>> --- a/utils/apparmor/rule/dbus.py
>> +++ b/utils/apparmor/rule/dbus.py
>> @@ -40,11 +40,11 @@ RE_FLAG =
>> '(?P<%s>(\S+|"[^"]+"|\(\s*\S+\s*\)|\(\s*"[^"]+"\)\s*))' # s
>> RE_DBUS_DETAILS = re.compile(
>
> It's probably a good idea to add something like
> # XXX this regex will allow repeated parameters, last one wins
> # XXX (the parser will reject such rules)
>
>
>> diff --git a/utils/test/test-dbus.py b/utils/test/test-dbus.py
>> index 5b676bc..f1bcb25 100644
>> --- a/utils/test/test-dbus.py
>> +++ b/utils/test/test-dbus.py
>> @@ -89,6 +89,10 @@ class DbusTestParse(DbusTest):
>
>> + ('dbus bus=system path=/foo/bar bus=session,'
>
> Please add
> # XXX bus= specified twice, last one wins
> to make clear this test is about suboptimal behaviour
>
>> + ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6,'
>
> This deserves the same comment ;-) (well, s/twice/multipe times/)
>
>
> With these comments added,
> Acked-by: Christian Boltz <apparmor at cboltz.de>
Thanks for the reviews! I've made the changes that you requested here.
>
>
> As I already stated in the bugreport, having a parse_dbus_rule() in
> libapparmor would be even better ;-)
Agreed. I hope we can get to that point someday.
Tyler
>
>
> Regards,
>
> Christian Boltz
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170215/3041e93a/attachment.pgp>
More information about the AppArmor
mailing list