[apparmor] [PATCH 4/5] Add support for dconf confinement
Christian Boltz
apparmor at cboltz.de
Thu Jan 26 23:03:53 UTC 2017
Hello,
finally some time to review the remaining dconf patches ;-)
Am Freitag, 16. Dezember 2016, 10:00:35 CET schrieb John Johansen:
> diff --git a/libraries/libapparmor/src/libapparmor.map
> b/libraries/libapparmor/src/libapparmor.map index 3ce786f..4598e15
> 100644
> --- a/libraries/libapparmor/src/libapparmor.map
> +++ b/libraries/libapparmor/src/libapparmor.map
> @@ -100,6 +100,10 @@ APPARMOR_2.12 {
> aa_query_cmd;
> aa_clear_label_data;
> aa_query_label_data;
> + aa_clear_dconf_info;
> + aa_query_dconf_info;
> + aa_query_dconf;
> + aa_query_dconf_len;
> local:
> *;
> } APPARMOR_2.11;
I'd guess the dconf functions should go into APPARMOR_2.12.
> diff --git a/parser/dconf.cc b/parser/dconf.cc
> new file mode 100644
> index 0000000..669bf80
> +std::ostream &dconf_rule::dump(std::ostream &os)
> +{
> + if (audit)
> + os << "audit ";
> +
> + os << "dconf (";
> +
> + switch (mode & AA_DCONF_READWRITE) {
> + case AA_DCONF_READ:
> + os << "read";
> + break;
> + case AA_DCONF_WRITE:
> + os << " write";
> + break;
> + }
> + os << ") " << path << ",\n";
> +
> + return os;
> +}
It seems this function will return the rule as plain text, but we
already have that in the profile.
So - what's the purpose / usecase of this function?
> diff --git a/parser/tst/simple_tests/dconf/bad_path_04.sd
> b/parser/tst/simple_tests/dconf/bad_path_04.sd new file mode 100644
> index 0000000..a870c12
> --- /dev/null
> +++ b/parser/tst/simple_tests/dconf/bad_path_04.sd
> @@ -0,0 +1,8 @@
> +#
> +#=DESCRIPTION dconf rule with space
> +#=EXRESULT FAIL
> +#
> +
> +profile bad_path {
> + dconf /a /b r,
> +}
Can you add another test with the space quoted?
dconf "/a /b" r,
I don't know if dconf paths allow spaces (and therefore don't know the
expected result), but adding quotes around such a path is the first thing
I'd try ;-)
> diff --git a/parser/tst/simple_tests/dconf/ok_audit_01.sd
> b/parser/tst/simple_tests/dconf/ok_audit_01.sd new file mode 100644
> index 0000000..d2e63f2
> --- /dev/null
> +++ b/parser/tst/simple_tests/dconf/ok_audit_01.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION dconf rule with audit
> +#=EXRESULT PASS
> +#
> +
> +profile ok_audit {
> + audit dconf /a/b/c r,
> + audit dconf /d/e/f rw,
> +}
By adding the ok_* tests, you'll break the utils tests.
To avoid this, you'll _at least_ need to add minimal support for dconf
rules (saving the full "dconf .*" line and writing it back to the
profile).
Of course, I won't object if someone volunteers to write the DconfRule
class with full support ;-) [1]
Regards,
Christian Boltz
[1] You can probably steal quite some code from existing classes, so I'd
guess it's doable in two days.
--
"Die meisten Menschen pflegen im Kindesalter vom Zeigen auf Gegenstände
(Mausbewegung) und 'ga' sagen (Mausklick) abzukommen, zugunsten eines
mächtigeren und langwierig zu erlernenden Tools (Sprache)".
[Achim Linder in de.comp.os.unix.linux.misc]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170127/f46a7d64/attachment.pgp>
More information about the AppArmor
mailing list