On Wed, Jul 30, 2014 at 11:42:05PM +0200, Christian Boltz wrote: > I received three patches from Jeff to add support for the bare network, > capability and file keywords. > > I propose Jeff's patches for 2.8 and trunk/deprecated. > > > I'll paste all three patches into this mail, the patch headers contain > detailed descriptions what the patches do.
Thanks for passing these along. > +++++ perl-apparmor-fix-bare-network-keyword-handling.diff (new) > -- perl-apparmor-fix-bare-network-keyword-handling.diff > ++ perl-apparmor-fix-bare-network-keyword-handling.diff > @ -0,0 +1,34 @@ > From: Jeff Mahoney <[email protected]> > Subject: perl-apparmor: Fix bare 'network' keyword handling > References: bnc#889650 > > The 'network' bare keyword was being printed as "audit network all" due to > two different bugs: > > 1) {audit}{all} was always being set to 1, regardless of whether the audit > keyword was used > 2) {rule} eq 'all' is the wrong test - it should be {rule}{all} > > With these fixed, 'network' is properly handled. > > Signed-off-by: Jeff Mahoney <[email protected]> Acked-by: Steve Beattie <[email protected]> > --- a/utils/Immunix/AppArmor.pm > +++ b/utils/Immunix/AppArmor.pm > @@ -5353,7 +5368,7 @@ > > $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit; > } else { > > $profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{all} = 1; > - > $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = 1; > + > $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = $audit; > } > } elsif (/^\s*(tcp_connect|tcp_accept|udp_send|udp_receive)/) { > # just ignore and drop old style network > @@ -5708,7 +5729,7 @@ > # dump out the netdomain entries... > if (exists $profile_data->{$allow}{netdomain}) { > if ( $profile_data->{$allow}{netdomain}{rule} && > - $profile_data->{$allow}{netdomain}{rule} eq 'all') { > + $profile_data->{$allow}{netdomain}{rule}{all}) { > $audit = "audit " if > $profile_data->{$allow}{netdomain}{audit}{all}; > push @data, "${pre}${audit}network,"; > } else { > > +++++ perl-apparmor-handle-bare-capability-keyword.diff (new) > -- perl-apparmor-handle-bare-capability-keyword.diff > ++ perl-apparmor-handle-bare-capability-keyword.diff > @ -0,0 +1,43 @@ 
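Review bot: In the second hunk (@@ -5708) the line now reached for a bare rule, `push @data, "${pre}${audit}network,";`, carries no allow/deny prefix, while the capability output in the same dump code uses `${allowstr}`; since the parse hunk (@@ -5353) stores the rule under `$allow`, which can be `deny`, a bare `deny network,` would be written back as `network,`, silently turning a deny into an allow when the profile is rewritten. If `$allowstr` is in scope here as it is in the capability block, the line should read `push @data, "${pre}${audit}${allowstr}network,";`. The enclosing dump function starts and ends outside the hunk.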
> From: Jeff Mahoney <[email protected]> > Subject: perl-apparmor: Handle bare 'capability' keyword > References: bnc#889651 > > Specifying 'capability' implies all capabilities, but the perl code didn't > recognize it. > > Signed-off-by: Jeff Mahoney <[email protected]> Acked-by: Steve Beattie <[email protected]> > --- a/utils/Immunix/AppArmor.pm > +++ b/utils/Immunix/AppArmor.pm > @@ -5151,7 +5151,7 @@ > > $initial_comment = ""; > > - } elsif > (m/^\s*(audit\s+)?(deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$/) { # > capability entry > + } elsif > (m/^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$/) { # > capability entry > if (not $profile) { > die sprintf(gettext('%s contains syntax errors.'), $file) . > "\n"; > } > @@ -5159,7 +5159,7 @@ > my $audit = $1 ? 1 : 0; > my $allow = $2 ? 'deny' : 'allow'; > $allow = 'deny' if ($2); > - my $capability = $3; > + my $capability = $3 ? $3 : 'all'; > > $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{set} = 1; > > $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{audit} = > $audit; > } elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) { # > capability entry 
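Review bot: In the @@ -5159 hunk, `my $capability = $3 ? $3 : 'all';` reads the wrong capture: after the regex change in the @@ -5151 hunk, `$3` is the outer group `(\s+(\S+))`, which includes the leading whitespace, and the bare name is `$4`. As quoted, `capability net_admin,` is stored under the key ` net_admin` (leading space), which is dumped back as `capability  net_admin,` with a doubled space and presumably no longer matches the name stored by the `set capability (\S+)` branch below. The line should be `my $capability = defined $4 ? $4 : 'all';`. The parse function starts and ends outside these hunks.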
> @@ -5675,7 +5690,13 @@ > > my @data; > if (exists $profile_data->{$allow}{capability}) { > - for my $cap (sort keys %{$profile_data->{$allow}{capability}}) { > + my $audit; > + if (exists $profile_data->{$allow}{capability}{all}) { > + $audit = ($profile_data->{$allow}{capability}{all}{audit}) ? > 'audit ' : ''; > + push @data, "${pre}${audit}${allowstr}capability,"; > + } > + for my $cap (sort keys %{$profile_data->{$allow}{capability}}) { > + next if ($cap eq "all"); > my $audit = ($profile_data->{$allow}{capability}{$cap}{audit}) ? > 'audit ' : ''; > if ($profile_data->{$allow}{capability}{$cap}{set}) { > push @data, "${pre}${audit}${allowstr}capability ${cap},"; > > +++++ perl-apparmor-properly-handle-bare-file-keyword.diff (new) > -- perl-apparmor-properly-handle-bare-file-keyword.diff > ++ perl-apparmor-properly-handle-bare-file-keyword.diff > @ -0,0 +1,73 @@ > From: Jeff Mahoney <[email protected]> > Subject: perl-apparmor: Properly handle bare 'file' keyword > References: bnc#889652 > > The bare file keyword is a shortcut for /{**,}. There are also implied > permissions that go with it. > > This patch accepts the file keyword as well as allowing for missing mode > specifiers. > > Signed-off-by: Jeff Mahoney <[email protected]> Acked-by: Steve Beattie <[email protected]> > --- > > utils/Immunix/AppArmor.pm | 27 ++++++++++++++++++++++++--- > 1 file changed, 24 insertions(+), 3 deletions(-) > > --- a/utils/Immunix/AppArmor.pm > +++ b/utils/Immunix/AppArmor.pm 
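Review bot: The `my $audit;` declared before the `if (exists ...{capability}{all})` block is only used inside that block and is shadowed by the `my $audit` in the `for` loop two lines later; the outer declaration should move into the block as `my $audit = $profile_data->{$allow}{capability}{all}{audit} ? 'audit ' : '';`. Unlike the per-capability loop, the bare form is pushed without consulting `{all}{set}`; if `set` is meant to distinguish `capability` rules from `set capability` entries, the bare branch should check it too. Minor: `next if ($cap eq "all");` reads better as `next if $cap eq 'all';`. The enclosing function starts outside the hunk.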
> @@ -5252,7 +5252,7 @@ > } elsif > (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # > conditional -- boolean > } elsif > (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) > { # conditional -- variable defined > } elsif > (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) > { # conditional -- boolean defined > - } elsif > (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) > { # path entry > + } elsif > (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) > { # path entry > if (not $profile) { > die sprintf(gettext('%s contains syntax errors.'), $file) . > "\n"; > } > @@ -5260,7 +5260,19 @@ > my $audit = $1 ? 1 : 0; > my $allow = $2 ? 'deny' : 'allow'; > my $user = $3 ? 1 : 0; > - my ($path, $mode, $nt_name) = ($4, $5, $7); > + my ($path, $mode, $nt_name) = ($5, $6, $8); > + my $file_keyword = 0; > + my $use_mode = 1; > + > + if ($4 eq "file") { > + $path = "/{**,}"; > + $file_keyword = 1; > + if (!$mode) { > + # what the parser uses, but we don't care > + $mode = "rwixlka"; > + $use_mode = 0; > + } > + } > > # strip off any trailing spaces. > $path =~ s/\s+$//; > @@ -5281,6 +5293,9 @@ > fatal_error(sprintf(gettext('Profile %s contains invalid > mode %s.'), $file, $mode)); > } > > + $profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = > $use_mode; > + > $profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if > $file_keyword; > + > my $tmpmode; > if ($user) { > $tmpmode = str_to_mode("${mode}::"); 
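Review bot: Forcing `$path = "/{**,}"` in the @@ -5260 hunk makes the bare keyword share its `{path}` hash key with a literal `/{**,} <mode>,` rule in the same profile, and the @@ -5281 hunk then sets `{file_keyword} = 1` on that shared entry (never cleared) and overwrites `{use_mode}` with whichever rule was parsed last, so a profile containing both looks like it would be written back as a single `file` rule whose mode merges the placeholder `rwixlka` with the user's mode. A distinct key, or a flag kept outside `{path}`, would keep the two rules apart. Separately, the `file` alternative in the @@ -5252 regex captures no mode, so `$mode` is always undef for the keyword and `$use_mode` is always 0 there; the `$use_mode = 1` path is reachable only through that collision, and `file /path r,` does not match this regex at all, so if that form is meant to be accepted the `file` alternative needs its own optional path/mode groups (which renumbers the captures used in `($5, $6, $8)`). The parse function starts and ends outside these hunks.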
> @@ -5838,7 +5859,13 @@ > } > $tmpmode &= ~$tmpaudit; > } > - if ($tmpmode) { > + my $kw = $profile_data->{$allow}{path}{$path}{file_keyword}; > + my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode}; > + if ($kw) { > + my $modestr = ""; > + $modestr = " " . mode_to_str($tmpmode) if $use_mode; > + push @data, > "${pre}${allowstr}${ownerstr}file${modestr}${tail},"; > + } elsif ($tmpmode) { > my $modestr = mode_to_str($tmpmode); > if ($path =~ /\s/) { > push @data, "${pre}${allowstr}${ownerstr}\"$path\" > ${modestr}${tail},"; -- Steve Beattie <[email protected]> http://NxNW.org/~steve/
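Review bot: The new `if ($kw)` branch is not guarded by `$tmpmode` the way the `elsif ($tmpmode)` path branch is, so after the `$tmpmode &= ~$tmpaudit` line above, a keyword entry is pushed even when no mode bits remain; whether that yields a spurious `file,` line depends on the loop that starts outside the hunk (it looks like an audit/non-audit split). When `$use_mode` is set, `if ($kw && ($tmpmode || !$use_mode))` would mirror the path branch. Style: `my $modestr = ""; $modestr = " " . mode_to_str($tmpmode) if $use_mode;` is clearer as `my $modestr = $use_mode ? ' ' . mode_to_str($tmpmode) : '';`.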
