Hello,
now that the parser allows variables in change_profile rules,
the tools should also do that ;-)
[ 67-change-profile-allow-var.diff ]
=== modified file utils/apparmor/regex.py
--- utils/apparmor/regex.py 2015-07-05 16:49:54.682489394 +0200
+++ utils/apparmor/regex.py 2015-07-05 17:13:27.880086386 +0200
@@ -27,7 +27,9 @@
RE_COMMA_EOL = '\s*,' + RE_EOL # optional whitespace, comma + RE_EOL
RE_PROFILE_NAME = '(?P<%s>(\S+|"[^"]+"))' # string without spaces,
or quoted string. %s is the match group name
-RE_PROFILE_PATH = '(?P<%s>(/\S+|"/[^"]+"))' # filename (starting with
'/') without spaces, or quoted filename. %s is the match group name
+RE_PATH = '/\S+|"/[^"]+"' # filename (starting with '/')
without spaces, or quoted filename.
+RE_PROFILE_PATH = '(?P<%s>(' + RE_PATH + '))' # quoted or unquoted
filename. %s is the match group name
+RE_PROFILE_PATH_OR_VAR = '(?P<%s>(' + RE_PATH + '|@{\S+}\S*|"@{\S+}[^"]*"))'
# quoted or unquoted filename or variable. %s is the match group name
RE_PROFILE_END = re.compile('^\s*\}' + RE_EOL)
RE_PROFILE_CAP = re.compile(RE_AUDIT_DENY +
'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL)
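Review bot: In `RE_PROFILE_PATH_OR_VAR` the variable name is matched with `\S+`, which also accepts `}` and `"`, so the name is not bounded by its closing brace and the quoted alternative can run past an inner quote. These tools read profile rules, so a looser pattern than intended means they may accept an exec condition that is not a well-formed variable reference; whether the parser would reject the same input is not visible here. A bounded class avoids this: `'|@\{[^}\s"]+\}\S*|"@\{[^}\s"]+\}[^"]*"))'`. Separately, `RE_PATH` is a bare alternation with no group of its own, so its comment should say it must be wrapped in parentheses before being concatenated, as both users in this hunk do.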
@@ -75,7 +77,7 @@
RE_PROFILE_CHANGE_PROFILE = re.compile(
RE_AUDIT_DENY +
'change_profile' +
- '(\s+' + RE_PROFILE_PATH % 'execcond' + ')?' + # optionally exec condition
+ '(\s+' + RE_PROFILE_PATH_OR_VAR % 'execcond' + ')?' + # optionally exec
condition
'(\s+->\s*' + RE_PROFILE_NAME % 'targetprofile' + ')?' + # optionally
'->' target profile
RE_COMMA_EOL)
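Review bot: With `RE_PROFILE_PATH_OR_VAR % 'execcond'` the `execcond` group can now begin with `@{` or `"@{` instead of `/`, and the code that consumes that group is outside this patch. Any validation or quote-stripping there that assumes a leading slash should be confirmed to still behave correctly, since a variable's expansion is not checked by this regex to be an absolute path. No test accompanies the change in this mail; regex tests for a rule such as `change_profile @{bin}/foo -> bar,` (constructed example) and for a malformed variable reference would pin the intended behaviour.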
Regards,
Christian Boltz
--
> # bluescreen: Bluescreen-Emulator für Terminals
Ich hab es eben in ner Konsole getestet und ich Idiot habe wirklich
Strg+Alt+Entf gedrückt! Warum postest Du solch gefährliche Scripte?
[> David Haller und Rüdiger Meier in suse-linux]