Hello,
the parser accepts duplicated execute permissions as long as they don't
conflict. For example,
/bin/foo pxpxpxpx,
is a valid rule.
This patch changes FileRule to also accept those duplicated permissions,
even if it's unlikely to hit them outside of the parser tests ;-)
Also add some tests to make sure the parsing works as expected.
[ 11-FileRule-handle-duplicated-exec-permissions.diff ]
== modified file ./utils/apparmor/rule/file.py
--- utils/apparmor/rule/file.py 2016-02-01 21:31:56.427302903 +0100
+++ utils/apparmor/rule/file.py 2016-02-03 22:05:58.949867394 +0100
@@ -339,12 +398,12 @@
exec_mode = 'x'
perm_string = perm_string[1:]
elif perm_string.startswith(allow_exec_transitions):
- if exec_mode:
+ if exec_mode and exec_mode != perm_string[0:2]:
raise AppArmorException(_('conflicting execute permissions
found: %s and %s' % (exec_mode, perm_string[0:2])))
exec_mode = perm_string[0:2]
perm_string = perm_string[2:]
elif perm_string.startswith(allow_exec_fallback_transitions) and not
deny:
- if exec_mode:
+ if exec_mode and exec_mode != perm_string[0:3]:
raise AppArmorException(_('conflicting execute permissions
found: %s and %s' % (exec_mode, perm_string[0:3])))
exec_mode = perm_string[0:3]
perm_string = perm_string[3:]
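Review bot: In both `raise AppArmorException(_('conflicting execute permissions found: %s and %s' % (...)))` lines the `%` interpolation sits inside the `_()` call. Assuming `_` is the gettext lookup, it receives the already-formatted string, which will not match any catalog entry, so the message is never translated. Move the arguments outside the call: `raise AppArmorException(_('conflicting execute permissions found: %s and %s') % (exec_mode, perm_string[0:2]))`, and likewise with `[0:3]` in the fallback-transition branch. These are context lines the patch leaves untouched, and the enclosing function starts and ends outside the hunk.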
--- utils/test/test-file.py 2016-02-01 21:31:56.431302879 +0100
+++ utils/test/test-file.py 2016-02-04 21:48:22.257941682 +0100
@@ -87,6 +87,10 @@
('audit deny r /tmp/foo,' , exp(True, False, True, '',
'/tmp/foo', False, {'r'}, False, None, None,
True, False, False, True )),
('allow ra /tmp/foo,' , exp(False, True, False, '',
'/tmp/foo', False, {'r', 'a'}, False, None, None,
True, False, False, True )),
('audit allow ra /tmp/foo,' , exp(True, True, False, '',
'/tmp/foo', False, {'r', 'a'}, False, None, None,
True, False, False, True )),
+
+ # duplicated (but not conflicting) permissions
+ ('/foo PxPxPxPxrwPx -> bar,' , exp(False, False, False, '',
'/foo', False, {'r', 'w'}, False, 'Px', 'bar',
False, False, False, False )),
+ ('/foo CixCixrwCix -> bar, ' , exp(False, False, False, '',
'/foo', False, {'r', 'w'}, False, 'Cix', 'bar',
False, False, False, False )),
]
def _run_test(self, rawrule, expected):
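Review bot: The added cases only cover duplicates that must be accepted; nothing visible in this hunk checks that the relaxed comparison still rejects near-duplicates. With the check now `exec_mode != perm_string[0:2]`, constructed rules such as `/foo PxpxrwPx -> bar,` or `/foo PxCxrw -> bar,` must keep raising AppArmorException. `Px` and `px` differ in whether the environment is scrubbed on exec, so accepting one as a duplicate of the other would silently change what the profile grants. Add such rules to the invalid-rule tests if they are not already covered elsewhere in the file; the test list and `_run_test` both extend outside this hunk.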
Regards,
Christian Boltz
--
F: Word? Was ist das?
A: Das ist wohl das Programm, das ursrpünglich einmal Text heißen
sollte. Da es aber für längere Dokumente ungeeignet ist, wurde es
umbenannt. Inzwischen kann es aber bereits 97 Wörter verwalten.
