Merge parser: Fix MR625 to emit proc attr access for all situations

MR625 fixed hats not emitting the rule to access the proc interface needed for change_hat, but it broke the rule being emitted for the parent (which used to work). The proc attr access rule should be emitted for any profile that is a hat OR any profile that contains hats. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626 Acked-by: Steve Beattie <steve.beattie@canonical.com>
2025-03-04 08:24:42 +01:00 · 2020-09-18 10:30:30 +00:00 · 2020-09-18 10:30:30 +00:00 · 1a7d9d9da0
commit 1a7d9d9da0
parent c05905fff1 d1be977667
3 changed files with 19 additions and 3 deletions
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@ -205,7 +205,7 @@ static int profile_add_hat_rules(Profile *prof)
 	struct cod_entry *entry;

 	/* don't add hat rules if not hat or profile doesn't have hats */
-	if (!prof->flags.hat || !prof->hat_table.empty())
+	if (!prof->flags.hat && prof->hat_table.empty())
 		return 0;

 	/* add entry to hat */
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@ -545,7 +545,23 @@ verify_binary_equality "set rlimit memlock <= 2GB" \
                       "/t { set rlimit memlock <= 2GB, }" \
                       "/t { set rlimit memlock <= $((2 * 1024)) MB, }" \
                       "/t { set rlimit memlock <= $((2 * 1024 * 1024)) KB, }" \
-                       "/t { set rlimit memlock <= $((2 * 1024 * 1024 * 1024)) , }" \
+                       "/t { set rlimit memlock <= $((2 * 1024 * 1024 * 1024)) , }"
+
+# Unfortunately we can not just compare an empty profile and hat to a
+# ie. "/t { ^test { /f r, }}"
+# to the second profile with the equivalent rule inserted manually
+# because policy write permission "w" actually expands to mutiple permissions
+# under the hood, and the parser is not adding those permissions
+# to the rules it auto generates
+# So we insert the rule with "append" permissions, and rely on the parser
+# merging permissions of rules.
+# If the parser isn't adding the rules "append" is not equivalent to
+# the "write" permission in the second profile and the test will fail.
+# If the parser is adding the change_hat proc attr rules then the
+# rules should merge and be equivalent.
+verify_binary_equality "change_hat rules automatically inserted"\
+		       "/t { owner /proc/[0-9]*/attr/{apparmor/,}current a, ^test { owner /proc/[0-9]*/attr/{apparmor/,}current a, /f r, }}" \
+		       "/t { owner /proc/[0-9]*/attr/{apparmor/,}current w, ^test { owner /proc/[0-9]*/attr/{apparmor/,}current w, /f r, }}"

 if [ $fails -ne 0 ] || [ $errors -ne 0 ]
 then
--- a/profiles/apparmor.d/abstractions/apparmor_api/change_profile
+++ b/profiles/apparmor.d/abstractions/apparmor_api/change_profile
@ -10,4 +10,4 @@ abi <abi/3.0>,

 include <abstractions/apparmor_api/introspect>

-@{PROC}/@{tid}/attr/{current,exec} w,
+@{PROC}/@{tid}/attr/{apparmor/,}{current,exec} w,