mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix @{profile_name} variable to not be a fqname

Browse source 
The @{profile_name} is incorrectly expanded as a fully qualified path
including its namespace if one was specified in the profile declaration.

ie.
  profile :ns://a {
     ptrace @{profile_name},
     # expands to
     # ptrace :ns://a,
}

This is wrong however because within a profile if a rule refers
to a namespace it will be wrt a sub-namespace.  That is in the above
example the ptrace rule is refering to a profile in a subnamespace
"ns".

Or from the current profile declaration scope
 :ns//ns://a

Instead @{profile_name} should expand into the hname (hierarchical name),
which is the profile hierarchy specification within the namespace the
profile is part of.

In this case
    a

or for a child profile case
  profile :ns://a {
     profile b {
        ptrace @{profile_name},
  }
}

the hname expansion would be
  a//b

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
John Johansen 2015-07-10 18:11:28 -07:00
parent 835605a647
commit 2be46bbabc
2 changed files with 25 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
parser/parser_variable.c
View file

@ -297,7 +297,7 @@ int process_profile_variables(Profile *prof)
error = process_variables_in_name(*prof); error = process_variables_in_name(*prof);
if (!error) if (!error)
error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(true).c_str()); error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(false).c_str());
if (!error) if (!error)
error = process_variables_in_entries(prof->entries); error = process_variables_in_entries(prof->entries);

24
parser/tst/equality.sh
View file

@ -464,6 +464,30 @@ verify_binary_equality "change_profile == change_profile -> **" \
"/t { change_profile /**, }" \ "/t { change_profile /**, }" \
"/t { change_profile /** -> **, }" "/t { change_profile /** -> **, }"
verify_binary_equality "profile name is hname in rule" \
":ns:/hname { signal peer=/hname, }" \
":ns:/hname { signal peer=@{profile_name}, }"
verify_binary_inequality "profile name is NOT fq name in rule" \
":ns:/hname { signal peer=:ns:/hname, }" \
":ns:/hname { signal peer=@{profile_name}, }"
verify_binary_equality "profile name is hname in sub pofile rule" \
":ns:/hname { profile child { signal peer=/hname//child, } }" \
":ns:/hname { profile child { signal peer=@{profile_name}, } }"
verify_binary_inequality "profile name is NOT fq name in sub profile rule" \
":ns:/hname { profile child { signal peer=:ns:/hname//child, } }" \
":ns:/hname { profile child { signal peer=@{profile_name}, } }"
verify_binary_equality "profile name is hname in hat rule" \
":ns:/hname { ^child { signal peer=/hname//child, } }" \
":ns:/hname { ^child { signal peer=@{profile_name}, } }"
verify_binary_inequality "profile name is NOT fq name in hat rule" \
":ns:/hname { ^child { signal peer=:ns:/hname//child, } }" \
":ns:/hname { ^child { signal peer=@{profile_name}, } }"
if [ $fails -ne 0 -o $errors -ne 0 ] if [ $fails -ne 0 -o $errors -ne 0 ]
then then
printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1 printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1