Write unix rules when saving a profile

r2637 added support for parsing unix rules, but forgot to add write
support. The result was that a profile lost its unix rules when it was
saved.

This patch adds the write_unix_rules() and write_unix() functions (based
on the write_pivot_root() and write_pivot_root_rules() functions) and
makes sure they get called at the right place.

The cleanprof testcase gets a unix rule added to ensure it is not
deleted when writing the profile. (Note that minitools_test.py is not
part of the default "make check", but I always run it.)


References: https://bugs.launchpad.net/apparmor/+bug/1522938
            https://bugzilla.opensuse.org/show_bug.cgi?id=954104



Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
This commit is contained in:
Christian Boltz 2015-12-17 23:51:29 +01:00
parent 28a64d280c
commit 40e24e9b29
3 changed files with 26 additions and 1 deletions


@ -3549,6 +3549,24 @@ def write_pivot_root(prof_data, depth):
data += write_pivot_root_rules(prof_data, depth, 'allow')
return data
def write_unix_rules(prof_data, depth, allow):
pre = ' ' * depth
data = []
# no unix rules, so return
if not prof_data[allow].get('unix', False):
return data
for unix_rule in prof_data[allow]['unix']:
data.append('%s%s' % (pre, unix_rule.serialize()))
data.append('')
return data
def write_unix(prof_data, depth):
data = write_unix_rules(prof_data, depth, 'deny')
data += write_unix_rules(prof_data, depth, 'allow')
return data
def write_link_rules(prof_data, depth, allow):
pre = ' ' * depth
data = []
@ -3660,6 +3678,7 @@ def write_rules(prof_data, depth):
data += write_signal(prof_data, depth)
data += write_ptrace(prof_data, depth)
data += write_pivot_root(prof_data, depth)
data += write_unix(prof_data, depth)
data += write_links(prof_data, depth)
data += write_paths(prof_data, depth)
data += write_change_profile(prof_data, depth)
@ -3820,6 +3839,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
'signal': write_signal,
'ptrace': write_ptrace,
'pivot_root': write_pivot_root,
'unix': write_unix,
'link': write_links,
'path': write_paths,
'change_profile': write_change_profile,
@ -3835,6 +3855,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
'signal',
'ptrace',
'pivot_root',
'unix',
'link',
'path',
'change_profile',
@ -3851,6 +3872,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
'signal': True, # not handled otherwise yet
'ptrace': True, # not handled otherwise yet
'pivot_root': True, # not handled otherwise yet
'unix': True, # not handled otherwise yet
'link': False,
'path': False,
'change_profile': False,
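Review bot: `write_unix_rules` and `write_unix` in the first hunk carry no docstring and repeat the per-rule-type writer template verbatim, which is exactly the pattern behind this regression: a rule type gained a parser without a writer, so the tools silently dropped every `unix` rule — including any `deny unix` rule, which weakens the policy without any error — each time the profile was saved. A docstring such as `"""Serialize the unix rules stored under prof_data[allow] ('allow' or 'deny'): one indented line per rule followed by a blank line, or [] when the profile has none."""` would at least record the contract the two functions share. Longer term the per-type writers could share one generic helper parameterized by rule-type name, and the three parallel lists in `serialize_profile_from_old_profile` (the dispatch dict, the ordering list and the "not handled otherwise yet" flags) could be derived from a single registry so a newly parsed rule type cannot be forgotten in one of them. The rendered page collapses indentation, so I have not verified that `pre` uses the same indent width as the sibling writers.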


@ -7,6 +7,7 @@
#Below rule comes from abstractions/base
allow /usr/share/X11/locale/** r,
allow /home/*/** r,
unix (receive) type=dgram,
allow /home/foo/bar r,
allow /home/foo/** w,
}
@ -16,4 +17,4 @@
# However this comment will be wiped, need to change that
allow /home/*/** rw,
allow /home/foo/bar r,
}
}
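Review bot: The regression test exercises only an unprefixed (allow) unix rule, `unix (receive) type=dgram,`, so the `'deny'` branch that `write_unix` serializes first is still untested, even though a silently dropped `deny unix` rule is the security-relevant failure mode of the bug being fixed. Adding a second line such as `deny unix (send) type=stream,` to both the input profile and this expected output would cover that branch and pin the deny-before-allow write order. The trailing `}` change at the end of the file looks like a newline-at-EOF fix; if so, a one-word mention in the commit message would save the next reader from wondering whether the closing brace moved.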


@ -6,6 +6,8 @@
/usr/bin/a/simple/cleanprof/test/profile {
#include <abstractions/base>
unix (receive) type=dgram,
/home/*/** r,
/home/foo/** w,