From f0876ea92a6482342675939398d4559947ec2cbd Mon Sep 17 00:00:00 2001 From: Emerson Bernier Date: Fri, 30 Mar 2018 17:46:25 +0200 Subject: [PATCH 1/2] Add .pacsave/.pacnew to apparmor parser ignored list Currently there is a list of file extensions which apparmor parser should ignore which contains rpm and dpkg backup files. The list could be extended with extensions used by pacman package manager (Archlinux/Manjaro/Antergos): .pacsave .pacnew https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave References: https://gitlab.com/apparmor/apparmor/issues/3 --- libraries/libapparmor/src/private.c | 3 +++ parser/apparmor_parser.pod | 6 +++--- parser/rc.apparmor.functions | 6 ++++-- utils/apparmor/aa.py | 2 +- utils/test/test-aa.py | 22 +++++++++++++--------- 5 files changed, 24 insertions(+), 15 deletions(-) diff --git a/libraries/libapparmor/src/private.c b/libraries/libapparmor/src/private.c index 9378e2243..91c3f9c30 100644 --- a/libraries/libapparmor/src/private.c +++ b/libraries/libapparmor/src/private.c @@ -56,6 +56,9 @@ static struct ignored_suffix_t ignored_suffixes[] = { { ".dpkg-old", 9, 1 }, { ".dpkg-dist", 10, 1 }, { ".dpkg-bak", 9, 1 }, + /* Archlinux packaging files */ + { ".pacsave", 8, 1 }, + { ".pacnew", 7 1 }, /* RPM packaging files have traditionally not been silently ignored */ { ".rpmnew", 7, 0 }, diff --git a/parser/apparmor_parser.pod b/parser/apparmor_parser.pod index c99715413..a4c878bd3 100644 --- a/parser/apparmor_parser.pod +++ b/parser/apparmor_parser.pod 
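Review bot: The added initializer `{ ".pacnew", 7 1 },` is missing the comma between the length and the third field, so libapparmor stops compiling at this commit; it should read `{ ".pacnew", 7, 1 },`. The same malformed line is carried unchanged as a context line in the second patch's private.c hunk, so the series as posted never repairs it. The hand-counted lengths are right here (8 and 7), but they are easy to get wrong on later additions; if the length member is an integer, initializers of the form `sizeof(".pacsave") - 1` would let the compiler compute them. The third field is presumably the "silent" flag, going by the comment on the rpm entries, and the `ignored_suffixes[]` array begins and ends outside the hunk.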
@@ -46,9 +46,9 @@ program. The B may be specified by file name or a directory name containing a set of profiles. If a directory is specified then the B will try to do a profile load for each file in the directory that is not a dot file, or explicitly black listed (*.dpkg-new, -*.dpkg-old, *.dpkg-dist, *-dpkg-bak, *.rpmnew, *.rpmsave, *orig, *.rej, -*~). The B will fall back to taking input from standard -input if a profile or directory is not supplied. +*.dpkg-old, *.dpkg-dist, *-dpkg-bak, *.pacsave, *.pacnew, *.rpmnew, *.rpmsave, +*orig, *.rej, *~). The B will fall back to taking input from +standard input if a profile or directory is not supplied. The input supplied to B should be in the format described in apparmor.d(5). diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions index d8907ec1f..9aae47fbb 100644 --- a/parser/rc.apparmor.functions +++ b/parser/rc.apparmor.functions @@ -117,11 +117,13 @@ skip_profile() { "${profile%\~}" != "${profile}" ] ; then return 1 fi - # Silently ignore the dpkg files + # Silently ignore the dpkg and pacman files if [ "${profile%.dpkg-new}" != "${profile}" -o \ "${profile%.dpkg-old}" != "${profile}" -o \ "${profile%.dpkg-dist}" != "${profile}" -o \ - "${profile%.dpkg-bak}" != "${profile}" ] ; then + "${profile%.dpkg-bak}" != "${profile}" -o \ + "${profile%.pacsave}" != "${profile}" -o \ + "${profile%.pacnew}" != "${profile}" ] ; then return 2 fi diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py index 0377199c1..24f8f2f56 100644 --- a/utils/apparmor/aa.py +++ b/utils/apparmor/aa.py 
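Review bot: The two new tests in `skip_profile()` extend an `-o` chain inside `[ ]`, which POSIX marks obsolescent and which grows by one line per suffix; the check reads more directly as a pattern list, e.g. `case "${profile}" in *.dpkg-new|*.dpkg-old|*.dpkg-dist|*.dpkg-bak|*.pacsave|*.pacnew) return 2 ;; esac`, which matches the same names because `"${profile%.pacsave}" != "${profile}"` is only a suffix test. The second patch's rc.apparmor.functions hunk appends `.dpkg-remove` to the same chain and would fold into such a pattern list the same way. Whichever form is kept, a comment naming the other copies of this list (`ignored_suffixes[]` in libraries/libapparmor/src/private.c and `skippable_suffix` in utils/apparmor/aa.py) would help keep them aligned. The body of `skip_profile()` starts before the hunk.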
@@ -2031,7 +2031,7 @@ def is_skippable_file(path): if not basename or basename[0] == '.' or basename == 'README': return True - skippable_suffix = ('.dpkg-new', '.dpkg-old', '.dpkg-dist', '.dpkg-bak', '.rpmnew', '.rpmsave', '.orig', '.rej', '~') + skippable_suffix = ('.dpkg-new', '.dpkg-old', '.dpkg-dist', '.dpkg-bak', '.pacsave', '.pacnew', '.rpmnew', '.rpmsave', '.orig', '.rej', '~') if basename.endswith(skippable_suffix): return True diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py index 9cf3bbc40..a4b485391 100644 --- a/utils/test/test-aa.py +++ b/utils/test/test-aa.py 
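Review bot: `skippable_suffix` is now the third hand-maintained copy of the ignored-suffix list, alongside `ignored_suffixes[]` in libraries/libapparmor/src/private.c and `skip_profile()` in parser/rc.apparmor.functions, and nothing at this line points a maintainer at the other two. A comment above the tuple such as `# keep in sync with ignored_suffixes[] in libraries/libapparmor/src/private.c and skip_profile() in parser/rc.apparmor.functions` would make the coupling visible; this same series already shows the copies drifting, since the C table's `.pacnew` entry is malformed while this tuple is fine. The second patch's aa.py hunk touches the same line and the same comment applies there. The definition of `is_skippable_file()` begins before the hunk.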
@@ -452,22 +452,26 @@ class AaTest_is_skippable_file(AATest): def test_skippable_04(self): self.assertTrue(is_skippable_file('bin.ping..dpkg-bak')) def test_skippable_05(self): - self.assertTrue(is_skippable_file('bin.ping.rpmnew')) + self.assertTrue(is_skippable_file('bin.ping.pacsave')) def test_skippable_06(self): - self.assertTrue(is_skippable_file('bin.ping.rpmsave')) + self.assertTrue(is_skippable_file('bin.ping.pacnew')) def test_skippable_07(self): - self.assertTrue(is_skippable_file('bin.ping.orig')) + self.assertTrue(is_skippable_file('bin.ping.rpmnew')) def test_skippable_08(self): - self.assertTrue(is_skippable_file('bin.ping.rej')) + self.assertTrue(is_skippable_file('bin.ping.rpmsave')) def test_skippable_09(self): - self.assertTrue(is_skippable_file('bin.ping~')) + self.assertTrue(is_skippable_file('bin.ping.orig')) def test_skippable_10(self): - self.assertTrue(is_skippable_file('.bin.ping')) - def test_skippable_11(self): - self.assertTrue(is_skippable_file('')) # empty filename + self.assertTrue(is_skippable_file('bin.ping.rej')) + def test_skippable_10(self): + self.assertTrue(is_skippable_file('bin.ping~')) def test_skippable_12(self): - self.assertTrue(is_skippable_file('/etc/apparmor.d/')) # directory without filename + self.assertTrue(is_skippable_file('.bin.ping')) def test_skippable_13(self): + self.assertTrue(is_skippable_file('')) # empty filename + def test_skippable_14(self): + self.assertTrue(is_skippable_file('/etc/apparmor.d/')) # directory without filename + def test_skippable_15(self): self.assertTrue(is_skippable_file('README')) From b4fa0cf9f65feceaeac759708e39933bc6893aec Mon Sep 17 00:00:00 2001 
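Review bot: On the new side `test_skippable_10` is defined twice — the retained context line whose body now asserts `'bin.ping.rej'`, and the added `def test_skippable_10(self):` asserting `'bin.ping~'` — so the second definition silently replaces the first in the class body and the `.rej` case is never collected or run, while `test_skippable_11` no longer exists. The added method should be `def test_skippable_11(self):`; the second patch in this series does renumber things, but this commit on its own leaves a dead assertion, so the fix belongs here or the two commits should be squashed. Inserting the new suffixes in the middle of the numbered sequence also forces every later method to be renamed, which hides that only two cases were added; appending the new cases at the end, or driving them from a list if the test harness supports that, would keep the diff to the lines that actually change. The class `AaTest_is_skippable_file` begins before the hunk.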
From: Emerson Bernier Date: Fri, 30 Mar 2018 18:05:06 +0200 Subject: [PATCH 2/2] Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974 --- libraries/libapparmor/src/private.c | 1 + parser/apparmor_parser.pod | 7 ++++--- parser/rc.apparmor.functions | 1 + utils/apparmor/aa.py | 2 +- utils/test/test-aa.py | 22 ++++++++++++---------- 5 files changed, 19 insertions(+), 14 deletions(-) diff --git a/libraries/libapparmor/src/private.c b/libraries/libapparmor/src/private.c index 91c3f9c30..2414f0294 100644 --- a/libraries/libapparmor/src/private.c +++ b/libraries/libapparmor/src/private.c @@ -56,6 +56,7 @@ static struct ignored_suffix_t ignored_suffixes[] = { { ".dpkg-old", 9, 1 }, { ".dpkg-dist", 10, 1 }, { ".dpkg-bak", 9, 1 }, + { ".dpkg-remove", 12, 1 }, /* Archlinux packaging files */ { ".pacsave", 8, 1 }, { ".pacnew", 7 1 }, diff --git a/parser/apparmor_parser.pod b/parser/apparmor_parser.pod index a4c878bd3..c9a5eb11c 100644 --- a/parser/apparmor_parser.pod +++ b/parser/apparmor_parser.pod @@ -46,9 +46,10 @@ program. The B may be specified by file name or a directory name containing a set of profiles. If a directory is specified then the B will try to do a profile load for each file in the directory that is not a dot file, or explicitly black listed (*.dpkg-new, -*.dpkg-old, *.dpkg-dist, *-dpkg-bak, *.pacsave, *.pacnew, *.rpmnew, *.rpmsave, -*orig, *.rej, *~). The B will fall back to taking input from -standard input if a profile or directory is not supplied. +*.dpkg-old, *.dpkg-dist, *.dpkg-bak, *.dpkg-remove, *.pacsave, *.pacnew, +*.rpmnew, *.rpmsave, *.orig, *.rej, *~). +The B will fall back to taking input from standard input if +a profile or directory is not supplied. The input supplied to B should be in the format described in apparmor.d(5). diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions index 9aae47fbb..cc531f1bf 100644 --- a/parser/rc.apparmor.functions +++ b/parser/rc.apparmor.functions 
@@ -122,6 +122,7 @@ skip_profile() { "${profile%.dpkg-old}" != "${profile}" -o \ "${profile%.dpkg-dist}" != "${profile}" -o \ "${profile%.dpkg-bak}" != "${profile}" -o \ + "${profile%.dpkg-remove}" != "${profile}" -o \ "${profile%.pacsave}" != "${profile}" -o \ "${profile%.pacnew}" != "${profile}" ] ; then return 2 diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py index 24f8f2f56..c8089aa8a 100644 --- a/utils/apparmor/aa.py +++ b/utils/apparmor/aa.py @@ -2031,7 +2031,7 @@ def is_skippable_file(path): if not basename or basename[0] == '.' or basename == 'README': return True - skippable_suffix = ('.dpkg-new', '.dpkg-old', '.dpkg-dist', '.dpkg-bak', '.pacsave', '.pacnew', '.rpmnew', '.rpmsave', '.orig', '.rej', '~') + skippable_suffix = ('.dpkg-new', '.dpkg-old', '.dpkg-dist', '.dpkg-bak', '.dpkg-remove', '.pacsave', '.pacnew', '.rpmnew', '.rpmsave', '.orig', '.rej', '~') if basename.endswith(skippable_suffix): return True diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py index a4b485391..db920f27d 100644 --- a/utils/test/test-aa.py +++ b/utils/test/test-aa.py 
@@ -452,26 +452,28 @@ class AaTest_is_skippable_file(AATest): def test_skippable_04(self): self.assertTrue(is_skippable_file('bin.ping..dpkg-bak')) def test_skippable_05(self): - self.assertTrue(is_skippable_file('bin.ping.pacsave')) + self.assertTrue(is_skippable_file('bin.ping.dpkg-remove')) def test_skippable_06(self): - self.assertTrue(is_skippable_file('bin.ping.pacnew')) + self.assertTrue(is_skippable_file('bin.ping.pacsave')) def test_skippable_07(self): - self.assertTrue(is_skippable_file('bin.ping.rpmnew')) + self.assertTrue(is_skippable_file('bin.ping.pacnew')) def test_skippable_08(self): - self.assertTrue(is_skippable_file('bin.ping.rpmsave')) + self.assertTrue(is_skippable_file('bin.ping.rpmnew')) def test_skippable_09(self): + self.assertTrue(is_skippable_file('bin.ping.rpmsave')) + def test_skippable_10(self): self.assertTrue(is_skippable_file('bin.ping.orig')) - def test_skippable_10(self): + def test_skippable_11(self): self.assertTrue(is_skippable_file('bin.ping.rej')) - def test_skippable_10(self): - self.assertTrue(is_skippable_file('bin.ping~')) def test_skippable_12(self): - self.assertTrue(is_skippable_file('.bin.ping')) + self.assertTrue(is_skippable_file('bin.ping~')) def test_skippable_13(self): - self.assertTrue(is_skippable_file('')) # empty filename + self.assertTrue(is_skippable_file('.bin.ping')) def test_skippable_14(self): - self.assertTrue(is_skippable_file('/etc/apparmor.d/')) # directory without filename + self.assertTrue(is_skippable_file('')) # empty filename def test_skippable_15(self): + self.assertTrue(is_skippable_file('/etc/apparmor.d/')) # directory without filename + def test_skippable_16(self): self.assertTrue(is_skippable_file('README'))