Merge branch 'cboltz-parse-remainder' into 'master'

parse_profile_data(): Ensure last line in a profile is valid

'lastline' gets merged into 'line' (and reset to None) when reading the
next line. If 'lastline' isn't empty after reading the whole profile,
this means there's something unparseable at the end of the profile,
therefore parse_profile_data() should error out.

Also remove some simple_tests testcases from the 'exception_not_raised'
list - they only didn't raise the exception because the invalid rule was
the last line in the affected profile.

Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
discovering this bug while adding some xattr testcases that surprisingly
didn't fail in the tools.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/271
Acked-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2018-11-13 23:58:54 +00:00
commit 9db669a0ef
2 changed files with 5 additions and 10 deletions

View file

@ -2544,6 +2544,11 @@ def parse_profile_data(data, file, do_include):
else: else:
raise AppArmorException(_('Syntax Error: Unknown line found in file %(file)s line %(lineno)s:\n %(line)s') % { 'file': file, 'lineno': lineno + 1, 'line': line }) raise AppArmorException(_('Syntax Error: Unknown line found in file %(file)s line %(lineno)s:\n %(line)s') % { 'file': file, 'lineno': lineno + 1, 'line': line })
if lastline:
# lastline gets merged into line (and reset to None) when reading the next line.
# If it isn't empty, this means there's something unparseable at the end of the profile
raise AppArmorException(_('Syntax Error: Unknown line found in file %(file)s line %(lineno)s:\n %(line)s') % { 'file': file, 'lineno': lineno + 1, 'line': lastline })
# Below is not required I'd say # Below is not required I'd say
if not do_include: if not do_include:
for hatglob in cfg['required_hats'].keys(): for hatglob in cfg['required_hats'].keys():

View file

@ -40,11 +40,6 @@ skip_startswith = (
# testcases that should raise an exception, but don't # testcases that should raise an exception, but don't
exception_not_raised = [ exception_not_raised = [
# most abi/bad_* aren't detected as bad by the basic implementation in the tools # most abi/bad_* aren't detected as bad by the basic implementation in the tools
'abi/bad_1.sd',
'abi/bad_2.sd',
'abi/bad_3.sd',
'abi/bad_4.sd',
'abi/bad_5.sd',
'abi/bad_10.sd', 'abi/bad_10.sd',
'abi/bad_11.sd', 'abi/bad_11.sd',
'abi/bad_12.sd', 'abi/bad_12.sd',
@ -155,13 +150,9 @@ exception_not_raised = [
'unix/bad_regex_04.sd', 'unix/bad_regex_04.sd',
'unix/bad_shutdown_1.sd', 'unix/bad_shutdown_1.sd',
'unix/bad_shutdown_2.sd', 'unix/bad_shutdown_2.sd',
'vars/boolean/boolean_bad_1.sd',
'vars/boolean/boolean_bad_2.sd', 'vars/boolean/boolean_bad_2.sd',
'vars/boolean/boolean_bad_3.sd', 'vars/boolean/boolean_bad_3.sd',
'vars/boolean/boolean_bad_4.sd', 'vars/boolean/boolean_bad_4.sd',
'vars/boolean/boolean_bad_6.sd',
'vars/boolean/boolean_bad_7.sd',
'vars/boolean/boolean_bad_8.sd',
'vars/vars_bad_3.sd', 'vars/vars_bad_3.sd',
'vars/vars_bad_4.sd', 'vars/vars_bad_4.sd',
'vars/vars_bad_5.sd', 'vars/vars_bad_5.sd',
@ -200,7 +191,6 @@ exception_not_raised = [
'vars/vars_recursion_2.sd', 'vars/vars_recursion_2.sd',
'vars/vars_recursion_3.sd', 'vars/vars_recursion_3.sd',
'vars/vars_recursion_4.sd', 'vars/vars_recursion_4.sd',
'vars/vars_simple_assignment_10.sd',
'vars/vars_simple_assignment_3.sd', 'vars/vars_simple_assignment_3.sd',
'vars/vars_simple_assignment_8.sd', 'vars/vars_simple_assignment_8.sd',
'vars/vars_simple_assignment_9.sd', 'vars/vars_simple_assignment_9.sd',