Fix permissions attached to the bare file keyword

file, was not given the correct permissions. It was only being given the owner set of permissions. This would result in rejects when trying look at files owned by other users Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2025-03-04 08:24:42 +01:00 · 2012-03-09 04:23:25 -08:00 · 2012-03-09 04:23:25 -08:00 · b0b2bde160
commit b0b2bde160
parent 3a1b7bb54c
3 changed files with 23 additions and 6 deletions
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@ -964,11 +964,13 @@ frule:	file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
 file_rule: TOK_FILE TOK_END_OF_RULE
 	{
 		char *path = strdup("/**");
+		int perms = ((AA_BASE_PERMS & ~AA_EXEC_TYPE) |
+			     (AA_EXEC_INHERIT | AA_MAY_EXEC));
+		/* duplicate to other permission set */
+		perms |= perms << AA_OTHER_SHIFT;
 		if (!path)
 			yyerror(_("Memory allocation error."));
-		$$ = do_file_rule(NULL, path, ((AA_BASE_PERMS & ~AA_EXEC_TYPE) |
-					       (AA_EXEC_INHERIT | AA_MAY_EXEC)),
-				  NULL, NULL);
+		$$ = do_file_rule(NULL, path, perms, NULL, NULL);
 	}
 	| opt_file file_rule_tail { $$ = $2; }

--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@ -164,9 +164,10 @@ sub gen_file($) {
  my $rule = shift;
  my @rules = split (/:/, $rule);
  # default: file rules
-  if (@rules != 2) {
-    (!$nowarn) && print STDERR "Warning: invalid file access '$rule', ignored\n";
-  } else {
+  if (@rules == 1) {
+      # support raw rules
+      push (@{$output_rules{$hat}}, "  $rules[0],\n");
+  } elsif (@rules == 2) {
    if ($escape) {
      $rules[0]=~ s/(["[\]{}\\\:\#])/\\$1/g;
      $rules[0]=~ s/(\#)/\\043/g;
@ -176,6 +177,8 @@ sub gen_file($) {
    } else {
      push (@{$output_rules{$hat}}, "  $rules[0] $rules[1],\n");
    }
+  } else {
+    (!$nowarn) && print STDERR "Warning: invalid file access '$rule', ignored\n";
  }
 }

--- a/tests/regression/apparmor/open.sh
+++ b/tests/regression/apparmor/open.sh
@ -54,3 +54,15 @@ runchecktest "OPEN R+dac_override" fail $file
 rm -f ${file}
 genprofile $file:$badperm2
 runchecktest "OPEN W (create)" fail $file
+
+# This is a test where using just a raw 'file,' rule allowing all file
+# access
+genprofile file
+runchecktest "OPEN 'file' RW" pass $file
+
+# this test is to make sure the raw 'file' rule allows access to things
+# that are not covered by the owner rule
+chown nobody $file
+chmod 666 $file
+genprofile file
+runchecktest "OPEN 'file' RW" pass $file