mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
36d44a3b25
When generating the flag set the parser was not generating the complete
set when flags where not consecutive. This is because the len value
was not being reset for each flag considered, so once it was set for
a flag, then the next flag would have to be set to reset it else the
output string was still incremented by the old len value.
Eg.
echo "/t { mount options=rbind, }" | apparmor_parser -QT -D rule-exprs
results in
rule: \x07[^\000]*\x00[^\000]*\x00[^\000]*\x00\x0d ->
however \x0d only covers the bind and not the recursive flag
This is fixed by adding a continue to the flags generation loop for the
else case.
resulting the dump from above generating
rule: \x07[^\000]*\x00[^\000]*\x00[^\000]*\x00\x0d\x0f ->
\x0d\x0f covers both of the required flags
Also fix the flags output to allow for the allow any flags case. This
was being screened out. By masking the flags even when no flags where
specified.
this results in a difference of
echo "/t { mount, }" | apparmor_parser -QT -D rule-exprs
rule: \x07[^\000]*\x00[^\000]*\x00[^\000]*\x00(\x01|)(\x02|)(\x03|)(\x04|)(\x05|)\x00[^\000]*
becoming
\x07[^\000]*\x00[^\000]*\x00[^\000]*\x00[^\000]*\x00[^\000]*
which is simplified and covers all permissions vs. the first rule output
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
|
||
|---|---|---|
| .. | ||
| libapparmor_re | ||
| po | ||
| tst | ||
| apparmor-parser.spec.in | ||
| apparmor.d.pod | ||
| apparmor.pod | ||
| apparmor.vim.pod | ||
| apparmor_parser.pod | ||
| COPYING.GPL | ||
| frob_slack_rc | ||
| immunix.h | ||
| Makefile | ||
| mount.c | ||
| mount.h | ||
| parser.conf | ||
| parser.h | ||
| parser_alias.c | ||
| parser_common.c | ||
| parser_include.c | ||
| parser_include.h | ||
| parser_interface.c | ||
| parser_lex.l | ||
| parser_main.c | ||
| parser_merge.c | ||
| parser_misc.c | ||
| parser_policy.c | ||
| parser_regex.c | ||
| parser_symtab.c | ||
| parser_variable.c | ||
| parser_yacc.y | ||
| policydb.h | ||
| rc.aaeventd.redhat | ||
| rc.aaeventd.suse | ||
| rc.apparmor.debian | ||
| rc.apparmor.functions | ||
| rc.apparmor.redhat | ||
| rc.apparmor.slackware | ||
| rc.apparmor.suse | ||
| README | ||
| subdomain.conf | ||
| subdomain.conf.pod | ||
| techdoc.tex | ||
The apparmor_parser allows you to add, replace, and remove AppArmor policy through the use of command line options. The default is to add. `apparmor_parser --help` shows what the command line options are. You can also find more information at <http://forge.novell.com/modules/xfmod/project/?apparmor>. Please send all complaints, bug reports, feature requests, rants about the software, and questions to apparmor-general@forge.novell.com. Security issues should be directed to security@suse.de or secure@novell.com, where we will attempt to conform to the RFP vulnerability disclosure protocol: http://www.wiretrip.net/rfp/policy.html Thanks. -- The AppArmor development team