mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-05 17:01:00 +01:00
d37f777858
Hat declarations ("^hat,") were added in 2.3 for declaring external
hats, but in the meantime aren't supported by the parser anymore (tested
with 2.9.2 parser).
Additionally, if a profile contains both a hat declaration and the hat
("^hat { ...}"), the hat declaration can overwrite the content of the
hat on a "last one wins" base.
This is caused by setting 'declared' to True, which means write_piece()
will only write the "^hat," line, but not the "^hat { ... }" block.
Therefore no longer set 'declared' to True, print a warning that hat
declarations are no longer supported, and ignore the rule. This also
means that running aa-cleanprof can make the profile valid again :-)
Also no longer change 'hat' when hitting a profile declaration, which
also looks wrong.
Note: This change removes the only usage of 'declared'. A follow-up
patch (trunk only) will completely remove the 'declared' handling.
Reproducer profile (run aa-cleanprof on it):
(will crash in remove_duplicate_rules() 80% of the time - if so, try
multiple times. One of the next patches will fix that. Or just try 2.9,
which doesn't have the crash in remove_duplicate_rules().)
/usr/bin/true {
^FOO {
capability setgid,
}
# deletes the content of ^FOO when saving the profile! (last one wins)
# additionally, the parser says this is invalid syntax
^FOO,
}
See also the "Hat declarations" thread on the ML,
https://lists.ubuntu.com/archives/apparmor/2015-June/008107.html
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for both 2.9 and trunk.
|
||
|---|---|---|
| .. | ||
| apparmor | ||
| easyprof | ||
| po | ||
| test | ||
| vim | ||
| aa-audit | ||
| aa-audit.pod | ||
| aa-autodep | ||
| aa-autodep.pod | ||
| aa-cleanprof | ||
| aa-cleanprof.pod | ||
| aa-complain | ||
| aa-complain.pod | ||
| aa-decode | ||
| aa-decode.pod | ||
| aa-disable | ||
| aa-disable.pod | ||
| aa-easyprof | ||
| aa-easyprof.pod | ||
| aa-enforce | ||
| aa-enforce.pod | ||
| aa-exec | ||
| aa-exec.pod | ||
| aa-genprof | ||
| aa-genprof.pod | ||
| aa-logprof | ||
| aa-logprof.pod | ||
| aa-mergeprof | ||
| aa-mergeprof.pod | ||
| aa-notify | ||
| aa-notify.pod | ||
| aa-sandbox | ||
| aa-sandbox.pod | ||
| aa-status | ||
| aa-status.pod | ||
| aa-unconfined | ||
| aa-unconfined.pod | ||
| check_po.pl | ||
| logprof.conf | ||
| logprof.conf.pod | ||
| Makefile | ||
| notify.conf | ||
| python-tools-setup.py | ||
| README.md | ||
| severity.db | ||
Known Bugs: Will allow multiple letters in the () due to translation/unicode issues with regexing the key. User input will probably bug out in a different locale.