[apparmor] [PATCH 09/11] Make meaning of leading permissions consistent with trailing permissions
John Johansen
john.johansen at canonical.com
Tue Dec 14 08:58:46 GMT 2010
x permissions specified at the start of a rule had a different
meaning than when they appeared at the tail of the rule.
Specifically px,cx,ux were not treated as unsafe when they appeared at
the start of the rule.
px /foo,
instead of at the tail of the rule
/foo px,
the keyword unsafe had to be used to force the rule to cause the x transition
to be its unsafe variant.
Fix leading permissions so that they are consistent with file rules that
use trailing permissions.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser_yacc.y | 5 +++--
.../xtrans/simple_bad_x_mods_first_34.sd | 16 ----------------
parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd | 4 ++--
3 files changed, 5 insertions(+), 20 deletions(-)
delete mode 100644 parser/tst/simple_tests/xtrans/simple_bad_x_mods_first_34.sd
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 7f5191e..80f2378 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -879,11 +879,12 @@ opt_unsafe: { /* nothing */ $$ = 0; }
rule: opt_unsafe file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
{
- int mode = $2 & ~ALL_AA_EXEC_UNSAFE;
+ int mode = $2;
if ($1) {
if (!($2 & AA_EXEC_BITS))
yyerror(_("unsafe rule missing exec permissions"));
- mode |= (($2 & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE;
+ mode = ($2 & ~ALL_AA_EXEC_UNSAFE) |
+ ((($2 & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE);
}
if ($3 && ($2 & ~AA_LINK_BITS))
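Review bot: The new default `int mode = $2;` means a leading lowercase `px`/`cx`/`ux` now keeps its ALL_AA_EXEC_UNSAFE bits where the old code stripped them, so any deployed profile that wrote `px /foo,` relying on the old effectively-safe meaning silently loses environment scrubbing on that transition, and the hunk adds no diagnostic for it. Unless a later patch in the series does so, this action should at least warn once when leading lowercase exec perms are used without the `unsafe` keyword, and the behavior change belongs in the changelog. The intent would also be clearer with a comment above the assignment, e.g. `/* leading perms keep any unsafe bits, as trailing perms do; the unsafe keyword only forces the unsafe variant of the exec bits */`. The `rule:` action continues past the end of the hunk.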
diff --git a/parser/tst/simple_tests/xtrans/simple_bad_x_mods_first_34.sd b/parser/tst/simple_tests/xtrans/simple_bad_x_mods_first_34.sd
deleted file mode 100644
index 2ab50b0..0000000
--- a/parser/tst/simple_tests/xtrans/simple_bad_x_mods_first_34.sd
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-#=DESCRIPTION test pix - in forward perms P and p are the same and the
-# unsafe keyword is required. So these should conflict
-#=EXRESULT FAIL
-#
-/usr/bin/foo {
- /bin/cat pix,
- /bin/foo Pix,
- /bin/bar pIx,
- /bin/a PIx,
-
- pix /bin/cat,
- Pix /bin/foo,
- pIx /bin/bar,
- PIx /bin/a,
-}
diff --git a/parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd b/parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd
index 4a4b9ae..c8e6ab1 100644
--- a/parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd
+++ b/parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd
@@ -9,7 +9,7 @@
/bin/a PIx,
unsafe pix /bin/cat,
- pix /bin/foo,
+ Pix /bin/foo,
unsafe pix /bin/bar,
- pix /bin/a,
+ Pix /bin/a,
}
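Review bot: Nothing in this test now asserts the behavior the series claims, that a leading `pix /bin/cat,` parses and agrees with the trailing `/bin/cat pix,` form; the old conflict test was deleted rather than converted, so a regression back to stripping the unsafe bits would go unnoticed. Re-adding the deleted profile (the four trailing-perm lines followed by `pix /bin/cat,`, `Pix /bin/foo,`, `pIx /bin/bar,`, `PIx /bin/a,`) with `#=EXRESULT PASS` would lock the new semantics in. Also, `unsafe pix /bin/cat,` is now a no-op combination under the new parser action; changing one of those lines to `unsafe Pix /bin/cat,` would actually exercise the keyword flipping a safe transition to its unsafe variant.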
--
1.7.1