[apparmor] [utils] Allow Perl utils to store and write back unsupported rules

Kshitij Gupta kgupta8592 at gmail.com
Wed Oct 8 19:14:37 UTC 2014


Hello,

The deprecated Perl utils (still used in YaST) don't support many
rules, and these rules are effectively ignored and, when writing back,
lost.

This patch:
- allows the unsupported rules to be stored when parsing profiles
- writes all the unsupported rules back to the profile

=== modified file 'deprecated/utils/Immunix/AppArmor.pm'
--- deprecated/utils/Immunix/AppArmor.pm    2014-10-08 16:46:09 +0000
+++ deprecated/utils/Immunix/AppArmor.pm    2014-10-08 19:17:50 +0000
@@ -5440,7 +5440,12 @@
             }
         } elsif
(/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(capability|dbus|file|mount|pivot_root|remount|umount|signal|unix|ptrace)/)
{
         # ignore valid rules that are currently unsupported by AppArmor.pm
-            # BUG: when writing the profile, those rules are lost!
+            if (! defined $profile_data->{$profile}{$hat}{unsupported_rules}) {
+                $profile_data->{$profile}{$hat}{unsupported_rules} = [];
+            }
+            $_ =~ s/^\s+|\s+$//g;
+            push @{$profile_data->{$profile}{$hat}{unsupported_rules}}, $_ ;
+
         } else {
         # we hit something we don't understand in a profile...
         die sprintf(gettext('%s contains syntax errors. Line [%s]'),
$file, $_) . "\n";
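Review bot: the context comment at the top of this branch still reads "ignore valid rules that are currently unsupported by AppArmor.pm", but the branch now stores those lines, so the comment should say that they are kept in unsupported_rules for write-back. The `defined` check and the `= []` initialisation can also be dropped, since `push @{$profile_data->{$profile}{$hat}{unsupported_rules}}, $_;` autovivifies the array, and the trim can be written as `s/^\s+|\s+$//g;` without the explicit `$_ =~`.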
@@ -5894,6 +5899,25 @@
     return @data;
 }

+sub writeunsupportedrules ($$) {
+    my ($prof_data, $depth) = @_;
+
+    my @data;
+    my $pre = "  " x $depth;
+
+    if (defined $prof_data->{unsupported_rules}) {
+
+        for my $rule (@{$prof_data->{unsupported_rules}}){
+            push @data, "${pre}${rule}";
+        }
+
+        push @data, "";
+    }
+
+    return @data;
+
+}
+
 sub write_rules ($$) {
     my ($prof_data, $depth) = @_;

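Review bot: writeunsupportedrules has no comment saying that it emits the stored lines verbatim, in the order they were parsed, with only the indent added; a one-line comment above the sub would make clear that nothing is validated, sorted or de-duplicated here. The blank lines after `if (defined $prof_data->{unsupported_rules}) {` and between `return @data;` and the closing brace can be removed.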
@@ -5904,6 +5928,7 @@
     push @data, writerlimits($prof_data, $depth);
     push @data, writecapabilities($prof_data, $depth);
     push @data, writenetdomain($prof_data, $depth);
+    push @data, writeunsupportedrules($prof_data, $depth); ## Legacy
support for unknown/new rules
     push @data, writelinks($prof_data, $depth);
     push @data, writepaths($prof_data, $depth);
     push @data, writechange_profile($prof_data, $depth);
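Review bot: the added `push @data, writeunsupportedrules($prof_data, $depth);` line in write_rules carries a trailing comment long enough that the mail wrapped it, leaving "support for unknown/new rules" on a line of its own with no diff prefix, so this hunk will not apply as sent. Putting the comment on its own line above the call keeps the line short. The word "Legacy" is also ambiguous there, since the rules concerned are the ones these legacy tools do not parse, and the comment could say so directly.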


Regards,
Kshitij Gupta


