[apparmor] [patch] [06/38] Add FileRule and FileRuleset
Steve Beattie
steve at nxnw.org
Sat Oct 1 00:00:34 UTC 2016
On Thu, Sep 29, 2016 at 09:08:36PM +0200, Christian Boltz wrote:
> Hello,
>
> On Friday, 12 August 2016, 22:47:07 CEST, Christian Boltz wrote:
> > +def split_perms(perm_string, deny):
> > + '''parse permission string
> > + - perm_string: the permission string to parse
> > + - deny: True if this is a deny rule
> > + '''
> > + perms = set()
> > + exec_mode = None
> > +
> > + while perm_string:
> > + if perm_string[0] in file_permissions:
> > + perms.add(perm_string[0])
> > + perm_string = perm_string[1:]
> > + elif perm_string[0] == 'x':
> > + if not deny:
> > + raise AppArmorException(_("'x' must be preceded by an exec qualifier (i, P, C or U)"))
> > + exec_mode = 'x'
> > + perm_string = perm_string[1:]
> > + elif perm_string.startswith(allow_exec_transitions):
> > + if exec_mode:
> > + raise AppArmorException(_('conflicting execute permissions found: %s and %s' % (exec_mode, perm_string[0:2])))
> > + exec_mode = perm_string[0:2]
> > + perm_string = perm_string[2:]
> > + elif perm_string.startswith(allow_exec_fallback_transitions) and not deny:
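Review bot: In the `elif perm_string.startswith(allow_exec_transitions):` branch, the `%` interpolation happens inside the `_()` call, so gettext is asked to look up the already formatted message and a translated string can never match. Close the `_()` call before formatting: `_('conflicting execute permissions found: %s and %s') % (exec_mode, perm_string[0:2])`. The bare `'x'` branch above it also assigns `exec_mode = 'x'` without the `if exec_mode:` conflict check that this branch performs, so an exec mode set earlier in the string is silently overwritten there; adding the same check would make the two branches consistent.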
>
> I'd like to change this to
>
> + elif perm_string.startswith(allow_exec_fallback_transitions):
>
> (= drop the "and not deny" part) for two reasons:
> - to get it in sync with the allow_exec_transitions check
> - to get a better error message - with the "and not deny" in place, a
> "deny /foo pix," rule will result in hitting the else branch ("unknown
> character"). Without the "and not deny" check, __init__ will do the
> error checking and come up with a more helpful error message.
>
>
> Opinions? Acks? Objections? ;-)
Sounds reasonable to me, Acked-by: Steve Beattie <steve at nxnw.org>.
Thanks.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/