The kernel has an extended test for change_profile when used with
onexec, that allows it to only work against set executables.

The parser is not correctly mapping change_profile for this test;
update the mapping so change_onexec will work when confined.

Note: the parser does not currently support the extended syntax
that the kernel test allows for, this just enables it to work
for the generic case.

Signed-off-by: John Johansen <john.johan...@canonical.com>
---
 parser/immunix.h      |    1 +
 parser/parser_regex.c |   26 +++++++++++++++++---------
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/parser/immunix.h b/parser/immunix.h
index 8dc157a..ebb2d2e 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -61,6 +61,7 @@
 #define AA_PTRACE_PERMS                        (AA_USER_PTRACE | 
AA_OTHER_PTRACE)
 
 #define AA_CHANGE_HAT                  (1 << 30)
+#define AA_ONEXEC                      (1 << 30)
 #define AA_CHANGE_PROFILE              (1 << 31)
 #define AA_SHARED_PERMS                        (AA_CHANGE_HAT | 
AA_CHANGE_PROFILE)
 
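Review bot: `AA_ONEXEC` is defined as `(1 << 30)`, the same value as `AA_CHANGE_HAT` on the line above, so any check of `mode & AA_CHANGE_HAT` is also true for a mode carrying `AA_ONEXEC`, and `AA_SHARED_PERMS` now covers it as well without saying so. If the bit is deliberately reused because the two never meet in the same rule context (the second hunk only ever passes `AA_ONEXEC` on change_profile rule vectors), a comment should record that so the next reader does not take it for a typo, e.g. `/* shares bit 30 with AA_CHANGE_HAT; only used on change_profile rule vectors */`. Otherwise a distinct bit is needed.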
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 8c34799..d0293e1 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -510,19 +510,27 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, 
struct cod_entry *entry)
                        return FALSE;
        }
        if (entry->mode & AA_CHANGE_PROFILE) {
+               char *vec[3];
+               char lbuf[PATH_MAX + 8];
+               int index = 1;
+
+               /* allow change_profile for all execs */
+               vec[0] = "/[^/\x00]*";
+
                if (entry->namespace) {
-                       char *vec[2];
-                       char lbuf[PATH_MAX + 8];
                        int pos;
                        ptype = convert_aaregex_to_pcre(entry->namespace, 0, 
lbuf, PATH_MAX + 8, &pos);
-                       vec[0] = lbuf;
-                       vec[1] = tbuf;
-                       if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 
0, 2, vec, dfaflags))
-                           return FALSE;
-               } else {
-                 if (!aare_add_rule(dfarules, tbuf, 0, AA_CHANGE_PROFILE, 0, 
dfaflags))
-                               return FALSE;
+                       vec[index++] = lbuf;
                }
+               vec[index++] = tbuf;
+
+               /* regular change_profile rule */
+               if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index 
-1, &vec[1], dfaflags))
+                       return FALSE;
+               /* onexec rule - both rules are needed for onexec */
+               if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, 
dfaflags))
+                       return FALSE;
+
        }
        if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
                int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
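Review bot: `vec[0] = "/[^/\x00]*";` uses a C hex escape, so the literal holds an actual NUL byte after `/[^/` and the trailing `]*` is invisible to anything that consumes the pattern as a NUL-terminated string; the exec-path component then reads as an unterminated character class rather than "one non-slash path component". If the intent is a regex that excludes NUL from the match, the backslash must be escaped so the four characters `\x00` reach the regex converter: `vec[0] = "/[^/\\x00]*";`. Whether aare_add_rule_vec treats its arguments as C strings cannot be confirmed from this hunk, but it is the likely reading given `tbuf`/`lbuf` are passed the same way. process_dfa_entry begins and ends outside this hunk.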
-- 
1.7.9.1

