Hello,

we replaced parse_audit_allow() with parse_modifiers() in r2833, but overlooked that parse_modifiers() returns allow/deny as boolean. This resulted in storing bare file rules in aa[profile][hat]['path'][False] instead of aa[profile][hat]['path']['allow'] (or True instead of 'deny' for 'deny file,' rules), with the user-visible result of losing bare file rules when saving the profile.
This patch converts the boolean value from parse_modifiers back to a string.

Note: 2.9 is not affected because the old parse_audit_allow() returns 'allow' or 'deny' as string, not as boolean.

BTW: I noticed this while playing with a more strict profile_storage() that uses more dict()s instead of a big hasher() monster.

[ 18-fix-bare-file-rule.diff ]

=== modified file ./utils/apparmor/aa.py --- utils/apparmor/aa.py 2015-10-23 19:53:08.919616025 +0200 +++ utils/apparmor/aa.py 2015-10-27 23:27:14.835966475 +0100 @@ -2799,8 +2810,12 @@ if not profile: raise AppArmorException(_('Syntax Error: Unexpected bare file rule found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 }) - audit, allow, allow_keyword, comment = parse_modifiers(matches) + audit, deny, allow_keyword, comment = parse_modifiers(matches) # TODO: honor allow_keyword and comment + if deny: + allow = 'deny' + else: + allow = 'allow' mode = apparmor.aamode.AA_BARE_FILE_MODE if not matches.group('owner'):

Regards,

Christian Boltz
--
Of course you can fell trees with nail scissors, and it is considerably safer than, let's say, a chainsaw. Nevertheless, a saw is the correct tool.
[Ratti in suse-linux]
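Review bot: The boolean-to-string conversion in the added "if deny:" / "else:" block is done inline at this one call site, so any other place that takes the second return value of parse_modifiers() and uses it as a key under ['path'] would still store rules under True/False; it is worth checking the remaining callers and sharing one conversion, for example the single expression "allow = 'deny' if deny else 'allow'". The diff as shown touches only utils/apparmor/aa.py and adds no regression test; a round-trip test that parses a profile containing "file," and "deny file," and checks that both rules are still present after saving would pin the fix down. The variable named allow now holds the string 'allow' or 'deny' rather than a truth value, so a short comment that it is the storage key would make the boolean mix-up less likely to recur. The unchanged "# TODO: honor allow_keyword and comment" line also means both values are still discarded for bare file rules, which could be mentioned in the commit message as a known remaining gap.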