https://launchpad.net/bugs/1628286
The utils were enforcing that the dbus rule attributes were strictly
ordered in the following fashion:
bus -> path -> interface -> member -> peer
However, the parser has always accepted the attributes in any order. If
the system contained a profile which did not use the strict ordering
enforced by the utils, the utils would refuse to operate at all.
This patch eases the restriction on the ordering at the expense of the
utils no longer being able to detect and reject a single attribute that
is repeated multiple times. In that situation, only the last occurrence
of the attribute will be honored by the utils.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
Cc: Christian Boltz <appar...@cboltz.de>
---
utils/apparmor/rule/dbus.py | 12 ++++++------
utils/test/test-dbus.py | 6 ++++++
utils/test/test-parser-simple-tests.py | 8 +++-----
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/utils/apparmor/rule/dbus.py b/utils/apparmor/rule/dbus.py
index 60f1ecf..58dc7b5 100644
--- a/utils/apparmor/rule/dbus.py
+++ b/utils/apparmor/rule/dbus.py
@@ -40,11 +40,11 @@ RE_FLAG =
'(?P<%s>(\S+|"[^"]+"|\(\s*\S+\s*\)|\(\s*"[^"]+"\)\s*))' # s
RE_DBUS_DETAILS = re.compile(
'^' +
'(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' + # optional access
keyword(s)
- '(\s+(bus\s*=\s*' + RE_FLAG % 'bus' + '))?' + # optional bus=
system | session | AARE, (...) optional
- '(\s+(path\s*=\s*' + RE_FLAG % 'path' + '))?' + # optional
path=AARE, (...) optional
- '(\s+(name\s*=\s*' + RE_FLAG % 'name' + '))?' + # optional
name=AARE, (...) optional
- '(\s+(interface\s*=\s*' + RE_FLAG % 'interface' + '))?' + # optional
interface=AARE, (...) optional
- '(\s+(member\s*=\s*' + RE_FLAG % 'member' + '))?' + # optional
member=AARE, (...) optional
+ '((\s+(bus\s*=\s*' + RE_FLAG % 'bus' + '))?|' + # optional
bus= system | session | AARE, (...) optional
+ '(\s+(path\s*=\s*' + RE_FLAG % 'path' + '))?|' + # optional
path=AARE, (...) optional
+ '(\s+(name\s*=\s*' + RE_FLAG % 'name' + '))?|' + # optional
name=AARE, (...) optional
+ '(\s+(interface\s*=\s*' + RE_FLAG % 'interface' + '))?|' + # optional
interface=AARE, (...) optional
+ '(\s+(member\s*=\s*' + RE_FLAG % 'member' + '))?|' + # optional
member=AARE, (...) optional
'(\s+(peer\s*=\s*\((,|\s)*' + # optional peer=( name=AARE and/or
label=AARE ), (...) required
'(' +
'(' + '(,|\s)*' + ')' + # empty peer=()
@@ -57,7 +57,7 @@ RE_DBUS_DETAILS = re.compile(
'|' # or
'(' + 'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel3' +
'(,|\s)+' + 'name\s*=\s*' + RE_PROFILE_NAME % 'peername3' + ')' + # peer
label + name (match name peername3/peerlabel3)
')'
- '(,|\s)*\)))?'
+ '(,|\s)*\)))?){0,6}'
'\s*$')
diff --git a/utils/test/test-dbus.py b/utils/test/test-dbus.py
index 5b676bc..f1bcb25 100644
--- a/utils/test/test-dbus.py
+++ b/utils/test/test-dbus.py
@@ -89,6 +89,10 @@ class DbusTestParse(DbusTest):
('dbus peer=(, label = bar, name = foo ),' , exp(False, False,
False, '', None , True , None, True, None,
True, None, True, None, True, None, True, 'foo',
False, 'bar,', False)), # XXX peerlabel includes the comma
('dbus peer=( label = bar , name = foo ),' , exp(False, False,
False, '', None , True , None, True, None,
True, None, True, None, True, None, True, 'foo',
False, 'bar', False)),
('dbus peer=( label = "bar" name = "foo" ),' , exp(False, False,
False, '', None , True , None, True, None,
True, None, True, None, True, None, True, 'foo',
False, 'bar', False)),
+ ('dbus path=/foo/bar bus=session,' , exp(False, False,
False, '', None , True , 'session', False, '/foo/bar',
False, None, True, None, True, None, True, None,
True, None, True)),
+ ('dbus bus=system path=/foo/bar bus=session,' , exp(False, False,
False, '', None , True , 'session', False, '/foo/bar',
False, None, True, None, True, None, True, None,
True, None, True)),
+ ('dbus send peer=(label="foo") bus=session,' , exp(False, False,
False, '', {'send'}, False, 'session', False, None,
True, None, True, None, True, None, True, None,
True, 'foo', False)),
+ ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6,' , exp(False, False,
False, '', None , True , '6', False, None,
True, None, True, None, True, None, True, None,
True, None, True)),
]
def _run_test(self, rawrule, expected):
@@ -108,6 +112,8 @@ class DbusTestParseInvalid(DbusTest):
('dbus peer=(label=foo) path=,' , AppArmorException),
('dbus (invalid),' , AppArmorException),
('dbus peer=,' , AppArmorException),
+ ('dbus bus=session bind bus=system,', AppArmorException),
+ ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6 bus=7,', AppArmorException),
]
def _run_test(self, rawrule, expected):
diff --git a/utils/test/test-parser-simple-tests.py
b/utils/test/test-parser-simple-tests.py
index 11617b5..92d81c3 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -52,6 +52,7 @@ exception_not_raised = [
'change_profile/onx_conflict_unsafe1.sd',
'change_profile/onx_conflict_unsafe2.sd',
+ 'dbus/bad_modifier_2.sd',
'dbus/bad_regex_01.sd',
'dbus/bad_regex_02.sd',
'dbus/bad_regex_03.sd',
@@ -154,6 +155,8 @@ exception_not_raised = [
'vars/vars_dbus_bad_01.sd',
'vars/vars_dbus_bad_02.sd',
'vars/vars_dbus_bad_03.sd',
+ 'vars/vars_dbus_bad_04.sd',
+ 'vars/vars_dbus_bad_05.sd',
'vars/vars_dbus_bad_06.sd',
'vars/vars_dbus_bad_07.sd',
'vars/vars_file_evaluation_7.sd',
@@ -262,11 +265,6 @@ syntax_failure = [
'xtrans/simple_ok_pix_1.sd', # Invalid mode pIx
'xtrans/simple_ok_pux_1.sd', # Invalid mode rPux
- # dbus regex mismatch
- 'vars/vars_dbus_4.sd',
- 'vars/vars_dbus_9.sd',
- 'vars/vars_dbus_2.sd',
-
# misc
'vars/vars_dbus_8.sd', # Path doesn't start with / or variable:
{/@{TLDS}/foo,/com/@{DOMAINS}}
'vars/vars_simple_assignment_12.sd', # Redefining existing variable
@{BAR} ('\' not handled)
--
2.7.4
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
