Re: [apparmor] AppArmor APIs

2015-12-14 Thread John Johansen
On 12/14/2015 02:49 PM, Seth Arnold wrote:
> On Mon, Dec 14, 2015 at 03:44:56PM +, Colin Ian King wrote:
>> I'm looking at writing some stress tests for AppArmor, so I'd like to
>> construct some simple rules and insert/remove them.  I looked for some
>> API documentation, but all I can find is:
>>
>> http://wiki.apparmor.net/index.php/AppArmorAPIs
> 
> Excellent, thanks!
> 
>> Are there any API docs, guides or worked examples for libaaparse and
>> libapparmor?
> 
> libaaparse doesn't yet exist. There is work underway to make the
> apparmor_parser suitable for use as a library but it is currently only
> usable as an executable.
>

Actually it does; it's pretty rudimentary though, but gen/logprof has been
using it since 2.3. It consists of 2 fns
  parse_record and free_record

> The simplest way to create rules, load, and unload would be something like
> this:
> 
> echo "profile profile_name /attachment/specification { /rules/ r, }" | \
> apparmor_parser --replace
> 
> (I always use --replace because it's idempotent. --add is not.)
> 
> echo "profile profile_name /attachment/specification { }" | \
> apparmor_parser --remove
> 
sure, this is a parser level view. I think Colin is really looking to
stress the underlying interfaces, which are in desperate need of documentation


> If this is too onerous for integrating into stress-ng, then the next best
> starting point is probably process_profile() in parser_main.c. That
> orchestrates loading either a binary blob from the cache or the compiled
> profile into the kernel. Since there's extensive use of global variables
> in the parser it probably still makes sense to fork off new processes for
> each use as needed. (Even this seems like it might be a lot of work
> compared to stealing the 'interface' code from parser_interface.c and
> using that on stress-ng-supplied binary blobs.)
> 
the parser has decent documentation between
man apparmor_parser
man apparmor.d
and apparmor_parser -h

but yes the underlying code is a mess, and I don't see much point in
documenting it until we have finished the transition (from C to more C++).
Currently the front and mid are in the parser/ dir, the main work is done in
parser/libapparmor_re/, and the loading is driven by the from in
parser/ and libapparmor

the bulk of the parser tests are either inlined unit tests that are built by
defining some macros, or tests under the tst/ dir, with the simple_tests/ dir
having profile syntax examples and other tests focused on other parts


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] [PATCH] parser: Honor the --namespace-string commandline option

2015-12-14 Thread Seth Arnold
On Mon, Dec 14, 2015 at 05:21:40PM -0600, Tyler Hicks wrote:
> https://launchpad.net/bugs/1526085
> 
> Revno 2934 'Add fns to handle profile removal to the kernel interface'
> introduced a regression in the parser's namespace support by causing the
> --namespace-string option to be ignored. This resulted in the profile(s)
> being loaded into the global namespace rather than the namespace
> specified on the command line.
> 
> This patch fixes the bug by setting the Profile object's ns member, if
> the --namespace-string option was specified, immediately after the
> Profile object is allocated.
> 
> Signed-off-by: Tyler Hicks 

Acked-by: Seth Arnold 

Acked for both trunk and 2.10.

Thanks

> ---
> 
> Nominated for 2.10 and trunk.
> 
> Tyler
> 
>  parser/parser_yacc.y | 22 +-
>  1 file changed, 17 insertions(+), 5 deletions(-)
> 
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index d17eab9..2a48367 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -318,6 +318,13 @@ profile_base: TOK_ID opt_id_or_var flags TOK_OPEN rules 
> TOK_CLOSE
>   yyerror(_("Memory allocation error."));
>   }
>  
> + /* Honor the --namespace-string command line option */
> + if (profile_ns) {
> + prof->ns = strdup(profile_ns);
> + if (!prof->ns)
> + yyerror(_("Memory allocation error."));
> + }
> +
>   prof->name = $1;
>   prof->attachment = $2;
>   if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
> @@ -351,12 +358,17 @@ profile:  opt_profile_flag opt_ns profile_base
>   if ($3->name[0] != '/' && !($1 || $2))
>   yyerror(_("Profile names must begin with a '/', 
> namespace or keyword 'profile' or 'hat'."));
>  
> - if ($2 && profile_ns) {
> - pwarn("%s: -n %s overriding policy specified namespace 
> :%s:\n", progname, profile_ns, $2);
> + if (prof->ns) {
> + /**
> +  * Print warning if the profile specified a namespace
> +  * different than the one specified with the
> +  * --namespace-string commandline option
> +  */
> + if ($2 && strcmp(prof->ns, $2)) {
> + pwarn("%s: -n %s overriding policy specified 
> namespace :%s:\n",
> +   progname, prof->ns, $2);
> + }
>   free($2);
> - prof->ns = strdup(profile_ns);
> - if (!prof->ns)
> - yyerror(_("Memory allocation error."));
>   } else
>   prof->ns = $2;
>   if ($1 == 2)




Re: [apparmor] AppArmor APIs

2015-12-14 Thread John Johansen
On 12/14/2015 07:44 AM, Colin Ian King wrote:
> Hi there,
> 
> I'm looking at writing some stress tests for AppArmor, so I'd like to
> construct some simple rules and insert/remove them.  I looked for some
> API documentation, but all I can find is:
> 
> http://wiki.apparmor.net/index.php/AppArmorAPIs
> 
> Are there any API docs, guides or worked examples for libaaparse and
> libapparmor?
> 

Hey Colin,
sorry the interfaces aren't better documented. It is one of those perpetual
todo items. There is a quick view of the basic apis below and I'll work on
getting you some better docs

The libapparmor api is fairly well documented in the man pages (though it
seems the cross refs to find them could stand to be updated)

  man aa_change_hat
  aa_change_hatv
  aa_change_hat_vargs

  man aa_change_profile
  aa_change_onexec

  man aa_getprocattr_raw
  aa_getprocattr
  aa_gettaskcon
  aa_getcon
  aa_getpeercon_raw
  aa_getpeercon

  man aa_splitcon

  man aa_features
  aa_features_new
  aa_features_new_from_string
  aa_features_new_from_kernel
  aa_features_ref
  aa_features_unref
  aa_features_write_to_file
  aa_features_is_equal
  aa_features_supports

  man aa_is_enabled
  aa_find_mountpoint

  man aa_kernel_interface
  aa_kernel_interface_new
  aa_kernel_interface_ref
  aa_kernel_interface_unref
  aa_kernel_interface_load_policy
  aa_kernel_interface_load_policy_from_file
  aa_kernel_interface_load_policy_from_fd
  aa_kernel_interface_replace_policy
  aa_kernel_interface_replace_policy_from_file
  aa_kernel_interface_replace_policy_from_fd
  aa_kernel_interface_remove_policy
  aa_kernel_interface_write_policy

  man aa_policy_cache
  aa_policy_cache_new
  aa_policy_cache_ref
  aa_policy_cache_unref
  aa_policy_cache_remove
  aa_policy_cache_replace_all

  man aa_query_label
  aa_query_file_path
  aa_query_file_path_len
  aa_query_link_path_len
  aa_query_link_path



the logparsing doesn't seem to be documented at all :(
The 2 exported functions are
  aa_log_record *parse_record(char *str)
  void free_record(aa_log_record *record)

  with aa_log_record being defined in include/aalogparse.h
there are a fair number of log parsing tests in 
  libraries/libapparmor/testsuite/

there are a set of private functions that are pseudo exported, but being private
apis they may change at any time
_aa_is_blacklisted;
_aa_autofree;
_aa_autoclose;
_aa_autofclose;
_aa_dirat_for_each;



the apparmor_parser flags are fairly well documented in
  man apparmor_parser



the lowlevel interfaces are not well documented at all
  reading of a socket's label is done via
getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, );

  read of a task's label is done via
/proc//attr/current

  read of a scheduled change at exec via
/proc//attr/exec

  read of parent while in a hat
/proc//attr/prev

  setting self label (another task's label can not be directly set) is done by
writing to
/proc//attr/current

  setting of self label at exec (again another task's is not allowed) is done via
writing to
/proc//attr/exec

  the /proc//attr/  fscreate  keycreate sockcreate files are currently not used

  the sock and proc/attr interface are limited to pagesize reads and writes atm



the apparmor filesystem used for loading and introspecting policy is usually
mounted at
   /sys/kernel/security/apparmor.

Well it's not really the apparmor filesystem anymore as it is a sub of the
securityfs filesystem.  Under this there is
  ls apparmor/
  .access  features  .load  .null  policy  profiles  .remove  .replace

.access - is a file that allows querying permissions. I'll work on getting you
  some docs on its format

profiles - flattened, virtualized view of what policy is visible to the
  inquiring task. I'll work on some better docs for you

features - dir of features supported by the kernel (should be read only)

policy - dir of policy currently visible (actually currently this is always
 from root policy ns, but ideally it should get virtualized (except doing that
 properly with the way the vfs is setup is impossible, so there will be
 something half assed for 16.04).

 This represents an expanded view of what is available in the profiles file,
 and is currently entirely read only.

 the hierarchy is basically

 policy/namespaces/   #subnamespaces follow exactly same format as whats in policy
   /profiles/.uniq#/
     name   #name of profile
     attach #exec profile attachment
     mode   #mode of profile
     sha1   #sha1 of
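An added example, not code from the thread or from libapparmor, covering the low-level interfaces John lists: a page-limited read of /proc/<pid>/attr/{current,exec,prev}, the SO_PEERSEC getsockopt for a socket peer, and a label/mode split that follows the aa_splitcon convention for the "label (mode)" form. split_con, read_attr and read_peer_label are names chosen here; on a kernel without AppArmor the attr read may fail or return another LSM's context, and both paths are handled.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Split "label (mode)\n" in place, following the aa_splitcon() convention
 * (reimplemented here, not libapparmor's code). Returns the label; *mode is
 * NULL when the context carries no mode, e.g. "unconfined". */
char *split_con(char *con, char **mode)
{
    size_t len = strlen(con);
    *mode = NULL;
    if (len && con[len - 1] == '\n')
        con[--len] = '\0';
    if (len && con[len - 1] == ')') {
        char *paren = strrchr(con, '(');
        if (paren && paren > con && paren[-1] == ' ') {
            con[len - 1] = '\0';        /* drop the closing ')' */
            paren[-1] = '\0';           /* cut the label off from the mode */
            *mode = paren + 1;
        }
    }
    return con;
}

/* Read /proc/<pid>/attr/<file> (current, exec or prev). The interface is
 * limited to page-sized reads, so one read into a page-sized buffer is the
 * whole answer. Returns bytes read, or -1 on error. */
ssize_t read_attr(pid_t pid, const char *file, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/attr/%s", (int)pid, file);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Peer label of a connected socket via SO_PEERSEC, in the same "label (mode)"
 * form. Returns its length, or -1 (also when no LSM supplies one). */
int read_peer_label(int sock, char *buf, size_t len)
{
#ifdef SO_PEERSEC
    socklen_t optlen = (socklen_t)(len - 1);
    if (getsockopt(sock, SOL_SOCKET, SO_PEERSEC, buf, &optlen) < 0)
        return -1;
    buf[optlen] = '\0';
    return (int)optlen;
#else
    (void)sock; (void)buf; (void)len;
    return -1;
#endif
}

int main(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);   /* attr reads are page-limited */
    char *buf = malloc(page), *mode, *label;

    if (buf && read_attr(getpid(), "current", buf, page) >= 0) {
        label = split_con(buf, &mode);
        printf("self: %s mode=%s\n", label, mode ? mode : "(none)");
    }
    free(buf);
    return 0;
}
```

read_peer_label takes any connected socket, for example one end of socketpair(AF_UNIX, SOCK_STREAM, 0, sv).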

Re: [apparmor] [PATCH 4/4] dconf patch

2015-12-14 Thread William Hua

Hello,

Here is another iteration of the patch set, including the kernel patch
from June which went stale due to upstream changes over the past six
months. Please review these and let me know of any revisions required
as soon as possible since the work on the dconf side has already begun
and is currently waiting on us.

Thanks,
Will



On 10/06/2015 03:24 PM, Christian Boltz wrote:
> Hello,
> 
> Am Dienstag, 6. Oktober 2015 schrieb John Johansen:
>> On 10/06/2015 11:05 AM, Christian Boltz wrote:
>>> Am Dienstag, 6. Oktober 2015 schrieb John Johansen:
 diff --git a/parser/Makefile b/parser/Makefile index 
 1f0db8d..ec54f96 100644 --- a/parser/Makefile +++ 
 b/parser/Makefile
> ...
>>> I know that list is chaotic already (probably for historical 
>>> reasons?), but what about sorting the HDRS files by alphabet? 
>>> (same question for SRCS and maybe some other file lists in the 
>>> Makefile)
>> 
>> yeah we can get to doing something like that, once my make file 
>> patches land.
> 
> Most of them are acked, so feel free to commit those ;-) I'd also 
> accept a *.h wildcard to make maintaining the Makefile easier.
> 
>> This is based on work William did months ago and I am only now 
>> getting a reply out to.
> 
> no problem ;-)
> 
 --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh
 
 +verify_binary_equality "dconf read" \ +   "/t { dconf / r, }" 
 \ +"/t { dconf / read, }" + +verify_binary_equality "dconf 
 write" \ + "/t { dconf / w, }" \ + "/t { dconf / write, }" +
  +verify_binary_equality "dconf read-write" \ +"/t { dconf
 / rw, }" \ +   "/t { dconf / wr, }" \ +"/t { dconf /
 readwrite, }" \ +  "/t { dconf / writeread, }" \ + "/t { dconf
 / read-write, }" \ +   "/t { dconf / write-read, }" \ +"/t { 
 dconf / read_write, }" \ + "/t { dconf / write_read, }"
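Review bot: the equality tests only prove that the eight spellings compile to the same binary; nothing pins down the `TOK_WRITE { $$ = AA_DCONF_READWRITE; }` mapping Christian quotes below, under which `dconf / w,` would equal `dconf / rw,`. Whichever way that decision goes, add an explicit case for it, an equality of "/t { dconf / w, }" with "/t { dconf / rw, }" if write is meant to imply read and an inequality otherwise, so the behaviour is documented by a test rather than only by a comment in the grammar.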
> 
> BTW: I'd add another test here: "/t { dconf / r, dconf / w, }"
> 
>>> Seriously?
>>> 
>>> I have to admit that I don't really know dconf, but having 8 
>>> different ways to allow read and write (one letter vs. word, no
>>> separator vs - vs. _) is too much. We don't win anything with
>>> it, but it makes implementation of the parser and the tools
>>> more difficult than needed.
>>> 
>>> IMHO the single-letter syntax we already use in file rules 
>>> ("rw" or "wr") is enough and will save us some headache.
>> 
>> gah, no that was supposed to be cut out, notice in my intro
>> reply that I moved it back to an apparmor style syntax. I must
>> have either missed this block or missed git adding the change
>> back into the patch
> 
> Note that it's not only in the tests. The parsing code 
> (parser_lex.l) also allows "r(ead)?" and "w(rite)?", and maybe I 
> missed another place
> 
> I also just noticed another interesting bit in parser_yacc.y [1]
> 
> +   | TOK_WRITE { $$ = AA_DCONF_READWRITE; /* writable implies 
> readable */ }
> 
> This sounds like surprising behaviour to me - does this really
> make sense? If yes, this needs to be documented in bold letters or
> - IMHO better - rules with only w permissions should be rejected
> as invalid to enforce that the profile always contains rw
> permissions, not only w.
> 
> 
> Regards,
> 
> Christian Boltz
> 
> [1] I should have read the patch a bit slower before writing the 
> previous mail ;-)
> 
From 8378c86b0b9b602d92a78bd1dd354d34a9f6f492 Mon Sep 17 00:00:00 2001
From: William Hua 
Date: Mon, 14 Dec 2015 03:35:54 -0500
Subject: [PATCH] apparmor: add data query support

---
 security/apparmor/apparmorfs.c | 112 +++--
 security/apparmor/include/policy.h |  18 +-
 security/apparmor/policy.c |  22 
 security/apparmor/policy_unpack.c  |  63 +
 4 files changed, 209 insertions(+), 6 deletions(-)

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 8afb5f6..2cd4134 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -190,6 +190,94 @@ static const struct file_operations aa_fs_profile_remove = {
 };
 
 /**
+ * query_data - queries a policy and writes its data to buf
+ * @buf: the resulting data is stored here (NOT NULL)
+ * @buf_len: size of buf
+ * @query: query string used to retrieve data
+ * @query_len: size of query including second NUL byte
+ *
+ * The buffers pointed to by buf and query may overlap. The query buffer is
+ * parsed 

Re: [apparmor] [PATCH 4/4] dconf patch

2015-12-14 Thread William Hua

Just made one minor change to make dconf rules more consistent with
other rules (parsing permissions after paths).




[apparmor] AppArmor APIs

2015-12-14 Thread Colin Ian King
Hi there,

I'm looking at writing some stress tests for AppArmor, so I'd like to
construct some simple rules and insert/remove them.  I looked for some
API documentation, but all I can find is:

http://wiki.apparmor.net/index.php/AppArmorAPIs

Are there any API docs, guides or worked examples for libaaparse and
libapparmor?

Colin



Re: [apparmor] AppArmor APIs

2015-12-14 Thread Seth Arnold
On Mon, Dec 14, 2015 at 03:44:56PM +, Colin Ian King wrote:
> I'm looking at writing some stress tests for AppArmor, so I'd like to
> construct some simple rules and insert/remove them.  I looked for some
> API documentation, but all I can find is:
> 
> http://wiki.apparmor.net/index.php/AppArmorAPIs

Excellent, thanks!

> Are there any API docs, guides or worked examples for libaaparse and
> libapparmor?

libaaparse doesn't yet exist. There is work underway to make the
apparmor_parser suitable for use as a library but it is currently only
usable as an executable.

The simplest way to create rules, load, and unload would be something like
this:

echo "profile profile_name /attachment/specification { /rules/ r, }" | \
apparmor_parser --replace

(I always use --replace because it's idempotent. --add is not.)

echo "profile profile_name /attachment/specification { }" | \
apparmor_parser --remove

If this is too onerous for integrating into stress-ng, then the next best
starting point is probably process_profile() in parser_main.c. That
orchestrates loading either a binary blob from the cache or the compiled
profile into the kernel. Since there's extensive use of global variables
in the parser it probably still makes sense to fork off new processes for
each use as needed. (Even this seems like it might be a lot of work
compared to stealing the 'interface' code from parser_interface.c and
using that on stress-ng-supplied binary blobs.)

libapparmor is in better shape: the aa_change_hat(), aa_change_profile()
and aa_change_onexec() calls are documented in manpages in libapparmor-dev.

Thanks



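An added example, not code from the thread, from stress-ng or from the AppArmor project: Seth's load/unload sequence done from C, piping constructed profile text into `apparmor_parser --replace` and `--remove` in a fresh child per call, which also sidesteps the parser's global state he mentions. build_profile, run_with_stdin and parser_op are names chosen here; the actual load needs root and an AppArmor kernel, while the spawning and piping run anywhere.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Build the one-line profile text fed to the parser. The same text serves
 * --replace and --remove (removal matches on the profile name, so the rule
 * body may be empty). Returns -1 if the buffer is too small. */
int build_profile(char *out, size_t len, const char *name,
                  const char *attach, const char *rules)
{
    int n = snprintf(out, len, "profile %s %s { %s }\n", name, attach, rules);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Run argv (looked up on PATH) in a child with `text` on its stdin and return
 * its exit status, or -1 if it could not be spawned or was killed. SIGPIPE is
 * ignored so a child that exits early (the parser rejecting its input) gives
 * a short write instead of killing the caller. */
int run_with_stdin(char *const argv[], const char *text)
{
    int fds[2], status;
    size_t off = 0, len = strlen(text);

    signal(SIGPIPE, SIG_IGN);
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                 /* child: stdin <- pipe read end, exec */
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed (tool not installed) */
    }
    close(fds[0]);                  /* parent: feed the profile text */
    while (off < len) {
        ssize_t w = write(fds[1], text + off, len - off);
        if (w <= 0)
            break;
        off += (size_t)w;
    }
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* One parser invocation: flag is "--replace" (idempotent, so a stress loop may
 * reload the same profile; --add would fail the second time) or "--remove". */
int parser_op(const char *flag, const char *text)
{
    char *const argv[] = { "apparmor_parser", (char *)flag, NULL };
    return run_with_stdin(argv, text);
}

int main(void)
{
    char text[256];   /* constructed sample; the attachment path need not exist */
    if (build_profile(text, sizeof text, "stress_test_0",
                      "/nonexistent/stress0", "/etc/hostname r,") < 0)
        return 1;
    int rc = parser_op("--replace", text);   /* needs root + AppArmor kernel */
    printf("load: %d\n", rc);
    if (rc == 0)
        printf("remove: %d\n", parser_op("--remove", text));
    return 0;
}
```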

[apparmor] [PATCH] parser: Honor the --namespace-string commandline option

2015-12-14 Thread Tyler Hicks
https://launchpad.net/bugs/1526085

Revno 2934 'Add fns to handle profile removal to the kernel interface'
introduced a regression in the parser's namespace support by causing the
--namespace-string option to be ignored. This resulted in the profile(s)
being loaded into the global namespace rather than the namespace
specified on the command line.

This patch fixes the bug by setting the Profile object's ns member, if
the --namespace-string option was specified, immediately after the
Profile object is allocated.

Signed-off-by: Tyler Hicks 
---

Nominated for 2.10 and trunk.

Tyler

 parser/parser_yacc.y | 22 +-
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index d17eab9..2a48367 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -318,6 +318,13 @@ profile_base: TOK_ID opt_id_or_var flags TOK_OPEN rules 
TOK_CLOSE
yyerror(_("Memory allocation error."));
}
 
+   /* Honor the --namespace-string command line option */
+   if (profile_ns) {
+   prof->ns = strdup(profile_ns);
+   if (!prof->ns)
+   yyerror(_("Memory allocation error."));
+   }
+
prof->name = $1;
prof->attachment = $2;
if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
@@ -351,12 +358,17 @@ profile:  opt_profile_flag opt_ns profile_base
if ($3->name[0] != '/' && !($1 || $2))
yyerror(_("Profile names must begin with a '/', 
namespace or keyword 'profile' or 'hat'."));
 
-   if ($2 && profile_ns) {
-   pwarn("%s: -n %s overriding policy specified namespace 
:%s:\n", progname, profile_ns, $2);
+   if (prof->ns) {
+   /**
+* Print warning if the profile specified a namespace
+* different than the one specified with the
+* --namespace-string commandline option
+*/
+   if ($2 && strcmp(prof->ns, $2)) {
+   pwarn("%s: -n %s overriding policy specified 
namespace :%s:\n",
+ progname, prof->ns, $2);
+   }
free($2);
-   prof->ns = strdup(profile_ns);
-   if (!prof->ns)
-   yyerror(_("Memory allocation error."));
} else
prof->ns = $2;
if ($1 == 2)
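Review bot: this hunk quietly changes when the warning fires. Before, `if ($2 && profile_ns)` warned whenever both a policy-specified namespace and -n were given; now `if ($2 && strcmp(prof->ns, $2))` stays silent when the two names are equal. That is a reasonable refinement, but the commit message only describes restoring --namespace-string, so either mention the quieter warning there or keep the unconditional pwarn so the 2.10 backport stays a pure regression fix. The unconditional free($2) in that branch is correct either way, since $2 is never stored when prof->ns is already set.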
-- 
2.5.0

