> It is too bad that all of the
> profiles have to be fully parsed just to use basic utilities that don't
> necessarily care about the rules inside of a profile.

The main problem is that we allow "random" filenames for the profiles, so we need to check all files for the to-be-changed profile - but you probably already know that.

Yes, in theory we could just parse the headers and ignore the profile content, but that would mean that we need a (simplified, but still) copy of the profile parsing code.

> While not perfect, I think this is a better approach than refusing to
> parse valid profiles that have existed for quite a few years. What do
> you think?

I'm not the biggest fan of this workaround. Having the tools error out on invalid rules like your example would be much better - especially because such a rule will automagically be changed when saving the profile without any warning.

Nevertheless, replacing "break the tools completely" with "unexpected behaviour on invalid rules" still is a small improvement.

FYI: FileRule accepts the permissions in any order, so maybe you could look at how it's done there. (Needless to say that having a list of possible permissions is easier to handle, but maybe it helps nevertheless.)

Please don't forget to run "make check" for the utils ;-)

BTW: Does your patch also work for something like

    dbus bus=session bind bus=system,

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu.
https://bugs.launchpad.net/bugs/1628286

Title:
  [utils] DBus rules enforce stricter ordering of dbus attributes

Status in AppArmor:
  In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Won't Fix

Bug description:
  The DBus rules data structures added recently (after the 2.10.95 beta 1 release) include a more strict interpretation of dbus attribute ordering than before and is more strict than the parser:

  [parser]$ cat /tmp/aa-test-dir/test.profile
  profile t /t {
    dbus (receive, send) path=/com/canonical/UbuntuAppLaunch/* bus=session,
  }

  [parser]$ ./apparmor_parser -QK -d /tmp/aa-test-dir/test.profile
  ----- Debugging built structures -----
  Name: t
  Profile Mode: Enforce
  dbus ( send receive ) bus="session" path="/com/canonical/UbuntuAppLaunch/*",

  [parser]$ ./apparmor_parser --version
  AppArmor parser version 2.10.95
  Copyright (C) 1999-2008 Novell Inc.
  Copyright 2009-2012 Canonical Ltd.

  [parser]$ cd ../utils/
  [utils]$ PYTHONPATH=. python3 ./aa-logprof -d /tmp/aa-test-dir
  Reading log entries from /var/log/syslog.
  Updating AppArmor profiles in /tmp/aa-test-dir.

  ERROR: Invalid or unknown keywords in 'dbus (receive, send) path=/com/canonical/UbuntuAppLaunch/* bus=session
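
An added sketch of order-independent parsing for the rule in the bug description; it is not the AppArmor utils code, and the function names are hypothetical. It assumes a simplified subset of dbus attributes and, as this example's own choice, rejects a repeated attribute such as the `bus=session bind bus=system` case asked about above instead of silently rewriting it.

```python
import re

ACCESS = ("send", "receive", "bind", "eavesdrop")
# Simplified attribute subset (assumption); tuple order is the output order.
ATTRS = ("bus", "path", "interface", "member", "name")
# One token: "(a, b)" access list, key=value (optionally quoted), or a bare word.
TOKEN = re.compile(r'\(([^)]*)\)|(\w+)=("[^"]*"|\S+)|(\S+)')

def parse_dbus_rule(rule):
    """Return (sorted access list, {attr: value}); ValueError on bad input."""
    body = rule.strip()
    if not body.endswith(","):
        raise ValueError("rule must end with ','")
    body = body[:-1].strip()
    if body.split(None, 1)[:1] != ["dbus"]:
        raise ValueError("not a dbus rule")
    access, attrs = set(), {}
    # Tokens are consumed in whatever order they appear.
    for m in TOKEN.finditer(body[len("dbus"):]):
        group, key, value, word = m.groups()
        if key is not None:
            if key not in ATTRS:
                raise ValueError("unknown attribute: " + key)
            if key in attrs:
                # Error out rather than keep one value without warning.
                raise ValueError("attribute given twice: " + key)
            attrs[key] = value.strip('"')
        else:
            if group is not None:
                words = re.split(r"[,\s]+", group.strip())
            else:
                words = [word]
            for w in words:
                if w not in ACCESS:
                    raise ValueError("unknown keyword: " + w)
                access.add(w)
    return sorted(access), attrs

def canonical(rule):
    """Serialise in one fixed order so equivalent rules compare equal."""
    access, attrs = parse_dbus_rule(rule)
    parts = ["dbus"]
    if access:
        parts.append("(" + ", ".join(access) + ")")
    parts += ['%s="%s"' % (k, attrs[k]) for k in ATTRS if k in attrs]
    return " ".join(parts) + ","
```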