Mount rule parsing silently accepts unknown mount rule options
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Medium | Tyler Hicks |
Bug Description
The parser accepts mount rule options that it doesn't know about. It sticks the string representation into the resulting DFA. I don't think this is the intended parser behavior, and it has resulted in confusion for profile authors (see bug #1350947).
```
$ echo "/t { mount options=(XXX) -> **, }" | apparmor_parser -qQD dfa-states
{1} <== (allow/
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{9} (0x 40/0/40/0)
{13} (0x 2/0/0/0)
{1} -> {2}: 0x2
{1} -> {2}: 0x4
{1} -> {3}: 0x7
{1} -> {2}: 0x9
{1} -> {2}: 0xa
{1} -> {2}: 0x20 \
{1} -> {4}: 0x34 4
{3} (0x 4/0/0/0) -> {6}: 0x0
{3} (0x 4/0/0/0) -> {5}: []
{4} -> {7}: 0x0
{5} -> {6}: 0x0
{5} -> {5}: []
{6} -> {8}: 0x0
{6} -> {6}: []
{7} -> {2}: 0x31 1
{8} -> {9}: 0x0
{8} -> {8}: []
{9} (0x 40/0/40/0) -> {10}: 0x0
{9} (0x 40/0/40/0) -> {9}: []
{10} -> {11}: 0x58 X
{11} -> {12}: 0x58 X
{12} -> {13}: 0x58 X
```
I think the above apparmor_parser command should fail and return an error.
Fix sent to the list:
https://lists.ubuntu.com/archives/apparmor/2014-December/006988.html
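
A pre-flight lint for profile authors whose parser still accepts unknown mount options, as an added example that is not part of this bug report or of AppArmor's own code. The function name is hypothetical, and the flag set is an assumption taken from apparmor.d(5) that should be checked against the installed release.

```python
import re

# Assumption: flag names as listed in apparmor.d(5); verify against the
# man page of the installed AppArmor release before relying on this set.
KNOWN_MOUNT_FLAGS = frozenset("""
ro rw nosuid suid nodev dev noexec exec sync async remount mand nomand
dirsync noatime atime nodiratime diratime bind rbind move verbose silent
loud acl noacl unbindable runbindable private rprivate slave rslave
shared rshared relatime norelatime iversion noiversion strictatime
nouser user
""".split())

# A mount rule runs from the keyword to the first comma outside parentheses.
RULE_RE = re.compile(r"\b(?:mount|remount)\b((?:\([^)]*\)|[^,(){}])*),")
# Matches options=(a,b), options in (a b) and the bare form options=a.
OPTIONS_RE = re.compile(
    r"\boptions\s*(?:=|\bin\b)\s*(?:\(([^)]*)\)|([^\s,()]+))")

def unknown_mount_options(profile_text):
    """Return [(line_number, option)] for each unrecognised mount flag."""
    findings = []
    # Drop comments but keep newlines so reported line numbers stay correct.
    text = re.sub(r"#[^\n]*", "", profile_text)
    for rule in RULE_RE.finditer(text):
        for opts in OPTIONS_RE.finditer(rule.group(1)):
            body = opts.group(1) if opts.group(1) is not None else opts.group(2)
            pos = rule.start(1) + opts.start()
            line = text.count("\n", 0, pos) + 1
            for name in re.split(r"[,\s]+", body.strip()):
                if name and name not in KNOWN_MOUNT_FLAGS:
                    findings.append((line, name))
    return findings

# Constructed sample profile: line 2 is the rule from the report,
# line 4 carries a constructed typo of "nosuid".
SAMPLE = """\
/t {
  mount options=(XXX) -> **,
  mount options=(ro, nodev) /dev/sda1 -> /mnt/,
  mount options in (rw nosiud) -> /media/**,   # constructed typo
  mount fstype=ext4 options=bind /a -> /b,
}
"""

if __name__ == "__main__":
    for line, name in unknown_mount_options(SAMPLE):
        print(f"line {line}: unknown mount option {name!r}")
```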