Hello,

On Wednesday, 5 January 2022, 23:09:01 CET Karsten Hilbert wrote:
> Unless I misunderstand apparmor profile logic it is not
> purely cosmetic. It excludes "/home/*/" from @{HOME}.
That's the difference between a human parser (you) and apparmor_parser ;-) - you think of the profile as "code" (where order matters) while apparmor_parser (mostly) doesn't care about the order.

I'll try to explain how apparmor_parser works using pseudo-SQL:

Step 1: read tunables/home

    @{HOME}=@{HOMEDIRS}/*/ /root/
    -> INSERT INTO variables VALUES ( '@{HOME}', '@{HOMEDIRS}/*/ /root/');

    @{HOMEDIRS}=/home/
    -> INSERT INTO variables VALUES ( '@{HOMEDIRS}', '/home/');

Now we have the two variables in the variables database. Note that @{HOME} was stored "raw", without expanding the embedded variable. Therefore the order of the variable declaration (or INSERT commands) doesn't matter.

Step 2: if a rule uses one of the variables:

    @{HOME}/foo r,

apparmor_parser: "that rule contains a variable! Let's look it up..."

    -> SELECT FROM variables WHERE name='@{HOME}';
    Result: @{HOMEDIRS}/*/ /root/

apparmor_parser: "oh, that contains another variable, let's look it up too..."

    -> SELECT FROM variables WHERE name='@{HOMEDIRS}';
    Result: /home/

apparmor_parser: "and now let me replace that variable in @{HOME}..."

    Original: @{HOMEDIRS}/*/ /root/
    # replace @{HOMEDIRS} with /home/
    Result:   /home/*/ /root/

apparmor_parser: "Looks good. That variable has two items, split it and update the rule..." (which gives us two rules, one for each variable item)

    Result: /home/*/foo r,
            /root/foo r,

Does that help to understand what's going on?

Regards,

Christian Boltz

PS: The above is simplified (for example, it doesn't have "SQL" for extending variables with "+="). Also, apparmor_parser doesn't use SQL or a database internally - but the actual data structure/storage is just a technical detail you can ignore for now. Also, inserting the variables into the rule will give you alternations (not multiple rules), but that's also just a technical detail.
One detail I didn't mention about the replacement in step 2 is that slashes get de-duplicated, so that you end up with /home/*/ instead of /home//*/, which you would get by blindly replacing the variable.

-- 
<tampakrap> darix: I need to go, let's continue tomorrow if you have time
<darix> tomorrow i will be drunk or so
<tigerfoot> darix: count on me for that state :-)
[from #opensuse-admin]
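The two-step model from the mail above (store variables raw, resolve nested variables only when a rule is expanded, one resulting path per variable item, slashes de-duplicated afterwards) written out as a small Python simulation. This is an added example, not Christian's text and not apparmor_parser's real code or data structures; the `+=` handling, the cycle guard and the sample tunables (including the constructed `/srv/home/` entry) are assumptions made for the illustration, and the output is one rule per item rather than the alternation the real parser builds.

```python
"""
Toy model of how apparmor_parser handles @{VARIABLES} in tunables and rules.
Constructed example for illustration; not apparmor_parser's own implementation.

Step 1: every declaration is stored as written, with no expansion, so the
        order of declarations does not matter.
Step 2: when a rule uses a variable, it is looked up recursively, each item
        of a multi-item variable yields its own path, and doubled slashes
        produced by the textual replacement are collapsed.
"""
import re
from typing import Dict, List

# Variable reference as it appears in tunables and rules, e.g. @{HOME}
VAR_RE = re.compile(r"@\{[A-Za-z0-9_]+\}")

# Constructed tunables: @{HOME} is deliberately declared *before* the
# @{HOMEDIRS} it refers to, to show that declaration order is irrelevant.
# The "+=" line appends an extra item (assumed semantics of "+=").
TUNABLES = [
    "@{HOME}=@{HOMEDIRS}/*/ /root/",
    "@{HOMEDIRS}=/home/",
    "@{HOMEDIRS}+=/srv/home/   # constructed extra home location",
]


def load_tunables(lines: List[str]) -> Dict[str, List[str]]:
    """Step 1: store each variable raw (the 'INSERT INTO variables' of the mail).

    '=' (re)defines the variable, '+=' appends items to an existing one.
    Embedded @{...} references are kept unexpanded."""
    variables: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if "+=" in line:
            name, value = line.split("+=", 1)
            variables.setdefault(name.strip(), []).extend(value.split())
        elif "=" in line:
            name, value = line.split("=", 1)
            variables[name.strip()] = value.split()
        else:
            raise ValueError(f"not a variable declaration: {raw!r}")
    return variables


def expand(path: str, variables: Dict[str, List[str]], depth: int = 0) -> List[str]:
    """Step 2: replace the left-most variable with each of its items, then
    recurse, so nested variables and multi-item variables both fan out.
    The depth guard (assumed, not from the mail) stops self-referencing variables."""
    if depth > 32:
        raise ValueError("variable nesting too deep (reference cycle?)")
    match = VAR_RE.search(path)
    if match is None:
        return [path]  # nothing left to look up
    name = match.group(0)
    if name not in variables:
        raise KeyError(f"undefined variable {name}")
    results: List[str] = []
    for item in variables[name]:
        substituted = path[: match.start()] + item + path[match.end():]
        results.extend(expand(substituted, variables, depth + 1))
    return results


def dedup_slashes(path: str) -> str:
    """Collapse '//' runs left behind by textual replacement (/home//*/ -> /home/*/)."""
    return re.sub(r"/{2,}", "/", path)


def expand_rule(rule: str, variables: Dict[str, List[str]]) -> List[str]:
    """Expand a file rule such as '@{HOME}/foo r,' into one rule per resulting path."""
    path, _, perms = rule.strip().partition(" ")
    return [f"{dedup_slashes(p)} {perms}" for p in expand(path, variables)]


def demo() -> List[str]:
    """Run the mail's example rule against the constructed tunables."""
    return expand_rule("@{HOME}/foo r,", load_tunables(TUNABLES))


if __name__ == "__main__":
    for expanded in demo():
        print(expanded)
```

Running it prints `/home/*/foo r,`, `/srv/home/*/foo r,` and `/root/foo r,`: the first two come from the two items of `@{HOMEDIRS}` nested inside the first item of `@{HOME}`, the last from its second item, and none of them carries the `//` that a blind replacement would leave.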