
List:       apparmor-dev
Subject:    Re: [apparmor] [PATCH 1/6] parser: Sync mount options parsing and documentation
From:       John Johansen <john.johansen () canonical ! com>
Date:       2014-12-12 11:20:50
Message-ID: 548ACF92.5070103 () canonical ! com

On 12/11/2014 04:49 PM, Tyler Hicks wrote:
> There are a number of differences between what the apparmor.d(5) man
> page lists as valid AppArmor mount rule options and what apparmor_parser
> looks for when parsing mount rules. There are also typos in the man page
> and parser around mount options. Here's the breakdown of problems and
> fixes made in this patch:
> 
> * The apparmor.d(5) man page improperly documented a "nodirsync"
>   option.
>   - That mount option does not exist and the parser did not honor it.
>     Remove the mention from the apparmor.d(5) man page.
> * The loud option was typoed as "load" in both the man page and parser
>   - There's no sense in preserving backwards compatibility. "load" is
>     simply wrong and should not be honored. The man page and parser are
>     updated to only use "loud".
> * The rbind option wasn't listed in the man page.
>   - Add rbind to the man page. No change needed for the parser.
> * The documented unbindable, private, slave, and shared options were
>   not correctly parsed. The parser expected
>   make-{unbindable,private,slave,shared}.
>   - The parser is updated to accept both the documented
>     {unbindable,private,slave,shared} options and their variants
>     prefixed with "make-". The man page will not document the "make-"
>     variants.
> * The recursive {runbindable,rprivate,rslave,rshared} options were not
>   documented and were only recognized by the parser if they were
>   prefixed with "make-".
>   - The man page is updated to document the option strings that are not
>     prefixed with "make-". The parser still accepts the "make-"
>     variants.
> * The man page documented a "rec" option but the parser didn't honor
>   it. The MS_REC macro is used by the mount utility to be bitwise OR'ed
>   with MS_{UNBINDABLE,PRIVATE,SLAVE,SHARED} to indicate the
>   corresponding recursive mount options.
>   - This is not an option that should be exposed in the AppArmor policy
>     since we already have the
>     {runbindable,rprivate,rslave,rshared} options.
> * The man page typoed the {no,}relatime options as {no,}relative.
>   - The man page is updated to document the correct option strings. The
>     parser requires no change.
> 
> Bug: https://bugs.launchpad.net/bugs/1401619
> 
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>

> ---
> parser/apparmor.d.pod |  2 +-
> parser/mount.cc       | 10 +++++++++-
> 2 files changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
> index 1ac8afa..6601b90 100644
> --- a/parser/apparmor.d.pod
> +++ b/parser/apparmor.d.pod
> @@ -93,7 +93,7 @@ B<MOUNT FLAGS EXPRESSION> = ( I<MOUNT FLAGS LIST> | I<MOUNT \
> EXPRESSION> ) 
> B<MOUNT FLAGS LIST> = Comma separated list of I<MOUNT FLAGS>.
> 
> -B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | \
> 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'nodirsync' \
> | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'move' | 'rec' | \
> 'verbose' | 'silent' | 'load' | 'acl' | 'noacl' | 'unbindable' | 'private' | \
> 'slave' | 'shared' | 'relative' | 'norelative' | 'iversion' | 'noiversion' | \
> 'strictatime' | 'nouser' | 'user' ) +B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | \
> 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | \
> 'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | \
> 'bind' | 'rbind' | 'move' | 'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' | \
> 'unbindable' | 'runbindable' | 'private' | 'rprivate' | 'slave' | 'rslave' | \
> 'shared' | 'rshared' | 'relatime' | 'norelatime' | 'iversion' | 'noiversion' | \
> 'strictatime' | 'nouser' | 'user' ) 
> B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
> 
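
Review bot: the replacement B<MOUNT FLAGS> production is still one very long line, so the removals ('nodirsync', 'rec') and the renames ('load' to 'loud', 'relative'/'norelative' to 'relatime'/'norelatime') can only be found by comparing the old and new lines token by token. Consider wrapping the production over several lines, grouped by kind (for example the propagation flags 'unbindable' through 'rshared' together), so that the next drift between the man page and the parser shows up as a small, auditable diff.
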
> diff --git a/parser/mount.cc b/parser/mount.cc
> index f3a9a91..a3ab5d3 100644
> --- a/parser/mount.cc
> +++ b/parser/mount.cc
> @@ -259,16 +259,24 @@ static struct mnt_keyword_table mnt_opts_table[] = {
> 	{"R",			MS_RBIND, 0},
> 	{"verbose",		MS_VERBOSE, 0},
> 	{"silent",		MS_SILENT, 0},
> -	{"load",		0, MS_SILENT},
> +	{"loud",		0, MS_SILENT},
> 	{"acl",			MS_ACL, 0},
> 	{"noacl",		0, MS_ACL},
> +	{"unbindable",		MS_UNBINDABLE, 0},
> 	{"make-unbindable",	MS_UNBINDABLE, 0},
> +	{"runbindable",		MS_RUNBINDABLE, 0},
> 	{"make-runbindable",	MS_RUNBINDABLE, 0},
> +	{"private",		MS_PRIVATE, 0},
> 	{"make-private",	MS_PRIVATE, 0},
> +	{"rprivate",		MS_RPRIVATE, 0},
> 	{"make-rprivate",	MS_RPRIVATE, 0},
> +	{"slave",		MS_SLAVE, 0},
> 	{"make-slave",		MS_SLAVE, 0},
> +	{"rslave",		MS_RSLAVE, 0},
> 	{"make-rslave",		MS_RSLAVE, 0},
> +	{"shared",		MS_SHARED, 0},
> 	{"make-shared",		MS_SHARED, 0},
> +	{"rshared",		MS_RSHARED, 0},
> 	{"make-rshared",	MS_RSHARED, 0},
> 
> 	{"relatime",		MS_RELATIME, 0},
> 
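
Review bot: the new bare entries ("unbindable" through "rshared") sit directly beside "make-" entries with identical flag values, and nothing in mnt_opts_table says which spelling is canonical. A short comment above the group, noting that the "make-" forms are accepted aliases that apparmor.d(5) deliberately leaves undocumented, would keep a later cleanup from dropping or documenting them by accident. Separately, replacing "load" with "loud" means a policy that still uses "load" will no longer be recognised; the diffstat shows only apparmor.d.pod and mount.cc changing, so a parser test covering "loud", the bare propagation options and the rejection of "load" would be worth adding if a later patch in the series does not already do so.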


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

