File perl-apparmor-properly-handle-bare-file-keyword.diff of Package apparmor

From: Jeff Mahoney <jeffm@suse.com>
Subject: perl-apparmor: Properly handle bare 'file' keyword
References: bnc#889652

The bare 'file' keyword is a shortcut for /{**,}, and it carries a set of implied
permissions.

This patch accepts the file keyword as well as allowing for missing mode
specifiers.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---

 utils/Immunix/AppArmor.pm |   27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -5252,7 +5252,7 @@
         } elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean
         } elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined
         } elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined
-        } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) {     # path entry
+        } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) {     # path entry
             if (not $profile) {
                 die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
             }
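Review bot: The `file` alternative in the new path-entry regex (`(file|([\"\@\/].*?)\s+(\S+))`) is followed directly by the optional `->` group and the comma, so a keyword rule with an explicit mode such as `file rw,` does not match this branch at all, and for the bare form `$5`/`$6` belong to the other alternative and are always undef. That makes the `if (!$mode)` test in the next hunk always true, so `$use_mode` can never be 1 for a keyword rule, even though the patch description says missing modes are allowed rather than required. If an explicit mode is meant to be accepted, the keyword alternative needs its own optional mode capture, e.g. `(file(?:\s+(\S+))?|([\"\@\/].*?)\s+(\S+))`, and the binding in the next hunk shifts to `my ($path, $mode, $nt_name) = ($6, $7 // $5, $9);`. The same point applies to the `$4 eq "file"` block in the second hunk. The enclosing parse loop starts before and ends after this hunk.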
@@ -5260,7 +5260,19 @@
 	    my $audit = $1 ? 1 : 0;
 	    my $allow = $2 ? 'deny' : 'allow';
 	    my $user = $3 ? 1 : 0;
-            my ($path, $mode, $nt_name) = ($4, $5, $7);
+            my ($path, $mode, $nt_name) = ($5, $6, $8);
+            my $file_keyword = 0;
+            my $use_mode = 1;
+
+            if ($4 eq "file") {
+                $path = "/{**,}";
+                $file_keyword = 1;
+                if (!$mode) {
+                    # what the parser uses, but we don't care
+                    $mode = "rwixlka";
+                    $use_mode = 0;
+                }
+            }
 
             # strip off any trailing spaces.
             $path =~ s/\s+$//;
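Review bot: The comment `# what the parser uses, but we don't care` on the hard-coded `"rwixlka"` understates what happens to that value: it is not discarded but flows through the `invalid mode` check and `str_to_mode` below like any user-supplied mode, and only the writer consults `use_mode` to suppress it. A more accurate comment would be `# A bare 'file,' rule carries no explicit mode. Substitute the parser's implied full set so the mode validation and str_to_mode below accept it, and record use_mode=0 so the writer emits the bare keyword again instead of this placeholder.` Any other consumer of `{mode}` for this entry (e.g. anything comparing or merging modes) will see the placeholder as real permissions, which is worth stating where the value is introduced. The enclosing parse loop starts before and ends after this hunk.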
@@ -5281,6 +5293,9 @@
                 fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode));
             }
 
+	    $profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = $use_mode;
+	    $profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if $file_keyword;
+
 	    my $tmpmode;
 	    if ($user) {
 		$tmpmode = str_to_mode("${mode}::");
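Review bot: `use_mode` is stored unconditionally for every path entry while `file_keyword` is only ever set, never cleared, and a keyword rule is stored under the fixed path `/{**,}`, so a bare `file,` rule and a later explicit `/{**,} <mode>,` rule in the same hat land in the same `{path}{$path}` entry. In that case the explicit rule sets `use_mode` to 1 but `file_keyword` stays 1, and — if the writer's `$kw` test in the last hunk is the only consumer — the explicit rule would presumably be re-emitted as `file <mode>,` rather than as the path it was written with. Assigning the flag symmetrically, `... {file_keyword} = $file_keyword;`, at least makes the last rule win consistently; the two forms cannot be kept apart under a shared key without a separate entry. The enclosing parse loop starts before and ends after this hunk.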
@@ -5838,7 +5859,13 @@
 		    }
 		    $tmpmode &= ~$tmpaudit;
 		}
-		if ($tmpmode) {
+		my $kw = $profile_data->{$allow}{path}{$path}{file_keyword};
+		my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode};
+		if ($kw) {
+		    my $modestr = "";
+		    $modestr = " " . mode_to_str($tmpmode) if $use_mode;
+		    push @data, "${pre}${allowstr}${ownerstr}file${modestr}${tail},";
+		} elsif ($tmpmode) {
 		    my $modestr = mode_to_str($tmpmode);
 		    if ($path =~ /\s/) {
 			push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";
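Review bot: The new `if ($kw)` branch drops the `if ($tmpmode)` guard that the replaced line applied, so a keyword entry is emitted even when `$tmpmode` is 0 after the `$tmpmode &= ~$tmpaudit` masking above; with `$use_mode` set that appends `mode_to_str(0)` and yields a rule with an empty mode, and with it unset the bare `file,` line is written on every pass through this block rather than only when there are permissions to report. A guard that mirrors the path branch but still allows the modeless form, `if ($kw && (!$use_mode || $tmpmode)) {`, avoids both. Note also that this block indexes `$profile_data->{$allow}{path}` while the parser stores under `{$profile}{$hat}{$allow}` — presumably a per-hat sub-hash is passed in here, but that is outside the hunk. The enclosing function starts before and continues after this hunk.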