[apparmor] [patch] update aa.py is_skippable_file() according to libapparmor

Christian Boltz apparmor at cboltz.de
Sat Dec 6 21:19:20 UTC 2014


Hello,

this patch updates is_skippable_file() to match all extensions that are
listed in  libapparmor _aa_is_blacklisted() - some extensions were 
missing in the python code.

It also makes the code more readable - even though it merges 4 re.search()
calls into one - and adds some testcases.

Notes:
- the original code additionally ignored *.swp. I didn't include that -
  *.swp looks like vim swap files which are also dot files
- the python code ignores README files, but the C code doesn't
  (do we need to add README in the C code?)



[ is_skippable_file.diff ]

=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py        2014-11-29 12:40:10 +0000
+++ utils/apparmor/aa.py        2014-12-06 21:12:49 +0000
@@ -2546,13 +2546,16 @@
         else:
             return False
 
-# rpm backup files, dotfiles, emacs backup files should not be processed
-# The skippable files type needs be synced with apparmor initscript
 def is_skippable_file(path):
-    """Returns True if filename matches something to be skipped"""
-    if (re.search('(^|/)\.[^/]*$', path) or re.search('\.rpm(save|new)$', path)
-            or re.search('\.dpkg-(old|new)$', path) or re.search('\.swp$', path)
-            or path[-1] == '~' or path == 'README'):
+    """Returns True if filename matches something to be skipped (rpm or dpkg backup files, hidden files etc.)
+        The list of skippable files needs to be synced with apparmor initscript and libapparmor _aa_is_blacklisted()
+        path: filename (without directory)"""
+
+    skippable_suffix = '(\.dpkg-new|\.dpkg-old|\.dpkg-dist|\.dpkg-bak|\.rpmnew|\.rpmsave|\.orig|\.rej|~)$'
+    skippable_files  = '^(.*/)?(README|\.[^/]*|)$'  # README, dot files and empty filename
+    skippable_all    = '%s|%s' % (skippable_suffix, skippable_files)
+
+    if re.search(skippable_all, path):
         return True
 
 def is_skippable_dir(path):
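Review bot: is_skippable_file() still has no `return False`: when the combined pattern does not match, control falls off the end and the function returns None, which the new `assertFalse` tests accept without noticing. Ending the function with `return bool(re.search(skippable_all, path))` would give callers a real boolean. The two pattern literals also contain `\.` inside ordinary strings; writing them as raw strings (`r'...'`) avoids invalid-escape warnings on newer Python versions. This list appears to decide which files are processed as profiles, and with `\.swp$` dropped a non-hidden `name.swp` file is no longer skipped, so a one-line comment recording that this is intentional would help whoever next syncs the list with libapparmor.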

=== modified file 'utils/test/test-aa.py'
--- utils/test/test-aa.py       2014-11-27 22:20:26 +0000
+++ utils/test/test-aa.py       2014-12-06 21:06:15 +0000
@@ -15,7 +15,7 @@
 import tempfile
 from common_test import write_file
 
-from apparmor.aa import check_for_apparmor
+from apparmor.aa import check_for_apparmor, is_skippable_file
 
 class AaTest_check_for_apparmor(unittest.TestCase):
     FILESYSTEMS_WITH_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsecurityfs\nnodev\tsockfs\n\text3\n\text2\n\text4'
@@ -70,6 +70,48 @@
         mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)
         self.assertEqual('%s/security/apparmor' % self.tmpdir, check_for_apparmor(filesystems, mounts))
 
+class AaTest_is_skippable_file(unittest.TestCase):
+    def test_not_skippable_01(self):
+        self.assertFalse(is_skippable_file('bin.ping'))
+    def test_not_skippable_02(self):
+        self.assertFalse(is_skippable_file('usr.lib.dovecot.anvil'))
+    def test_not_skippable_03(self):
+        self.assertFalse(is_skippable_file('bin.~ping'))
+    def test_not_skippable_04(self):
+        self.assertFalse(is_skippable_file('bin.rpmsave.ping'))
+    def test_not_skippable_05(self):
+        # normally is_skippable_file should be called without directory, but it shouldn't hurt too much
+        self.assertFalse(is_skippable_file('/etc/apparmor.d/bin.ping'))
+    def test_not_skippable_06(self):
+        self.assertFalse(is_skippable_file('bin.pingrej'))
+
+    def test_skippable_01(self):
+        self.assertTrue(is_skippable_file('bin.ping.dpkg-new'))
+    def test_skippable_02(self):
+        self.assertTrue(is_skippable_file('bin.ping.dpkg-old'))
+    def test_skippable_03(self):
+        self.assertTrue(is_skippable_file('bin.ping..dpkg-dist'))
+    def test_skippable_04(self):
+        self.assertTrue(is_skippable_file('bin.ping..dpkg-bak'))
+    def test_skippable_05(self):
+        self.assertTrue(is_skippable_file('bin.ping.rpmnew'))
+    def test_skippable_06(self):
+        self.assertTrue(is_skippable_file('bin.ping.rpmsave'))
+    def test_skippable_07(self):
+        self.assertTrue(is_skippable_file('bin.ping.orig'))
+    def test_skippable_08(self):
+        self.assertTrue(is_skippable_file('bin.ping.rej'))
+    def test_skippable_09(self):
+        self.assertTrue(is_skippable_file('bin.ping~'))
+    def test_skippable_10(self):
+        self.assertTrue(is_skippable_file('.bin.ping'))
+    def test_skippable_11(self):
+        self.assertTrue(is_skippable_file(''))  # empty filename
+    def test_skippable_12(self):
+        self.assertTrue(is_skippable_file('/etc/apparmor.d/'))  # directory without filename
+    def test_skippable_13(self):
+        self.assertTrue(is_skippable_file('README'))
+
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
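Review bot: test_skippable_03 and test_skippable_04 pass `'bin.ping..dpkg-dist'` and `'bin.ping..dpkg-bak'` with a doubled dot, which looks unintended next to the other suffix cases. They still pass because only the suffix is matched, but `'bin.ping.dpkg-dist'` and `'bin.ping.dpkg-bak'` would test the names that actually occur. The description says `*.swp` was dropped deliberately, yet no case pins that down; `self.assertFalse(is_skippable_file('bin.ping.swp'))` and `self.assertTrue(is_skippable_file('.bin.ping.swp'))` would record the decision. A case combining a directory with a skippable suffix, such as `'/etc/apparmor.d/bin.ping.rpmnew'`, is also missing.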


Regards,

Christian Boltz
-- 
Wir brauchen ein "postfixbuchconf"-Kommando, damit wir Autor und Version
bestimmen können... ;)        [Patrick Ben Koetter in postfixbuch-users]



