[apparmor] [patch] rule class - split out common parts from is_covered()
Christian Boltz
apparmor at cboltz.de
Thu Dec 18 23:24:02 UTC 2014
Hello,
this patch splits is_covered() in capability.py into
- is_covered_localvars() for rule-specific code
- is_covered() for common code - located in __init__.py
The object type comparison now uses type(self) and a slightly different
error message to make it usable everywhere.
It also renames rule_obj to other_rule which is more self-explaining
(inspired by the parameter name in the is_covered() dummy in __init__.py).
[ rule_split_is_covered.diff ]
=== modified file 'utils/apparmor/rule/__init__.py'
--- utils/apparmor/rule/__init__.py 2014-12-16 22:17:33 +0000
+++ utils/apparmor/rule/__init__.py 2014-12-18 23:16:13 +0000
@@ -68,6 +68,29 @@
else:
return self.get_clean(depth)
+ def is_covered(self, other_rule, check_allow_deny=True, check_audit=False):
+ '''check if other_rule is covered by this rule object'''
+
+ if not type(other_rule) == type(self):
+ raise AppArmorBug('Passes %s instead of %s' % (str(other_rule),self.__class__.__name__))
+
+ if check_allow_deny and self.deny != other_rule.deny:
+ return False
+
+ if check_audit and other_rule.audit != self.audit:
+ return False
+
+ if other_rule.audit and not self.audit:
+ return False
+
+ # still here? -> then the common part is covered, check rule-specific things now
+ return self.is_covered_localvars(other_rule, check_allow_deny, check_audit)
+
+ # @abstractmethod FIXME - uncomment when python3 only
+ def is_covered_localvars(self, other_rule, check_allow_deny=True, check_audit=False):
+ '''check if the rule-specific parts of other_rule is covered by this rule object'''
+ raise AppArmorBug("'%s' needs to implement is_covered_localvars(), but didn't" % (str(self)))
+
def is_equal(self, rule_obj, strict=False):
'''compare if rule_obj == self
Calls is_equal_localvars() to compare rule-specific variables'''
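Review bot: The type-mismatch message in the new `raise AppArmorBug(...)` line compares unlike things — `str(other_rule)` renders the rule's text while the second operand is a class name — so the bug text never shows which type was actually passed in. Reporting both sides as class names, `raise AppArmorBug('Passed %s instead of %s' % (type(other_rule).__name__, type(self).__name__))`, keeps the message meaningful for every rule class, which is the stated goal of moving it into the base class. The check itself reads more naturally as `if type(other_rule) is not type(self):`; keeping it strict rather than using isinstance is the right call, since it stops a rule of a different class from ever being reported as covered. Both is_covered and the is_covered_localvars placeholder are complete within the hunk; is_equal, whose header closes the hunk, continues outside it.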
@@ -85,11 +108,6 @@
return self.is_equal_localvars(rule_obj)
# @abstractmethod FIXME - uncomment when python3 only
- def is_covered(self, other_rule, check_allow_deny=True, check_audit=False):
- '''check if other_rule is covered by this rule object'''
- raise AppArmorBug("'%s' needs to implement is_covered(), but didn't" % (str(self)))
-
- # @abstractmethod FIXME - uncomment when python3 only
def is_equal_localvars(self, other_rule):
'''compare if rule-specific variables are equal'''
raise AppArmorBug("'%s' needs to implement is_equal_localvars(), but didn't" % (str(self)))
=== modified file 'utils/apparmor/rule/capability.py'
--- utils/apparmor/rule/capability.py 2014-12-16 22:17:33 +0000
+++ utils/apparmor/rule/capability.py 2014-12-18 22:50:11 +0000
@@ -95,30 +95,18 @@
else:
raise AppArmorBug("Empty capability rule")
- def is_covered(self, rule_obj, check_allow_deny=True, check_audit=False):
- '''check if rule_obj is covered by this rule object'''
-
- if not type(rule_obj) == CapabilityRule:
- raise AppArmorBug('Passes non-capability rule: %s' % str(rule_obj))
-
- if check_allow_deny and self.deny != rule_obj.deny:
- return False
+ def is_covered_localvars(self, other_rule, check_allow_deny=True, check_audit=False):
+ '''check if other_rule is covered by this rule object'''
- if not rule_obj.capability and not rule_obj.all_caps:
+ if not other_rule.capability and not other_rule.all_caps:
raise AppArmorBug('No capability specified')
if not self.all_caps:
- if rule_obj.all_caps:
+ if other_rule.all_caps:
return False
- if not rule_obj.capability.issubset(self.capability):
+ if not other_rule.capability.issubset(self.capability):
return False
- if check_audit and rule_obj.audit != self.audit:
- return False
-
- if rule_obj.audit and not self.audit:
- return False
-
# still here? -> then it is covered
return True
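Review bot: The docstring on the new `is_covered_localvars` is copied from the base-class `is_covered` and no longer says what this method actually checks, now that the deny/audit comparison lives in the base class; it should read `'''check if the capability set of other_rule is covered by this rule (deny and audit are compared by is_covered())'''`. The `check_allow_deny` and `check_audit` parameters are accepted but unused here, which is fine for the shared signature but deserves a one-line comment so a later reader does not mistake their absence for a missing check. There is also a small ordering change: the `No capability specified` validation of other_rule now runs only after the base-class audit comparison, so a malformed other_rule whose audit flag differs from self's yields False instead of raising AppArmorBug, whereas the removed code raised before comparing audit. That is presumably acceptable for a sanity check, but it is a behaviour difference the commit message does not mention.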
Regards,
Christian Boltz
--
Please resolve this as NOT A BUG and USER SHOULD HAVE MORE COFFEE BEFORE
FILING BUGS. I apologize for taking up valuable developer time!
[Jon Nelson in https://bugzilla.novell.com/show_bug.cgi?id=776271#c2]