[apparmor] [patch] Change SignalRule to use AARE instead of plain strings
Christian Boltz
apparmor at cboltz.de
Fri Dec 4 17:17:23 UTC 2015
Hello,
Am Montag, 16. November 2015 schrieb Christian Boltz:
> Am Samstag, 24. Oktober 2015 schrieb Christian Boltz:
> > $subject.
> >
> > Also adjust test-signal for AARE (it needed a change in
> > _compare_obj()) and enable the regex-based tests.
>
> Here's v2 with the following changes:
> - hand over log_event when creating the AARE object
> - use self.peer.is_equal() instead of comparing .regex
>
>
> [ 16-signal-rule-use-aare.diff ]
Just a reminder: this patch and the previous one that introduces the
AARE class are basically acked-by <timeout>. However, I'd like to get
them reviewed - especially the AARE class because that will be used in
several rule classes.
Nevertheless, I'll add the usual warning:
If nobody objects, I'll commit the patches
- 15-aare-class-and-tests.diff and
- 16-signal-rule-use-aare.diff (= this one)
on Wednesday as Acked-by <timeout>.
Sidenote: Thanks to some changes caused by other, already committed
patches, the patch below doesn't apply cleanly anymore. You'll need to
s/all_accesss/all_access/g to fix that ;-)
> === modified file ./utils/apparmor/rule/signal.py
> --- utils/apparmor/rule/signal.py 2015-11-16 21:26:38.034344249
> +0100
+++ utils/apparmor/rule/signal.py 2015-11-16
> 21:32:54.104210992 +0100
@@ -14,6 +14,7 @@
>
> import re
>
> +from apparmor.aare import AARE
> from apparmor.regex import RE_PROFILE_SIGNAL, RE_PROFILE_NAME
> from apparmor.common import AppArmorBug, AppArmorException
> from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers,
> quote_if_needed
@@ -98,7 +99,7 @@
> elif type(peer) == str:
> if len(peer.strip()) == 0:
> raise AppArmorBug('Passed empty peer to SignalRule:
> %s' % str(peer))
- self.peer = peer # XXX use AARE
> + self.peer = AARE(peer, False, log_event=log_event)
> else:
> raise AppArmorBug('Passed unknown object to SignalRule:
> %s' % str(peer))
>
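Review bot: `AARE(peer, False, log_event=log_event)` passes a bare positional `False` whose meaning a reader of signal.py cannot see, while the next argument is already given by keyword; if the AARE constructor names that parameter, passing it by keyword as well would make the call self-explaining (the AARE class comes from the companion patch and is not on this page). Keeping the empty-string check ahead of the AARE construction is the right order, since it rejects an empty peer before any pattern object exists. The enclosing __init__ starts and ends outside the hunk.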
> @@ -182,7 +183,7 @@
> if self.all_peers:
> peer = ''
> elif self.peer:
> - peer = ' peer=%s' % quote_if_needed(self.peer) # XXX use
> AARE
+ peer = ' peer=%s' %
> quote_if_needed(self.peer.regex)
else:
> raise AppArmorBug('Empty signal in signal rule')
>
> @@ -197,7 +198,7 @@
> if not other_rule.signal and not other_rule.all_signals:
> raise AppArmorBug('No signal specified in other signal
> rule')
>
> - if not other_rule.peer and not other_rule.all_peers: # XXX
> use AARE
+ if not other_rule.peer and not
> other_rule.all_peers:
raise AppArmorBug('No peer specified in other
> signal rule')
>
> if not self.all_accesss:
> @@ -215,7 +216,7 @@
> if not self.all_peers:
> if other_rule.all_peers:
> return False
> - if other_rule.peer != self.peer: # XXX use AARE
> + if not self.peer.match(other_rule.peer.regex):
> return False
>
> # still here? -> then it is covered
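Review bot: `if not self.peer.match(other_rule.peer.regex):` tests whether this rule's peer pattern matches the text of the other rule's peer pattern, which is a coverage test only while that text is a literal profile name. With a glob on both sides — say `/foo/*` here and `/foo/**` in other_rule — the string `/foo/**` would presumably be matched by `/foo/*` (assuming AARE.match() treats its argument as a plain string; the AARE class is not on this page), so the wider rule is reported as covered by the narrower one. If is_covered() is what decides whether a profile already permits a logged event, that over-approximation means a needed rule is quietly not added, so until AARE can compare two patterns it would be safer to raise AppArmorBug when other_rule.peer is not a literal, and to add a test row with a glob on both sides (the enabled rows in test-signal.py are all compared against one reference rule defined outside the hunks, so it is unclear whether that case is exercised). The enclosing method starts and ends outside the hunk.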
> @@ -235,8 +236,10 @@
> or self.all_signals != rule_obj.all_signals):
> return False
>
> - if (self.peer != rule_obj.peer # XXX switch to AARE
> - or self.all_peers != rule_obj.all_peers):
> + if self.all_peers != rule_obj.all_peers:
> + return False
> +
> + if self.peer and not self.peer.is_equal(rule_obj.peer):
> return False
>
> return True
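Review bot: `self.peer.is_equal(rule_obj.peer)` hands is_equal() the AARE object, while the covered check earlier in this patch hands match() the `.regex` string; settling on one calling convention for the AARE comparisons would make the class easier to read and harder to misuse. The `self.peer and` guard also means a rule whose peer is unset compares equal to any other rule with the same all_peers flag; that looks reachable only for a malformed object once the all_peers check has passed, but a cheap `if (self.peer is None) != (rule_obj.peer is None): return False` ahead of the is_equal line would close it explicitly. The enclosing method starts outside the hunk.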
> @@ -255,7 +258,7 @@
> if self.all_peers:
> peer = _('ALL')
> else:
> - peer = self.peer # XXX use AARE
> + peer = self.peer.regex
>
> return [
> _('Access mode'), access,
> === modified file ./utils/test/test-signal.py
> --- utils/test/test-signal.py 2015-11-16 21:26:38.034344249 +0100
> +++ utils/test/test-signal.py 2015-11-16 00:14:05.371336371 +0100
> @@ -35,7 +35,10 @@
> self.assertEqual(expected.audit, obj.audit)
> self.assertEqual(expected.access, obj.access)
> self.assertEqual(expected.signal, obj.signal)
> - self.assertEqual(expected.peer, obj.peer)
> + if obj.peer:
> + self.assertEqual(expected.peer, obj.peer.regex)
> + else:
> + self.assertEqual(expected.peer, obj.peer)
> self.assertEqual(expected.all_accesss, obj.all_accesss)
> self.assertEqual(expected.all_signals, obj.all_signals)
> self.assertEqual(expected.all_peers, obj.all_peers)
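Review bot: The new branch compares `expected.peer` with `obj.peer.regex`, so the helper now silently depends on expected.peer staying the raw pattern string rather than an AARE; a one-line comment above `if obj.peer:` would save the next reader a trip to signal.py: `# obj.peer is an AARE when set; expected.peer is the raw pattern string`. The enclosing _compare_obj starts outside the hunk.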
> @@ -386,8 +389,8 @@
> ('signal,' , [ False , False
> , False , False ]), ('signal send,'
> , [ False , False , False , False ]), ('signal send
> peer=/foo/bar,' , [ True , True , True ,
> True ]), - #('signal send peer=/foo/*,' , [
> False , False , True , True ]), # XXX -
> #('signal send peer=/**,' , [ False , False ,
> True , True ]), # XXX + ('signal send peer=/foo/*,'
> , [ False , False , False , False ]), +
> ('signal send peer=/**,' , [ False , False
> , False , False ]), ('signal send peer=/what/*,' , [
> False , False , False , False ]), ('signal
> peer=/foo/bar,' , [ False , False , False
> , False ]), ('signal send, # comment' , [ False ,
> False , False , False ]), @@ -413,19 +416,19 @@
> # rule equal strict
> equal covered covered exact ('signal,'
> , [ False , False , False , False ]), ('signal
> send,' , [ False , False , False
> , False ]), - #('signal send peer=/foo/bar,' , [
> False , False , True , True ]), # XXX several
> AARE tests - #('signal send peer=/foo/*,' , [ False
> , False , True , True ]), - #('signal send
> peer=/**,' , [ False , False , True ,
> True ]), - #('signal send peer=/what/*,' , [
> False , False , True , True ]), + ('signal
> send peer=/foo/bar,' , [ False , False , True
> , True ]), + ('signal send peer=/foo/*,' , [
> False , False , True , True ]), + ('signal
> send peer=/**,' , [ False , False , True
> , True ]), + ('signal send peer=/what/*,' , [
> False , False , True , True ]), ('signal
> peer=/foo/bar,' , [ False , False , False
> , False ]), ('signal send, # comment' , [ False ,
> False , False , False ]), ('allow signal send,'
> , [ False , False , False , False ]), -
> #('allow signal send peer=/foo/bar,' , [ False , False
> , True , True ]), + ('allow signal send
> peer=/foo/bar,' , [ False , False , True , True
> ]), ('signal send,' , [ False , False
> , False , False ]), - #('signal send peer=/foo/bar,'
> , [ False , False , True , True ]), -
> #('signal send peer=/what/ever,' , [ False , False ,
> True , True ]), + ('signal send peer=/foo/bar,'
> , [ False , False , True , True ]), +
> ('signal send peer=/what/ever,' , [ False , False ,
> True , True ]), ('signal send set=quit,' , [
> False , False , False , False ]), - #('signal
> send set=int peer=/foo/bar,' , [ False , False , True
> , True ]), + ('signal send set=int peer=/foo/bar,' , [
> False , False , True , True ]), ('audit signal
> send peer=/foo/bar,' , [ False , False , False ,
> False ]), ('audit signal,' , [ False ,
> False , False , False ]), ('signal receive,'
> , [ False , False , False , False ]),
>
>
>
> Regards,
>
> Christian Boltz
Regards,
Christian Boltz
--
you could be correct in that bugzilla may not be useful in predicting
either when the bug will be resolved, or the weather next month.
so, maybe subscribe to [opensuse-crystal_ball] is the best bet.
[DenverD in opensuse-factory]