[apparmor] [patch] [13/38] Add ANY_EXEC to FileRule

Steve Beattie steve at nxnw.org
Thu Sep 22 17:38:36 UTC 2016


On Fri, Aug 12, 2016 at 10:54:09PM +0200, Christian Boltz wrote:
> aa-logprof needs to check if an exec rule for a given path exists.
> 
> This patch adds a __FileAnyExec class to FileRule, as well as ANY_EXEC
> (which should be used externally, similar to ALL), and adjusts several
> checks to allow it as a special execute mode.
> 
> This will allow to use is_covered() (or aa.py is_known_rule()) to find
> out if execute is permitted, which replaces aa.py profile_known_exec()
> in one of the following patches.
> 
> As usual, also add some tests.
> 
> [ 13-FileRule-add-ANY_EXEC.diff ]
> 
> === modified file ./utils/apparmor/rule/file.py
> --- utils/apparmor/rule/file.py	2016-02-21 15:43:58.009985520 +0100
> +++ utils/apparmor/rule/file.py	2016-02-21 16:05:39.673508607 +0100
> @@ -235,12 +242,14 @@
>              return False
>  
>          # TODO: handle fallback modes?
> -        if other_rule.exec_perms and self.exec_perms != other_rule.exec_perms:
> +        if other_rule.exec_perms == self.ANY_EXEC and self.exec_perms:
> +            pass  # avoid hitting the 'elif' branch
> +        elif other_rule.exec_perms and self.exec_perms != other_rule.exec_perms:
>              return False
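Review bot: the `pass  # avoid hitting the 'elif' branch` line in this hunk explains the control flow but not the rule it encodes, namely that a requested `ANY_EXEC` is satisfied by any exec permission on this rule, while a rule with no exec permission at all still falls through to `return False`. Folding the two branches into one condition lets the False path read on its own, e.g. `if other_rule.exec_perms and not (other_rule.exec_perms == self.ANY_EXEC and self.exec_perms) and self.exec_perms != other_rule.exec_perms:` followed by `return False`, with a comment stating that ANY_EXEC matches any concrete exec mode. Since the cover letter describes ANY_EXEC as a sentinel instance of a `__FileAnyExec` class (like ALL), comparing it with `is` rather than `==` would also make the sentinel check explicit unless the class defines `__eq__`.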

Could you give a more explanatory comment than merely wanting to skip
the elif: test? Or restructure the conditionals to make it clear in
what situations we're returning False here?

That said, that's not enough of a criticism to block my
Acked-by: Steve Beattie <steve at nxnw.org>. Thanks.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/