diff --git a/utils/apparmor/rule/ptrace.py b/utils/apparmor/rule/ptrace.py
index 0d85211d4..f7a049c34 100644
--- a/utils/apparmor/rule/ptrace.py
+++ b/utils/apparmor/rule/ptrace.py
@@ -135,7 +135,7 @@ class PtraceRule(BaseRule):
     def is_covered_localvars(self, other_rule):
         '''check if other_rule is covered by this rule object'''
-        if not self._is_covered_plain(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
+        if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
             return False
         if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
diff --git a/utils/apparmor/rule/signal.py b/utils/apparmor/rule/signal.py
index e4788c00a..ac81c8c41 100644
--- a/utils/apparmor/rule/signal.py
+++ b/utils/apparmor/rule/signal.py
@@ -182,10 +182,10 @@ class SignalRule(BaseRule):
     def is_covered_localvars(self, other_rule):
         '''check if other_rule is covered by this rule object'''
-        if not self._is_covered_plain(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
+        if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
             return False
-        if not self._is_covered_plain(self.signal, self.all_signals, other_rule.signal, other_rule.all_signals, 'signal'):
+        if not self._is_covered_list(self.signal, self.all_signals, other_rule.signal, other_rule.all_signals, 'signal'):
             return False
         if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
diff --git a/utils/test/test-ptrace.py b/utils/test/test-ptrace.py
index 3258db49b..fdb167b24 100644
--- a/utils/test/test-ptrace.py
+++ b/utils/test/test-ptrace.py
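Review bot: The docstring `'''check if other_rule is covered by this rule object'''` above the changed `+` line no longer says how the access list is compared now that the call went from `_is_covered_plain` to `_is_covered_list`; the same applies to both replaced calls in the signal.py hunk. Assuming `_is_covered_list` is the subset test its name suggests (its definition is outside this diff), spelling that out keeps the contract explicit for callers that use this method to decide whether an existing rule already covers a candidate rule, e.g. `'''check if other_rule is covered by this rule object (list-valued fields such as access are covered when every entry of other_rule's list is in self's list)'''`. `is_covered_localvars` continues past the end of the hunk in both files.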
@@ -380,6 +380,37 @@ class PtraceCoveredTest_07(PtraceCoveredTest):
         ('deny ptrace read,' , [ False , False , False , False ]),
     ]
+class PtraceCoveredTest_08(PtraceCoveredTest):
+    rule = 'ptrace (trace, tracedby) peer=/foo/*,'
+
+    tests = [
+        # rule equal strict equal covered covered exact
+        ('ptrace,' , [ False , False , False , False ]),
+        ('ptrace trace,' , [ False , False , False , False ]),
+        ('ptrace (tracedby, trace),' , [ False , False , False , False ]),
+        ('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
+        ('ptrace (tracedby trace) peer=/foo/bar,',[ False , False , True , True ]),
+        ('ptrace (tracedby, trace) peer=/foo/*,', [ True , False , True , True ]),
+        ('ptrace tracedby peer=/foo/bar,' , [ False , False , True , True ]),
+        ('ptrace trace peer=/foo/*,' , [ False , False , True , True ]),
+        ('ptrace trace peer=/**,' , [ False , False , False , False ]),
+        ('ptrace trace peer=/what/*,' , [ False , False , False , False ]),
+        ('ptrace peer=/foo/bar,' , [ False , False , False , False ]),
+        ('ptrace trace, # comment' , [ False , False , False , False ]),
+        ('allow ptrace trace,' , [ False , False , False , False ]),
+        ('allow ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
+        ('ptrace trace,' , [ False , False , False , False ]),
+        ('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
+        ('ptrace trace peer=/what/ever,' , [ False , False , False , False ]),
+        ('audit ptrace trace peer=/foo/bar,' , [ False , False , False , False ]),
+        ('audit ptrace,' , [ False , False , False , False ]),
+        ('ptrace tracedby,' , [ False , False , False , False ]),
+        ('audit deny ptrace trace,' , [ False , False , False , False ]),
+        ('deny ptrace trace,' , [ False , False , False , False ]),
+    ]
+
+
+
 class PtraceCoveredTest_Invalid(AATest):
     def test_borked_obj_is_covered_1(self):
         obj = PtraceRule.parse('ptrace read peer=/foo,')
diff --git a/utils/test/test-signal.py b/utils/test/test-signal.py
index 0fd3f71eb..73ef10358 100644
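Review bot: PtraceCoveredTest_08 only exercises the direction in which the tested rule names a subset of the base rule's accesses; no entry with a matching peer lists an access the base rule lacks, which is the case `_is_covered_list` must reject and which the old `_is_covered_plain` would also have rejected, so that side of the switch is not pinned here. Unless an earlier PtraceCoveredTest class already does so, a class whose rule is `ptrace trace peer=/foo/*,` with an entry such as `('ptrace (trace, tracedby) peer=/foo/bar,', [ False , False , False , False ]),` would cover it. SignalCoveredTest_09 in test-signal.py has the same gap for both the access list and the `set=` list, e.g. `('signal send set=(int, quit, term),', [ False , False , False , False ]),` against its `set=(int, quit)` rule. A coverage check that answered True here would let a candidate rule be treated as already permitted, so pinning the negative direction matters as much as the positive one.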
--- a/utils/test/test-signal.py
+++ b/utils/test/test-signal.py
@@ -433,6 +433,41 @@ class SignalCoveredTest_08(SignalCoveredTest):
         ('deny signal send,' , [ False , False , False , False ]),
     ]
+class SignalCoveredTest_09(SignalCoveredTest):
+    rule = 'signal (send, receive) set=(int, quit),'
+
+    tests = [
+        # rule equal strict equal covered covered exact
+        ('signal,' , [ False , False , False , False ]),
+        ('signal send,' , [ False , False , False , False ]),
+        ('signal send set=int,' , [ False , False , True , True ]),
+        ('signal receive set=quit,' , [ False , False , True , True ]),
+        ('signal (receive,send) set=int,' , [ False , False , True , True ]),
+        ('signal (receive,send) set=(int quit),',[True , False , True , True ]),
+        ('signal send set=(quit int),' , [ False , False , True , True ]),
+        ('signal send peer=/foo/bar,' , [ False , False , False , False ]),
+        ('signal send peer=/foo/*,' , [ False , False , False , False ]),
+        ('signal send peer=/**,' , [ False , False , False , False ]),
+        ('signal send peer=/what/*,' , [ False , False , False , False ]),
+        ('signal peer=/foo/bar,' , [ False , False , False , False ]),
+        ('signal send, # comment' , [ False , False , False , False ]),
+        ('allow signal send,' , [ False , False , False , False ]),
+        ('allow signal send peer=/foo/bar,' , [ False , False , False , False ]),
+        ('signal send,' , [ False , False , False , False ]),
+        ('signal send peer=/foo/bar,' , [ False , False , False , False ]),
+        ('signal send peer=/what/ever,' , [ False , False , False , False ]),
+        ('signal send set=quit,' , [ False , False , True , True ]),
+        ('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]),
+        ('audit signal send peer=/foo/bar,' , [ False , False , False , False ]),
+        ('audit signal,' , [ False , False , False , False ]),
+        ('signal receive,' , [ False , False , False , False ]),
+        ('signal set=int,' , [ False , False , False , False ]),
+        ('audit deny signal send,' , [ False , False , False , False ]),
+        ('deny signal send,' , [ False , False , False , False ]),
+    ]
+
+
+
 class SignalCoveredTest_Invalid(AATest):
     def test_borked_obj_is_covered_1(self):
         obj = SignalRule.parse('signal send peer=/foo,')