mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use list check in PtraceRule and SignalRule is_covered_localvars()

Browse source 
PtraceRule 'access' and SignalRule 'access' and 'signal' can contain
more than one value. Therefore adjust is_covered_localvars() in both
to use the list (subset) instead of the plain (exactly equal) check.

Also add a testcase for each to ensure the list/subset check works as
expected.


Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
Christian Boltz 2016-01-25 23:40:52 +01:00
parent 3519ef38a9
commit 52e76efea7
4 changed files with 69 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
utils/apparmor/rule/ptrace.py
View file

@ -135,7 +135,7 @@ class PtraceRule(BaseRule):
def is_covered_localvars(self, other_rule):
'''check if other_rule is covered by this rule object'''
if not self._is_covered_plain(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
return False
if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):

4
utils/apparmor/rule/signal.py
View file

@ -182,10 +182,10 @@ class SignalRule(BaseRule):
def is_covered_localvars(self, other_rule):
'''check if other_rule is covered by this rule object'''
if not self._is_covered_plain(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
return False
if not self._is_covered_plain(self.signal, self.all_signals, other_rule.signal, other_rule.all_signals, 'signal'):
if not self._is_covered_list(self.signal, self.all_signals, other_rule.signal, other_rule.all_signals, 'signal'):
return False
if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):

31
utils/test/test-ptrace.py
View file

@ -380,6 +380,37 @@ class PtraceCoveredTest_07(PtraceCoveredTest):
('deny ptrace read,' , [ False , False , False , False ]),
]
class PtraceCoveredTest_08(PtraceCoveredTest):
rule = 'ptrace (trace, tracedby) peer=/foo/*,'
tests = [
# rule equal strict equal covered covered exact
('ptrace,' , [ False , False , False , False ]),
('ptrace trace,' , [ False , False , False , False ]),
('ptrace (tracedby, trace),' , [ False , False , False , False ]),
('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
('ptrace (tracedby trace) peer=/foo/bar,',[ False , False , True , True ]),
('ptrace (tracedby, trace) peer=/foo/*,', [ True , False , True , True ]),
('ptrace tracedby peer=/foo/bar,' , [ False , False , True , True ]),
('ptrace trace peer=/foo/*,' , [ False , False , True , True ]),
('ptrace trace peer=/**,' , [ False , False , False , False ]),
('ptrace trace peer=/what/*,' , [ False , False , False , False ]),
('ptrace peer=/foo/bar,' , [ False , False , False , False ]),
('ptrace trace, # comment' , [ False , False , False , False ]),
('allow ptrace trace,' , [ False , False , False , False ]),
('allow ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
('ptrace trace,' , [ False , False , False , False ]),
('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
('ptrace trace peer=/what/ever,' , [ False , False , False , False ]),
('audit ptrace trace peer=/foo/bar,' , [ False , False , False , False ]),
('audit ptrace,' , [ False , False , False , False ]),
('ptrace tracedby,' , [ False , False , False , False ]),
('audit deny ptrace trace,' , [ False , False , False , False ]),
('deny ptrace trace,' , [ False , False , False , False ]),
]
class PtraceCoveredTest_Invalid(AATest):
def test_borked_obj_is_covered_1(self):
obj = PtraceRule.parse('ptrace read peer=/foo,')

35
utils/test/test-signal.py
View file

@ -433,6 +433,41 @@ class SignalCoveredTest_08(SignalCoveredTest):
('deny signal send,' , [ False , False , False , False ]),
]
class SignalCoveredTest_09(SignalCoveredTest):
rule = 'signal (send, receive) set=(int, quit),'
tests = [
# rule equal strict equal covered covered exact
('signal,' , [ False , False , False , False ]),
('signal send,' , [ False , False , False , False ]),
('signal send set=int,' , [ False , False , True , True ]),
('signal receive set=quit,' , [ False , False , True , True ]),
('signal (receive,send) set=int,' , [ False , False , True , True ]),
('signal (receive,send) set=(int quit),',[True , False , True , True ]),
('signal send set=(quit int),' , [ False , False , True , True ]),
('signal send peer=/foo/bar,' , [ False , False , False , False ]),
('signal send peer=/foo/*,' , [ False , False , False , False ]),
('signal send peer=/**,' , [ False , False , False , False ]),
('signal send peer=/what/*,' , [ False , False , False , False ]),
('signal peer=/foo/bar,' , [ False , False , False , False ]),
('signal send, # comment' , [ False , False , False , False ]),
('allow signal send,' , [ False , False , False , False ]),
('allow signal send peer=/foo/bar,' , [ False , False , False , False ]),
('signal send,' , [ False , False , False , False ]),
('signal send peer=/foo/bar,' , [ False , False , False , False ]),
('signal send peer=/what/ever,' , [ False , False , False , False ]),
('signal send set=quit,' , [ False , False , True , True ]),
('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]),
('audit signal send peer=/foo/bar,' , [ False , False , False , False ]),
('audit signal,' , [ False , False , False , False ]),
('signal receive,' , [ False , False , False , False ]),
('signal set=int,' , [ False , False , False , False ]),
('audit deny signal send,' , [ False , False , False , False ]),
('deny signal send,' , [ False , False , False , False ]),
]
class SignalCoveredTest_Invalid(AATest):
def test_borked_obj_is_covered_1(self):
obj = SignalRule.parse('signal send peer=/foo,')