rule class - split out common parts from is_covered()

Split is_covered() in capability.py into - is_covered_localparts() for rule-specific code - is_covered() for common code - located in __init__.py The object type comparison now uses type(self) and a slightly different error message to make it usable everywhere. Also rename rule_obj to other_rule which is more self-explaining (inspired by the parameter name in the is_covered() dummy in __init__.py). v2: - remove check_allow_deny and check_audit parameters from is_covered_localvars() Acked-by: Steve Beattie <steve@nxnw.org>
2025-03-04 16:35:02 +01:00 · 2015-01-16 14:59:49 +01:00 · 2015-01-16 14:59:49 +01:00 · 60b05ab1b9
commit 60b05ab1b9
parent 7085b53583
2 changed files with 28 additions and 22 deletions
--- a/utils/apparmor/rule/init.py
+++ b/utils/apparmor/rule/init.py
@ -68,6 +68,29 @@ class BaseRule(object):
        else:
            return self.get_clean(depth)

+    def is_covered(self, other_rule, check_allow_deny=True, check_audit=False):
+        '''check if other_rule is covered by this rule object'''
+
+        if not type(other_rule) == type(self):
+            raise AppArmorBug('Passes %s instead of %s' % (str(other_rule),self.__class__.__name__))
+
+        if check_allow_deny and self.deny != other_rule.deny:
+            return False
+
+        if check_audit and other_rule.audit != self.audit:
+            return False
+
+        if other_rule.audit and not self.audit:
+            return False
+
+        # still here? -> then the common part is covered, check rule-specific things now
+        return self.is_covered_localvars(other_rule)
+
+    # @abstractmethod  FIXME - uncomment when python3 only
+    def is_covered_localvars(self, other_rule):
+        '''check if the rule-specific parts of other_rule is covered by this rule object'''
+        raise AppArmorBug("'%s' needs to implement is_covered_localvars(), but didn't" % (str(self)))
+
    def is_equal(self, rule_obj, strict=False):
        '''compare if rule_obj == self
           Calls is_equal_localvars() to compare rule-specific variables'''
@ -84,11 +107,6 @@ class BaseRule(object):

        return self.is_equal_localvars(rule_obj)

-    # @abstractmethod  FIXME - uncomment when python3 only
-    def is_covered(self, other_rule, check_allow_deny=True, check_audit=False):
-        '''check if other_rule is covered by this rule object'''
-        raise AppArmorBug("'%s' needs to implement is_covered(), but didn't" % (str(self)))
-
    # @abstractmethod  FIXME - uncomment when python3 only
    def is_equal_localvars(self, other_rule):
        '''compare if rule-specific variables are equal'''
--- a/utils/apparmor/rule/capability.py
+++ b/utils/apparmor/rule/capability.py
@ -95,28 +95,16 @@ class CapabilityRule(BaseRule):
            else:
                raise AppArmorBug("Empty capability rule")

-    def is_covered(self, rule_obj, check_allow_deny=True, check_audit=False):
-        '''check if rule_obj is covered by this rule object'''
+    def is_covered_localvars(self, other_rule):
+        '''check if other_rule is covered by this rule object'''

-        if not type(rule_obj) == CapabilityRule:
-            raise AppArmorBug('Passes non-capability rule: %s' % str(rule_obj))
-
-        if check_allow_deny and self.deny != rule_obj.deny:
-            return False
-
-        if not rule_obj.capability and not rule_obj.all_caps:
+        if not other_rule.capability and not other_rule.all_caps:
            raise AppArmorBug('No capability specified')

        if not self.all_caps:
-            if rule_obj.all_caps:
+            if other_rule.all_caps:
                return False
-            if not rule_obj.capability.issubset(self.capability):
-                return False
-
-        if check_audit and rule_obj.audit != self.audit:
-            return False
-
-        if rule_obj.audit and not self.audit:
+            if not other_rule.capability.issubset(self.capability):
                return False

        # still here? -> then it is covered