mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Change SignalRule to use AARE instead of plain strings

Browse source 
Also adjust test-signal.py for AARE (it needs a change in _compare_obj())
and enable the regex-based tests.


Acked-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
Christian Boltz 2015-12-09 23:23:32 +01:00
parent 441d3d2ae2
commit d2dc08e78c
2 changed files with 24 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
utils/apparmor/rule/signal.py
View file

@ -14,6 +14,7 @@
import re
from apparmor.aare import AARE
from apparmor.regex import RE_PROFILE_SIGNAL, RE_PROFILE_NAME
from apparmor.common import AppArmorBug, AppArmorException
from apparmor.rule import BaseRule, BaseRuleset, check_and_split_list, parse_modifiers, quote_if_needed
@ -98,7 +99,7 @@ class SignalRule(BaseRule):
elif type(peer) == str:
if len(peer.strip()) == 0:
raise AppArmorBug('Passed empty peer to SignalRule: %s' % str(peer))
self.peer = peer # XXX use AARE
self.peer = AARE(peer, False, log_event=log_event)
else:
raise AppArmorBug('Passed unknown object to SignalRule: %s' % str(peer))
@ -181,7 +182,7 @@ class SignalRule(BaseRule):
if self.all_peers:
peer = ''
elif self.peer:
peer = ' peer=%s' % quote_if_needed(self.peer) # XXX use AARE
peer = ' peer=%s' % quote_if_needed(self.peer.regex)
else:
raise AppArmorBug('Empty peer in signal rule')
@ -196,7 +197,7 @@ class SignalRule(BaseRule):
if not other_rule.signal and not other_rule.all_signals:
raise AppArmorBug('No signal specified in other signal rule')
if not other_rule.peer and not other_rule.all_peers: # XXX use AARE
if not other_rule.peer and not other_rule.all_peers:
raise AppArmorBug('No peer specified in other signal rule')
if not self.all_access:
@ -214,7 +215,7 @@ class SignalRule(BaseRule):
if not self.all_peers:
if other_rule.all_peers:
return False
if other_rule.peer != self.peer: # XXX use AARE
if not self.peer.match(other_rule.peer.regex):
return False
# still here? -> then it is covered
@ -234,8 +235,10 @@ class SignalRule(BaseRule):
or self.all_signals != rule_obj.all_signals):
return False
if (self.peer != rule_obj.peer # XXX switch to AARE
or self.all_peers != rule_obj.all_peers):
if self.all_peers != rule_obj.all_peers:
return False
if self.peer and not self.peer.is_equal(rule_obj.peer):
return False
return True
@ -254,7 +257,7 @@ class SignalRule(BaseRule):
if self.all_peers:
peer = _('ALL')
else:
peer = self.peer # XXX use AARE
peer = self.peer.regex
return [
_('Access mode'), access,

25
utils/test/test-signal.py
View file

@ -35,7 +35,10 @@ class SignalTest(AATest):
self.assertEqual(expected.audit, obj.audit)
self.assertEqual(expected.access, obj.access)
self.assertEqual(expected.signal, obj.signal)
self.assertEqual(expected.peer, obj.peer)
if obj.peer:
self.assertEqual(expected.peer, obj.peer.regex)
else:
self.assertEqual(expected.peer, obj.peer)
self.assertEqual(expected.all_access, obj.all_access)
self.assertEqual(expected.all_signals, obj.all_signals)
self.assertEqual(expected.all_peers, obj.all_peers)
@ -382,8 +385,8 @@ class SignalCoveredTest_07(SignalCoveredTest):
('signal,' , [ False , False , False , False ]),
('signal send,' , [ False , False , False , False ]),
('signal send peer=/foo/bar,' , [ True , True , True , True ]),
#('signal send peer=/foo/*,' , [ False , False , True , True ]), # XXX
#('signal send peer=/**,' , [ False , False , True , True ]), # XXX
('signal send peer=/foo/*,' , [ False , False , False , False ]),
('signal send peer=/**,' , [ False , False , False , False ]),
('signal send peer=/what/*,' , [ False , False , False , False ]),
('signal peer=/foo/bar,' , [ False , False , False , False ]),
('signal send, # comment' , [ False , False , False , False ]),
@ -409,19 +412,19 @@ class SignalCoveredTest_08(SignalCoveredTest):
# rule equal strict equal covered covered exact
('signal,' , [ False , False , False , False ]),
('signal send,' , [ False , False , False , False ]),
#('signal send peer=/foo/bar,' , [ False , False , True , True ]), # XXX several AARE tests
#('signal send peer=/foo/*,' , [ False , False , True , True ]),
#('signal send peer=/**,' , [ False , False , True , True ]),
#('signal send peer=/what/*,' , [ False , False , True , True ]),
('signal send peer=/foo/bar,' , [ False , False , True , True ]),
('signal send peer=/foo/*,' , [ False , False , True , True ]),
('signal send peer=/**,' , [ False , False , True , True ]),
('signal send peer=/what/*,' , [ False , False , True , True ]),
('signal peer=/foo/bar,' , [ False , False , False , False ]),
('signal send, # comment' , [ False , False , False , False ]),
('allow signal send,' , [ False , False , False , False ]),
#('allow signal send peer=/foo/bar,' , [ False , False , True , True ]),
('allow signal send peer=/foo/bar,' , [ False , False , True , True ]),
('signal send,' , [ False , False , False , False ]),
#('signal send peer=/foo/bar,' , [ False , False , True , True ]),
#('signal send peer=/what/ever,' , [ False , False , True , True ]),
('signal send peer=/foo/bar,' , [ False , False , True , True ]),
('signal send peer=/what/ever,' , [ False , False , True , True ]),
('signal send set=quit,' , [ False , False , False , False ]),
#('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]),
('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]),
('audit signal send peer=/foo/bar,' , [ False , False , False , False ]),
('audit signal,' , [ False , False , False , False ]),
('signal receive,' , [ False , False , False , False ]),