[apparmor] [PATCH 2/3] utils: Basic support for ptrace rules

Christian Boltz apparmor at cboltz.de
Sat Apr 5 18:44:12 UTC 2014


Hello,

Am Donnerstag, 3. April 2014 schrieb Tyler Hicks:
> Bug: https://bugs.launchpad.net/bugs/1300317
> 
> This patch does bare bones parsing of ptrace rules and stores the raw
> strings for writing them out later. It is meant to be a simple change
> to prevent aa.py from emitting a traceback when encountering ptrace
> rules.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-By: Christian Boltz <apparmor at cboltz.de>
with similar complaints as in the signal patch:

> --- /dev/null
> +++ b/utils/test/test-ptrace_parse.py
...
> +class AAParsePtraceTest(unittest.TestCase):
> +
> +    def _test_parse_ptrace_rule(self, rule):
> +        ptrace = aa.parse_ptrace_rule(rule)
> +        print(ptrace.serialize())
> +        self.assertEqual(rule, ptrace.serialize(),
> +                'ptrace object returned "%s", expected "%s"' % (ptrace.serialize(), rule))
> +
> +    def test_parse_plain_ptrace_rule(self):
> +        self._test_parse_ptrace_rule('ptrace,')
> +
> +    def test_parse_readby_ptrace_rule(self):
> +        self._test_parse_ptrace_rule('ptrace (readby),')
> +
> +    def test_parse_trace_ptrace_rule(self):
> +        self._test_parse_ptrace_rule('ptrace (trace),')
> +
> +    def test_parse_trace_read_ptrace_rule(self):
> +        self._test_parse_ptrace_rule('ptrace (trace read),')
[...]

Guess how short this code would be when using an array of rules to test 
;-)

> diff --git a/utils/test/test-regex_matches.py b/utils/test/test-regex_matches.py
> index 7096a50..3118c35 100644
> --- a/utils/test/test-regex_matches.py
> +++ b/utils/test/test-regex_matches.py

> @@ -365,6 +372,77 @@ class AARegexSignal(unittest.TestCase):
>          self.assertEqual(parsed, rule, 'Expected signal rule "%s", got "%s"' % (rule, parsed))
> 
> +class AARegexPtrace(unittest.TestCase):
> +    '''Tests for RE_PROFILE_PTRACE'''
> +
> +    def test_bare_ptrace_01(self):
> +        '''test '   ptrace,' '''
> +
> +        rule = 'ptrace,'
> +        line = '   %s' % rule
> +        result = aa.RE_PROFILE_PTRACE.search(line)
> +        self.assertTrue(result, 'Couldn\'t find ptrace rule in "%s"' % line)
> +        parsed = result.groups()[2].strip()
> +        self.assertEqual(parsed, rule, 'Expected ptrace rule "%s", got "%s"'
> +                         % (rule, parsed))
> +
> +    def test_bare_ptrace_02(self):
> +        '''test '   audit ptrace,' '''
> +
> +        rule = 'ptrace,'
> +        line = '   audit %s' % rule
> +        result = aa.RE_PROFILE_PTRACE.search(line)
> +        self.assertTrue(result, 'Couldn\'t find ptrace rule in "%s"' % line)
> +        self.assertTrue(result.groups()[0], 'Couldn\'t find audit modifier in "%s"' % line)
> +        parsed = result.groups()[2].strip()
> +        self.assertEqual(parsed, rule, 'Expected ptrace rule "%s", got "%s"'
> +                         % (rule, parsed))
> +
> +    def test_simple_ptrace_01(self):
> +        '''test '   ptrace trace,' '''
> +
> +        rule = 'ptrace trace,'
> +        line = '   %s' % rule
> +        result = aa.RE_PROFILE_PTRACE.search(line)
> +        self.assertTrue(result, 'Couldn\'t find ptrace rule in "%s"' % line)
> +        parsed = result.groups()[2].strip()
> +        self.assertEqual(parsed, rule, 'Expected ptrace rule "%s", got "%s"'
> +                         % (rule, parsed))
> +
> +    def test_simple_ptrace_02(self):
> +        '''test '   ptrace (tracedby, readby),' '''
> +
> +        rule = 'ptrace (tracedby, readby),'
> +        line = '   %s' % rule
> +        result = aa.RE_PROFILE_PTRACE.search(line)
> +        self.assertTrue(result, 'Couldn\'t find ptrace rule in "%s"' % line)
> +        parsed = result.groups()[2].strip()
> +        self.assertEqual(parsed, rule, 'Expected ptrace rule "%s", got "%s"'
> +                         % (rule, parsed))
> +
> +    def test_simple_ptrace_03(self):
> +        '''test '   audit ptrace (read),' '''
> +
> +        rule = 'ptrace (read),'
> +        line = '   audit %s' % rule
> +        result = aa.RE_PROFILE_PTRACE.search(line)
> +        self.assertTrue(result, 'Couldn\'t find ptrace rule in "%s"' % line)
> +        self.assertTrue(result.groups()[0], 'Couldn\'t find audit modifier in "%s"' % line)
> +        parsed = result.groups()[2].strip()
> +        self.assertEqual(parsed, rule, 'Expected ptrace rule "%s", got "%s"'
> +                         % (rule, parsed))
> +
> +    def test_peer_ptrace_01(self):
> +        '''test '   ptrace trace peer=/usr/sbin/daemon,' '''
> +
> +        rule = 'ptrace trace peer=/usr/sbin/daemon,'
> +        line = '   %s' % rule
> +        result = aa.RE_PROFILE_PTRACE.search(line)
> +        self.assertTrue(result, 'Couldn\'t find ptrace rule in "%s"' % line)
> +        parsed = result.groups()[2].strip()
> +        self.assertEqual(parsed, rule, 'Expected ptrace rule "%s", got "%s"'
> +                         % (rule, parsed))
> +
>  if __name__ == '__main__':
>      verbosity = 2
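Review bot: Every case in AARegexPtrace asserts a successful match, so nothing in this hunk pins down what RE_PROFILE_PTRACE must reject, and `result.groups()[1]` is never examined. The patch description says the raw rule string is stored and written back out later, so a pattern that also matched a look-alike line would pass these tests unnoticed; the regex itself is not quoted in this mail, so whether it does is not visible here. I would add a negative case such as `self.assertIsNone(aa.RE_PROFILE_PTRACE.search('   ptracefoo,'))` and a `deny ptrace,` case that asserts on `result.groups()[1]`, assuming that group carries the allow/deny modifier as the use of indices 0 and 2 suggests. The hunk is shown as quoted by the reviewer, with earlier parts of the file's diff trimmed.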

Same here - an array with the rule and the expected results would be 
much easier to handle.

Again, this can be done as a follow-up patch.


Regards,

Christian Boltz
-- 
[SuSE 8.2] Auch die Paketverwaltung via YaST2 ist endlich einigermaßen
brauchbar: Du kannst ein Paket auf ein permanentes "Tabu" setzen und -
jetzt kommt die Überraschung - er überschreibt es _wirklich_ nicht! ;-)
[René Matthäi in suse-linux]



