[apparmor] [Patch] utils: add limited support for af_unix rules

Christian Boltz apparmor at cboltz.de
Thu Aug 28 20:23:10 UTC 2014


Hello,

On Wednesday, 27 August 2014, Steve Beattie wrote:
> This patch adds limited support for af_unix rules in the python
> utilities, of the "don't touch them, but don't throw a python
> backtrace when coming across them, either" variety. Testcases are
> added as well.
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>
> ---
>  utils/apparmor/aa.py             |   27 +++++++++++++++++
>  utils/apparmor/rules.py          |   15 +++++++++
>  utils/test/test-regex_matches.py |   33 +++++++++++++++++++++
>  utils/test/test-unix_parse.py    |   59 +++++++++++++++++++++++++++++++++++++++
>  4 files changed, 133 insertions(+), 1 deletion(-)
> 
> Index: b/utils/test/test-unix_parse.py
> ===================================================================
> --- /dev/null
> +++ b/utils/test/test-unix_parse.py
> @@ -0,0 +1,59 @@
> +#! /usr/bin/env python
> +# ------------------------------------------------------------------
> +#
> +#    Copyright (C) 2014 Canonical Ltd.
> +#
> +#    This program is free software; you can redistribute it and/or
> +#    modify it under the terms of version 2 of the GNU General Public
> +#    License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +
> +import apparmor.aa as aa
> +import unittest
> +
> +class AAParseUnixTest(unittest.TestCase):
> +
> +    def _test_parse_unix_rule(self, rule):
> +        unix = aa.parse_unix_rule(rule)
> +        self.assertEqual(rule, unix.serialize(),
> +                'ptrace object returned "%s", expected "%s"' %
> (unix.serialize(), rule)) +
> +    def test_parse_plain_unix_rule(self):
> +        self._test_parse_unix_rule('unix,')
> +
> +    def test_parse_r_unix_rule(self):
> +        self._test_parse_unix_rule('unix r,')
> +
> +    def test_parse_w_unix_rule(self):
> +        self._test_parse_unix_rule('unix w,')
> +
> +    def test_parse_rw_unix_rule(self):
> +        self._test_parse_unix_rule('unix rw,')
> +
> +    def test_parse_send_unix_rule(self):
> +        self._test_parse_unix_rule('unix send,')
> +
> +    def test_parse_receive_unix_rule(self):
> +        self._test_parse_unix_rule('unix receive,')
> +
> +    def test_parse_r_paren_unix_rule(self):
> +        self._test_parse_unix_rule('unix (r),')
> +
> +    def test_parse_w_paren_unix_rule(self):
> +        self._test_parse_unix_rule('unix (w),')
> +
> +    def test_parse_rw_paren_unix_rule(self):
> +        self._test_parse_unix_rule('unix (rw),')
> +
> +    def test_parse_send_paren_unix_rule(self):
> +        self._test_parse_unix_rule('unix (send),')
> +
> +    def test_parse_receive_paren_unix_rule(self):
> +        self._test_parse_unix_rule('unix (receive),')
> +    def test_parse_complex_unix_rule(self):
> +        self._test_parse_unix_rule('unix (connect, receive, send)
> type=stream peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),')
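Review bot: the failure message in _test_parse_unix_rule reads 'ptrace object returned "%s", expected "%s"', which looks copied from the ptrace test; make it 'unix object returned ...' so a failing case is not misattributed. Two smaller points in the same hunk: test_parse_complex_unix_rule is not separated from the preceding method by a blank line, and none of the cases exercise the audit or deny prefixes that Raw_Unix_Rule.serialize() reproduces, so a regression there would go unnoticed; a single list of rule strings iterated in one test method would make adding 'audit unix r,' and 'deny unix (send),' a one-line change each.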

Is it really that hard to use an array for all rules to test and a 
foreach loop to actually test them? I tend to NAK this (part of the) 
patch to make sure you finally learn this *g*

> Index: b/utils/apparmor/aa.py
> ===================================================================
> --- a/utils/apparmor/aa.py
> +++ b/utils/apparmor/aa.py
> @@ -2636,6 +2636,7 @@ RE_PROFILE_MOUNT = re.compile('^\s*(audi
> +RE_PROFILE_UNIX =
> re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(unix\s*,|unix\s+[^#]*\
> s*,)\s*(#.*)?$')
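Review bot: the unix branch `unix\s+[^#]*\s*,` stops at the first `#`, so a rule whose quoted peer addr contains a literal `#` will not match and would be handled as an unknown line rather than carried through verbatim; if that is acceptable for this level of support, a comment next to the regex saying so would save the next reader a surprise. Also consider writing the pattern as a raw string (r'...'): the `\s` escapes only work here because Python keeps unknown escape sequences in plain strings, and newer Python versions warn about that.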

I wonder what the "full" regex will look like one day (probably a bit ;-) 
longer and more interesting than what you have now)

> Index: b/utils/apparmor/rules.py
> ===================================================================
> --- a/utils/apparmor/rules.py
> +++ b/utils/apparmor/rules.py
> @@ -44,6 +44,18 @@ class DBUS_Rule(object):
>          out += ','
>          return out
> 
> +class _Raw_Rule(object):
> +    audit = False
> +    deny = False
> +
> +    def __init__(self, rule):
> +        self.rule = rule
> +
> +    def serialize(self):
> +        return "%s%s%s" % ('audit ' if self.audit else '',
> +                           'deny '  if self.deny else '',
> +                           self.rule)
> +
>  class Raw_DBUS_Rule(object):
>      audit = False
>      deny = False
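Review bot: _Raw_Rule.__init__ only takes the rule text, so audit and deny have to be set as attributes after construction; `def __init__(self, rule, audit=False, deny=False)` would let a parser build the object in one step and would make the class-level defaults unnecessary. A one-line docstring stating that these are rules the utilities pass through unmodified would also help, since the class name alone does not say so.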
> @@ -103,3 +115,6 @@ class Raw_Pivot_Root_Rule(object):
>          return "%s%s%s" % ('audit ' if self.audit else '',
>                             'deny '  if self.deny else '',
>                             self.rule)
> +
> +class Raw_Unix_Rule(_Raw_Rule):
> +    pass
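Review bot: Raw_Pivot_Root_Rule directly above is now a verbatim copy of _Raw_Rule (its serialize() is the same `return "%s%s%s" % ('audit ' if self.audit else '', ...` body), so it could become `class Raw_Pivot_Root_Rule(_Raw_Rule): pass` in the same hunk as Raw_Unix_Rule; doing it now keeps the two serialize() implementations from drifting apart. Raw_Unix_Rule itself would read better with a short docstring than with a bare pass.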

Ah, you finally made a general class for raw rules to make things 
easier. I take this as an effort to simplify the code and hope we won't 
use it too often ;-)  (and have "real" code instead)

It would probably be a good idea to replace Raw_DBUS_Rule (and all other 
Raw_*_Rule classes) with _Raw_Rule, but that's worth another patch.


In the interest of getting a beta2 tarball next week,
Acked-by: Christian Boltz <apparmor at cboltz.de>

In the interest of getting easy-to-maintain code, let me warn you that 
I'll NAK code like test-unix_parse.py next time.


Regards,

Christian Boltz
-- 
A cat has one more tail than no cat. No cat has two tails, so a cat
has three tails.
[Bernd Brodesser in suse-linux]
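Added example, not part of Steve's patch or Christian's mail: the table-driven test Christian asks for, run against a small stand-in parser built from the RE_PROFILE_UNIX regex and the _Raw_Rule.serialize() layout quoted above. The parse_unix_rule and RawUnixRule here are assumptions, since the patch's own parse_unix_rule body is not quoted in the mail; the case lists are constructed. The test also covers the audit/deny prefixes and the rejection of non-rule lines, which the quoted test file does not.

```python
import re
import unittest

# Regex from the patch's aa.py hunk (RE_PROFILE_UNIX), written as a raw string.
RE_PROFILE_UNIX = re.compile(
    r'^\s*(audit\s+)?(allow\s+|deny\s+)?(unix\s*,|unix\s+[^#]*\s*,)\s*(#.*)?$')


class RawUnixRule(object):
    """Stand-in for the patch's _Raw_Rule / Raw_Unix_Rule: the rule text is kept
    verbatim, only the audit and deny prefixes are tracked separately."""

    def __init__(self, rule, audit=False, deny=False):
        self.rule = rule
        self.audit = audit
        self.deny = deny

    def serialize(self):
        # Same layout as _Raw_Rule.serialize() in the rules.py hunk.
        return '%s%s%s' % ('audit ' if self.audit else '',
                           'deny ' if self.deny else '',
                           self.rule)


def parse_unix_rule(line):
    """Hypothetical parser (the patch's own parse_unix_rule is not quoted).

    Matches RE_PROFILE_UNIX, separates the audit/allow/deny prefixes and any
    trailing comment from the rule text, and raises ValueError for anything
    that is not a unix rule line.
    """
    m = RE_PROFILE_UNIX.match(line)
    if m is None:
        raise ValueError('not a unix rule: %r' % line)
    audit = m.group(1) is not None
    deny = m.group(2) is not None and m.group(2).strip() == 'deny'
    return RawUnixRule(m.group(3).strip(), audit=audit, deny=deny)


# Constructed cases: (profile line, expected serialize() output).  'allow' and
# trailing comments are dropped on output; audit/deny are reproduced.
ROUNDTRIP_CASES = [
    ('unix,', 'unix,'),
    ('unix r,', 'unix r,'),
    ('unix (rw),', 'unix (rw),'),
    ('unix (send),', 'unix (send),'),
    ('  unix receive,', 'unix receive,'),
    ('allow unix w,', 'unix w,'),
    ('deny unix (send),', 'deny unix (send),'),
    ('audit deny unix (send receive),', 'audit deny unix (send receive),'),
    ('unix rw, # trailing comment', 'unix rw,'),
    ('unix (connect, receive, send) type=stream '
     'peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),',
     'unix (connect, receive, send) type=stream '
     'peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),'),
]

# Constructed lines the regex must reject: no closing comma, a different rule
# type, text after the closing comma, missing whitespace after the keyword.
REJECTED_LINES = ['unix r', 'ptrace,', 'unix r, trailing', 'unixr,']


class AAParseUnixTest(unittest.TestCase):

    def test_roundtrip(self):
        # One method, one list: adding a case is a one-line change.
        for rule, expected in ROUNDTRIP_CASES:
            with self.subTest(rule=rule):
                self.assertEqual(expected, parse_unix_rule(rule).serialize(),
                                 'unix object for %r' % rule)

    def test_rejects_non_unix_lines(self):
        for line in REJECTED_LINES:
            with self.subTest(line=line):
                with self.assertRaises(ValueError):
                    parse_unix_rule(line)


if __name__ == '__main__':
    unittest.main()
```

subTest (Python 3.4 and later) reports each failing rule separately, so the loop loses nothing compared with one method per rule.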