[apparmor] [PATCH v2] utils: Basic support for bare capability rules

Steve Beattie steve at nxnw.org
Thu Mar 20 18:07:30 UTC 2014 

On Thu, Mar 20, 2014 at 12:30:56PM -0500, Tyler Hicks wrote:
> Bug: https://bugs.launchpad.net/bugs/1294819
> 
> This patch as minimal support for bare capability rules ("capability,").
> It prevents aa.py from emitting a traceback when encountering such a
> rule.
> 
> It only adds the ability to parse and write the bare rule. It doesn't
> attempt to be clever when deleting duplicate rules, such as realizing
> that "capability audit_control," can be deleted if "capability," is also
> present.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Acked-by: Steve Beattie <steve at nxnw.org>
> ---
> 
> * Changes since v1:
>   - Added a todo for deleting duplicates when a bare capability rule is
>     present
>   - Changed the RE_PROFILE_CAP to enforce whitespace between the
>     capability rule identifier and the capability name.

Ah yes, I'd noticed that when I first reviewed the patch, but forgot
about it while fighting with other external issues while testing your
patch.

>   - Use strip() on the capability name string
>   - Made adjustments to serialize_profile_from_old_profile() in order to
>     handle the new RE_PROFILE_CAP regex

Right, this was the function I was confused about when adding dbus
rules.

Anyway, re-iterating my ack for this patch. Also, I added a token few
testcases (if we come up with more, we can restructure this a bit):

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 utils/test/test-regex_matches.py |   45 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

Index: b/utils/test/test-regex_matches.py
===================================================================
--- a/utils/test/test-regex_matches.py
+++ b/utils/test/test-regex_matches.py
@@ -110,6 +110,50 @@ def setup_split_comment_testcases():
         stub_test.__doc__ = "test '%s'" % (test_string)
         setattr(AARegexSplitComment, 'test_split_comment_%d' % (i), stub_test)
 
+class AARegexCapability(unittest.TestCase):
+    '''Tests for RE_PROFILE_CAP'''
+
+    def test_simple_capability_01(self):
+        '''test '   capability net_raw,' '''
+
+        line = '   capability net_raw,'
+        result = aa.RE_PROFILE_CAP.search(line)
+        self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
+        cap = result.groups()[2].strip()
+        self.assertEqual(cap, 'net_raw', 'Expected capability "%s", got "%s"'
+                         % ('net_raw', cap))
+
+    def test_simple_capability_02(self):
+        '''test '   capability net_raw   ,  ' '''
+
+        line = 'capability     net_raw   ,  '
+        result = aa.RE_PROFILE_CAP.search(line)
+        self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
+        cap = result.groups()[2].strip()
+        self.assertEqual(cap, 'net_raw', 'Expected capability "%s", got "%s"'
+                         % ('net_raw', cap))
+
+    def test_capability_all_01(self):
+        '''test '   capability,' '''
+
+        line = '   capability,'
+        result = aa.RE_PROFILE_CAP.search(line)
+        self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
+
+    def test_capability_all_02(self):
+        '''test '   capability   ,  ' '''
+
+        line = '   capability   ,  '
+        result = aa.RE_PROFILE_CAP.search(line)
+        self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
+
+    def test_simple_bad_capability_01(self):
+        '''test '   capabilitynet_raw,' '''
+
+        line = '   capabilitynet_raw,'
+        result = aa.RE_PROFILE_CAP.search(line)
+        self.assertFalse(result, 'Found unexpected capability rule in "%s"' % line)
+
 if __name__ == '__main__':
     verbosity = 2
 
@@ -119,6 +163,7 @@ if __name__ == '__main__':
     test_suite = unittest.TestSuite()
     test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexHasComma))
     test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexSplitComment))
+    test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexCapability))
     result = unittest.TextTestRunner(verbosity=verbosity).run(test_suite)
     if not result.wasSuccessful():
         exit(1)

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140320/950d7332/attachment.pgp>

More information about the AppArmor mailing list