[apparmor] [PATCH v2] utils: Basic support for bare capability rules
Steve Beattie
steve at nxnw.org
Thu Mar 20 18:07:30 UTC 2014
On Thu, Mar 20, 2014 at 12:30:56PM -0500, Tyler Hicks wrote:
> Bug: https://bugs.launchpad.net/bugs/1294819
>
> This patch adds minimal support for bare capability rules ("capability,").
> It prevents aa.py from emitting a traceback when encountering such a
> rule.
>
> It only adds the ability to parse and write the bare rule. It doesn't
> attempt to be clever when deleting duplicate rules, such as realizing
> that "capability audit_control," can be deleted if "capability," is also
> present.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Acked-by: Steve Beattie <steve at nxnw.org>
> ---
>
> * Changes since v1:
> - Added a todo for deleting duplicates when a bare capability rule is
> present
> - Changed the RE_PROFILE_CAP to enforce whitespace between the
> capability rule identifier and the capability name.
Ah yes, I'd noticed that when I first reviewed the patch, but forgot
about it while fighting with other external issues while testing your
patch.
> - Use strip() on the capability name string
> - Made adjustments to serialize_profile_from_old_profile() in order to
> handle the new RE_PROFILE_CAP regex
Right, this was the function I was confused about when adding dbus
rules.
Anyway, re-iterating my ack for this patch. Also, I added a token few
testcases (if we come up with more, we can restructure this a bit):
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
utils/test/test-regex_matches.py | 45 +++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
Index: b/utils/test/test-regex_matches.py
===================================================================
--- a/utils/test/test-regex_matches.py
+++ b/utils/test/test-regex_matches.py
@@ -110,6 +110,50 @@ def setup_split_comment_testcases():
stub_test.__doc__ = "test '%s'" % (test_string)
setattr(AARegexSplitComment, 'test_split_comment_%d' % (i), stub_test)
+class AARegexCapability(unittest.TestCase):
+ '''Tests for RE_PROFILE_CAP'''
+
+ def test_simple_capability_01(self):
+ '''test ' capability net_raw,' '''
+
+ line = ' capability net_raw,'
+ result = aa.RE_PROFILE_CAP.search(line)
+ self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
+ cap = result.groups()[2].strip()
+ self.assertEqual(cap, 'net_raw', 'Expected capability "%s", got "%s"'
+ % ('net_raw', cap))
+
+ def test_simple_capability_02(self):
+ '''test ' capability net_raw , ' '''
+
+ line = 'capability net_raw , '
+ result = aa.RE_PROFILE_CAP.search(line)
+ self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
+ cap = result.groups()[2].strip()
+ self.assertEqual(cap, 'net_raw', 'Expected capability "%s", got "%s"'
+ % ('net_raw', cap))
+
+ def test_capability_all_01(self):
+ '''test ' capability,' '''
+
+ line = ' capability,'
+ result = aa.RE_PROFILE_CAP.search(line)
+ self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
+
+ def test_capability_all_02(self):
+ '''test ' capability , ' '''
+
+ line = ' capability , '
+ result = aa.RE_PROFILE_CAP.search(line)
+ self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
+
+ def test_simple_bad_capability_01(self):
+ '''test ' capabilitynet_raw,' '''
+
+ line = ' capabilitynet_raw,'
+ result = aa.RE_PROFILE_CAP.search(line)
+ self.assertFalse(result, 'Found unexpected capability rule in "%s"' % line)
+
if __name__ == '__main__':
verbosity = 2
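Review bot: test_capability_all_01 and test_capability_all_02 only assert that RE_PROFILE_CAP matches, so they would still pass if the regex captured stray text as a capability name for the bare rule. The named-rule tests read the name from result.groups()[2]; add an assertion in the bare-rule tests that the same group carries no name (None or empty after strip(), whichever the regex yields) so a bare "capability," is provably distinguishable from a named rule. Separately, in test_simple_capability_02 the docstring shows a leading space while the line under test, 'capability net_raw , ', has none; make the two agree, or state in the docstring that the no-indent case is intended.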
@@ -119,6 +163,7 @@ if __name__ == '__main__':
test_suite = unittest.TestSuite()
test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexHasComma))
test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexSplitComment))
+ test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexCapability))
result = unittest.TextTestRunner(verbosity=verbosity).run(test_suite)
if not result.wasSuccessful():
exit(1)
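Review bot: the added addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexCapability)) line is the third hand-written registration in this block, and a test class that is not listed here is silently never run. Consider building the suite by looping over a tuple of the test case classes, so adding a class and registering it happen in one place.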
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/