[apparmor] [PATCH v2] utils: Basic support for bare capability rules

Tyler Hicks tyhicks at canonical.com
Thu Mar 20 19:13:28 UTC 2014


On 2014-03-20 11:07:30, Steve Beattie wrote:
> On Thu, Mar 20, 2014 at 12:30:56PM -0500, Tyler Hicks wrote:
> > Bug: https://bugs.launchpad.net/bugs/1294819
> > 
> > This patch adds minimal support for bare capability rules ("capability,").
> > It prevents aa.py from emitting a traceback when encountering such a
> > rule.
> > 
> > It only adds the ability to parse and write the bare rule. It doesn't
> > attempt to be clever when deleting duplicate rules, such as realizing
> > that "capability audit_control," can be deleted if "capability," is also
> > present.
> > 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > Acked-by: Steve Beattie <steve at nxnw.org>
> > ---
> > 
> > * Changes since v1:
> >   - Added a todo for deleting duplicates when a bare capability rule is
> >     present
> >   - Changed the RE_PROFILE_CAP to enforce whitespace between the
> >     capability rule identifier and the capability name.
> 
> Ah yes, I'd noticed that when I first reviewed the patch, but forgot
> about it while fighting with other external issues while testing your
> patch.
> 
> >   - Use strip() on the capability name string
> >   - Made adjustments to serialize_profile_from_old_profile() in order to
> >     handle the new RE_PROFILE_CAP regex
> 
> Right, this was the function I was confused about when adding dbus
> rules.
> 
> Anyway, re-iterating my ack for this patch. Also, I added a token few
> testcases (if we come up with more, we can restructure this a bit):
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

These all look good to me. Thanks!

Acked-by: Tyler Hicks <tyhicks at canonical.com>

> ---
>  utils/test/test-regex_matches.py |   45 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 45 insertions(+)
> 
> Index: b/utils/test/test-regex_matches.py
> ===================================================================
> --- a/utils/test/test-regex_matches.py
> +++ b/utils/test/test-regex_matches.py
> @@ -110,6 +110,50 @@ def setup_split_comment_testcases():
>          stub_test.__doc__ = "test '%s'" % (test_string)
>          setattr(AARegexSplitComment, 'test_split_comment_%d' % (i), stub_test)
>  
> +class AARegexCapability(unittest.TestCase):
> +    '''Tests for RE_PROFILE_CAP'''
> +
> +    def test_simple_capability_01(self):
> +        '''test '   capability net_raw,' '''
> +
> +        line = '   capability net_raw,'
> +        result = aa.RE_PROFILE_CAP.search(line)
> +        self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
> +        cap = result.groups()[2].strip()
> +        self.assertEqual(cap, 'net_raw', 'Expected capability "%s", got "%s"'
> +                         % ('net_raw', cap))
> +
> +    def test_simple_capability_02(self):
> +        '''test '   capability net_raw   ,  ' '''
> +
> +        line = 'capability     net_raw   ,  '
> +        result = aa.RE_PROFILE_CAP.search(line)
> +        self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
> +        cap = result.groups()[2].strip()
> +        self.assertEqual(cap, 'net_raw', 'Expected capability "%s", got "%s"'
> +                         % ('net_raw', cap))
> +
> +    def test_capability_all_01(self):
> +        '''test '   capability,' '''
> +
> +        line = '   capability,'
> +        result = aa.RE_PROFILE_CAP.search(line)
> +        self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
> +
> +    def test_capability_all_02(self):
> +        '''test '   capability   ,  ' '''
> +
> +        line = '   capability   ,  '
> +        result = aa.RE_PROFILE_CAP.search(line)
> +        self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
> +
> +    def test_simple_bad_capability_01(self):
> +        '''test '   capabilitynet_raw,' '''
> +
> +        line = '   capabilitynet_raw,'
> +        result = aa.RE_PROFILE_CAP.search(line)
> +        self.assertFalse(result, 'Found unexpected capability rule in "%s"' % line)
> +
>  if __name__ == '__main__':
>      verbosity = 2
>  
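Review bot: test_capability_all_01 and test_capability_all_02 only assert that RE_PROFILE_CAP matches the bare rule and never inspect result.groups()[2], so they would still pass if the regex captured stray text as a capability name for "capability,". The named-capability tests already read result.groups()[2].strip(); assert what that group holds for the bare form as well, and if it can be None there, note that a bare .strip() call on it would raise. Separately, the docstring of test_simple_capability_02 says '   capability net_raw   ,  ' while the line under test is 'capability     net_raw   ,  ' with no leading whitespace, so the two should be made to agree. Since the point of the regex change is to require whitespace after the keyword, more than one negative case besides 'capabilitynet_raw,' would pin that down better.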
> @@ -119,6 +163,7 @@ if __name__ == '__main__':
>      test_suite = unittest.TestSuite()
>      test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexHasComma))
>      test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexSplitComment))
> +    test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexCapability))
>      result = unittest.TextTestRunner(verbosity=verbosity).run(test_suite)
>      if not result.wasSuccessful():
>          exit(1)
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/


