[apparmor] [PATCH v2] utils: Basic support for bare capability rules
Tyler Hicks
tyhicks at canonical.com
Thu Mar 20 19:13:28 UTC 2014
On 2014-03-20 11:07:30, Steve Beattie wrote:
> On Thu, Mar 20, 2014 at 12:30:56PM -0500, Tyler Hicks wrote:
> > Bug: https://bugs.launchpad.net/bugs/1294819
> >
> > This patch adds minimal support for bare capability rules ("capability,").
> > It prevents aa.py from emitting a traceback when encountering such a
> > rule.
> >
> > It only adds the ability to parse and write the bare rule. It doesn't
> > attempt to be clever when deleting duplicate rules, such as realizing
> > that "capability audit_control," can be deleted if "capability," is also
> > present.
> >
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > Acked-by: Steve Beattie <steve at nxnw.org>
> > ---
> >
> > * Changes since v1:
> > - Added a todo for deleting duplicates when a bare capability rule is
> > present
> > - Changed the RE_PROFILE_CAP to enforce whitespace between the
> > capability rule identifier and the capability name.
>
> Ah yes, I'd noticed that when I first reviewed the patch, but forgot
> about it while fighting with other external issues while testing your
> patch.
>
> > - Use strip() on the capability name string
> > - Made adjustments to serialize_profile_from_old_profile() in order to
> > handle the new RE_PROFILE_CAP regex
>
> Right, this was the function I was confused about when adding dbus
> rules.
>
> Anyway, re-iterating my ack for this patch. Also, I added a token few
> testcases (if we come up with more, we can restructure this a bit):
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
These all look good to me. Thanks!
Acked-by: Tyler Hicks <tyhicks at canonical.com>
> ---
> utils/test/test-regex_matches.py | 45 +++++++++++++++++++++++++++++++++++++++
> 1 file changed, 45 insertions(+)
>
> Index: b/utils/test/test-regex_matches.py
> ===================================================================
> --- a/utils/test/test-regex_matches.py
> +++ b/utils/test/test-regex_matches.py
> @@ -110,6 +110,50 @@ def setup_split_comment_testcases():
> stub_test.__doc__ = "test '%s'" % (test_string)
> setattr(AARegexSplitComment, 'test_split_comment_%d' % (i), stub_test)
>
> +class AARegexCapability(unittest.TestCase):
> + '''Tests for RE_PROFILE_CAP'''
> +
> + def test_simple_capability_01(self):
> + '''test ' capability net_raw,' '''
> +
> + line = ' capability net_raw,'
> + result = aa.RE_PROFILE_CAP.search(line)
> + self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
> + cap = result.groups()[2].strip()
> + self.assertEqual(cap, 'net_raw', 'Expected capability "%s", got "%s"'
> + % ('net_raw', cap))
> +
> + def test_simple_capability_02(self):
> + '''test ' capability net_raw , ' '''
> +
> + line = 'capability net_raw , '
> + result = aa.RE_PROFILE_CAP.search(line)
> + self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
> + cap = result.groups()[2].strip()
> + self.assertEqual(cap, 'net_raw', 'Expected capability "%s", got "%s"'
> + % ('net_raw', cap))
> +
> + def test_capability_all_01(self):
> + '''test ' capability,' '''
> +
> + line = ' capability,'
> + result = aa.RE_PROFILE_CAP.search(line)
> + self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
> +
> + def test_capability_all_02(self):
> + '''test ' capability , ' '''
> +
> + line = ' capability , '
> + result = aa.RE_PROFILE_CAP.search(line)
> + self.assertTrue(result, 'Couldn\'t find capability rule in "%s"' % line)
> +
> + def test_simple_bad_capability_01(self):
> + '''test ' capabilitynet_raw,' '''
> +
> + line = ' capabilitynet_raw,'
> + result = aa.RE_PROFILE_CAP.search(line)
> + self.assertFalse(result, 'Found unexpected capability rule in "%s"' % line)
> +
> if __name__ == '__main__':
> verbosity = 2
>
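Review bot: test_capability_all_01 and test_capability_all_02 only assert that RE_PROFILE_CAP matches, so they would still pass if the regex captured stray text as a capability name for a bare "capability," rule. Since the two simple tests already read the name from result.groups()[2], the bare-rule tests should check that same group and assert it is empty or None, which pins down how callers tell "capability," apart from a named capability. The only negative case is ' capabilitynet_raw,'; a line with a capability name but no trailing comma would be a useful second one. In test_simple_capability_02 the docstring shows a leading space that the string assigned to line does not have, so one of the two should be adjusted to match the other. The positional index 2 also ties every test to the regex's group order, so a named group or a small helper that extracts the capability would keep the tests from breaking when the groups are rearranged.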
> @@ -119,6 +163,7 @@ if __name__ == '__main__':
> test_suite = unittest.TestSuite()
> test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexHasComma))
> test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexSplitComment))
> + test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexCapability))
> result = unittest.TextTestRunner(verbosity=verbosity).run(test_suite)
> if not result.wasSuccessful():
> exit(1)
>
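Review bot: the new addTest line for AARegexCapability is a third hand-written copy of the registration above it, so a test class that is added to this file later but not listed here will never run and the script will still exit 0. Consider looping over a tuple of the test classes (AARegexHasComma, AARegexSplitComment, AARegexCapability) and calling test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(cls)) once inside the loop, so registering a new class is a one-word change.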
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/