[apparmor] [PATCH] utils: Basic support for file prefix in path rules
Steve Beattie
steve at nxnw.org
Thu Mar 27 07:51:20 UTC 2014
On Wed, Mar 26, 2014 at 09:02:47PM -0500, Tyler Hicks wrote:
> Bug: https://bugs.launchpad.net/bugs/1295346
>
> Add the ability to read and write path rules containing the file prefix.
> This also includes bare "file," rules.
>
> The ALL global is updated to include a preceding NUL char to eliminate
> possibilities of a real file path colliding with the ALL global.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Nack.
Unfortunately, RE_PROFILE_PATH_ENTRY ends up matching other bareword
keywords, like so:
$ sudo sh -c 'PYTHONPATH=. python3 ./aa-enforce ~/tmp/true '
Traceback (most recent call last):
  File "./aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/home/steve/bzr/apparmor/utils/apparmor/tools.py", line 153, in cmd_enforce
    apparmor.read_profiles()
  File "/home/steve/bzr/apparmor/utils/apparmor/aa.py", line 2564, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/home/steve/bzr/apparmor/utils/apparmor/aa.py", line 2590, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/home/steve/bzr/apparmor/utils/apparmor/aa.py", line 2944, in parse_profile_data
    load_include(include_name)
  File "/home/steve/bzr/apparmor/utils/apparmor/aa.py", line 4283, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/home/steve/bzr/apparmor/utils/apparmor/aa.py", line 2944, in parse_profile_data
    load_include(include_name)
  File "/home/steve/bzr/apparmor/utils/apparmor/aa.py", line 4283, in load_include
    incdata = parse_profile_data(data, incfile, True)
  File "/home/steve/bzr/apparmor/utils/apparmor/aa.py", line 2888, in parse_profile_data
    raise AppArmorException(_('Syntax Error: Invalid path entry found in file: %s line: %s') % (file, lineno + 1))
apparmor.common.AppArmorException: 'Syntax Error: Invalid path entry found in file: abstractions/ubuntu-helpers line: 42'
Line 42 of abstractions/ubuntu-helpers contains simply:
dbus,
Also unfortunately, the added test cases were not being exercised and
were pointing at the wrong regular expression. (Yes, I'm aware of the
difficulty of running the tests on ubuntu trusty right now due to some
python difficulties.)
I've attached the updated patch with the testcase issues fixed, plus
an additional test case -- and yes, test_simple_bad_file_01() fails. The
following is the diff between the two versions:
diff -u b/utils/test/test-regex_matches.py b/utils/test/test-regex_matches.py
--- b/utils/test/test-regex_matches.py
+++ b/utils/test/test-regex_matches.py
@@ -164,7 +164,7 @@
'''test ' /tmp/foo r,' '''
line = ' /tmp/foo r,'
- result = aa.RE_PROFILE_CAP.search(line)
+ result = aa.RE_PROFILE_PATH_ENTRY.search(line)
self.assertTrue(result, 'Couldn\'t find file rule in "%s"' % line)
mode = result.groups()[5].strip()
self.assertEqual(mode, 'r', 'Expected mode "r", got "%s"' % (mode))
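Review bot: switching from RE_PROFILE_CAP to RE_PROFILE_PATH_ENTRY is the right target, but the mode is still pulled out with the positional `result.groups()[5]`, which ties the test to the current group layout of the regex; naming the groups in RE_PROFILE_PATH_ENTRY (or reusing whatever index constants the parser itself uses) would keep a later reordering from silently asserting the wrong field.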
@@ -173,7 +173,7 @@
'''test ' audit /tmp/foo rw,' '''
line = ' audit /tmp/foo rw,'
- result = aa.RE_PROFILE_CAP.search(line)
+ result = aa.RE_PROFILE_PATH_ENTRY.search(line)
self.assertTrue(result, 'Couldn\'t find file rule in "%s"' % line)
audit = result.groups()[0].strip()
self.assertEqual(audit, 'audit', 'Couldn\t find audit modifier')
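Review bot: the last context line, `self.assertEqual(audit, 'audit', 'Couldn\t find audit modifier')`, escapes a tab instead of the apostrophe; it should read `'Couldn\'t find audit modifier'` like the assertTrue message two lines above. It does not change the verdict, only the failure message that gets printed.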
@@ -184,7 +184,7 @@
'''test ' audit deny /tmp/foo rw,' '''
line = ' audit deny /tmp/foo rw,'
- result = aa.RE_PROFILE_CAP.search(line)
+ result = aa.RE_PROFILE_PATH_ENTRY.search(line)
self.assertTrue(result, 'Couldn\'t find file rule in "%s"' % line)
audit = result.groups()[0].strip()
self.assertEqual(audit, 'audit', 'Couldn\t find audit modifier')
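Review bot: the same `\t`-for-`\'t` slip appears in the failure message on the last context line of this hunk; worth correcting in the same pass while these tests are being touched.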
@@ -197,7 +197,7 @@
'''test ' file /tmp/foo rw,' '''
line = ' file /tmp/foo rw,'
- result = aa.RE_PROFILE_CAP.search(line)
+ result = aa.RE_PROFILE_PATH_ENTRY.search(line)
self.assertTrue(result, 'Couldn\'t find file rule in "%s"' % line)
file_prefix = result.groups()[3].strip()
self.assertEqual(file_prefix, 'file', 'Couldn\t find file prefix')
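Review bot: `'Couldn\t find file prefix'` has the same `\t` escape slip, and `file_prefix = result.groups()[3].strip()` hard-codes the prefix group position; as with the mode index, a named group would make the assertion document what it checks and survive a regex reshuffle.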
@@ -207,14 +207,21 @@
def test_simple_file_02(self):
'''test ' file,' '''
- line = ' file /tmp/foo rw,'
- result = aa.RE_PROFILE_CAP.search(line)
+ line = ' file,'
+ result = aa.RE_PROFILE_PATH_ENTRY.search(line)
self.assertTrue(result, 'Couldn\'t find file rule in "%s"' % line)
file_prefix = result.groups()[3].strip()
self.assertEqual(file_prefix, 'file', 'Couldn\t find file prefix')
mode = result.groups()[5]
self.assertEqual(mode, None, 'Unexpected mode, got "%s"' % (mode))
+ def test_simple_bad_file_01(self):
+ '''test ' dbus,' '''
+
+ line = ' dbus,'
+ result = aa.RE_PROFILE_PATH_ENTRY.search(line)
+ self.assertFalse(result, 'RE_PROFILE_PATH_ENTRY unexpectedly matched "%s"' % line)
+
if __name__ == '__main__':
verbosity = 2
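Review bot: the docstring of test_simple_file_02 promised ' file,' but the body had copied ' file /tmp/foo rw,' from the previous test, so the bare-keyword form was never checked; the corrected line plus the new test_simple_bad_file_01 now cover the positive and the negative case. Since ' dbus,' is only one of the bareword keywords the regex mis-accepts, the negative test could iterate over a list of such keywords once RE_PROFILE_PATH_ENTRY is tightened, and the stray blank line after the new docstring departs from the layout of the surrounding tests.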
@@ -225,6 +232,7 @@
test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexHasComma))
test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexSplitComment))
test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexCapability))
+ test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexPath))
result = unittest.TextTestRunner(verbosity=verbosity).run(test_suite)
if not result.wasSuccessful():
exit(1)
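Review bot: the missing `addTest` for AARegexPath is why none of the path tests ran, so adding it is necessary, but a hand-maintained list will drop the next TestCase class just as silently; `unittest.TestLoader().loadTestsFromModule(sys.modules[__name__])` or a plain `unittest.main(verbosity=2)` would collect every class in the file automatically.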
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tyhicks-utils_file_keyword.patch
Type: text/x-diff
Size: 12585 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140327/403e5dce/attachment-0001.patch>
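The over-match described in the reply above, as an added Python illustration that is not the apparmor utils' own code: a rule regex whose "file" prefix and path are both optional accepts any bare keyword followed by a comma, while a form that requires either the bare "file," keyword or a real path rejects ' dbus,'. Both regexes and the sample profile lines are constructed here and only approximate AppArmor's rule syntax.

```python
import re

# Constructed illustration, not the apparmor utils' real RE_PROFILE_PATH_ENTRY:
# when both the "file" prefix and the path are optional, any bare keyword
# followed by a comma, such as "dbus,", satisfies the pattern.
RE_OVERMATCHING = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?(?P<owner>owner\s+)?'
    r'(?P<file>file\s*)?'           # optional "file" keyword
    r'(?P<path>\S*)\s*'             # path, but also matches any bare word
    r'(?P<mode>[a-zA-Z]*)\s*,'      # mode, may be empty
)

# Stricter form: a rule is either the bare keyword "file," or an optional
# "file" prefix followed by a quoted or absolute path plus a mode. Variable
# paths such as @{HOME}/... are left out to keep the illustration short.
RE_STRICT = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?(?P<owner>owner\s+)?'
    r'(?:(?P<bare>file)\s*,'
    r'|(?P<file>file\s+)?(?P<path>"[^"]+"|/\S+)\s+(?P<mode>[a-zA-Z]+)\s*,)'
)


def parse_file_rule(regex, line):
    """Return the rule's fields as a dict, or None if the regex rejects the line."""
    m = regex.search(line)
    if m is None:
        return None
    fields = {k: v.strip() for k, v in m.groupdict().items() if v}
    if fields.pop('bare', None):
        fields['file'] = 'file'     # bare "file," rule: prefix, no path or mode
    return fields


# Constructed profile lines; the last one is the abstractions/ubuntu-helpers
# line that tripped the parser in the traceback above.
SAMPLE_LINES = [
    ' /tmp/foo r,',
    ' audit deny /tmp/foo rw,',
    ' file /tmp/foo rw,',
    ' file,',
    ' dbus,',
]


def spurious_matches(lines):
    """Lines the permissive regex accepts as file rules but the strict one rejects."""
    return [l for l in lines
            if parse_file_rule(RE_OVERMATCHING, l) is not None
            and parse_file_rule(RE_STRICT, l) is None]
```

Running `spurious_matches(SAMPLE_LINES)` returns only ' dbus,': every genuine file rule, including the bare "file," form, is accepted by both regexes.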