[apparmor] [patch] Add a missing check in rule class is_covered()

Christian Boltz apparmor at cboltz.de
Sat Apr 11 20:34:54 UTC 2015


Hello,

"capability foo".is_covered("deny capability foo") should return False
even if check_allow_deny is False.

Also add some tests with check_allow_deny=False.


If we merge the rule classes into 2.9, this patch should also go in.


[ 40-ruleclass-is_covered-check-deny.diff ]

=== modified file utils/apparmor/rule/__init__.py
--- utils/apparmor/rule/__init__.py     2015-03-03 20:10:40.064589000 +0100
+++ utils/apparmor/rule/__init__.py     2015-04-11 22:15:23.903854719 +0200
@@ -77,6 +77,9 @@
         if check_allow_deny and self.deny != other_rule.deny:
             return False
 
+        if other_rule.deny and not self.deny:
+            return False
+
         if check_audit and other_rule.audit != self.audit:
             return False
 
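Review bot: the new check at `if other_rule.deny and not self.deny:` is deliberately unconditional, but nothing in the hunk says so, and a reader who sees it right below the `check_allow_deny` branch will likely assume the parameter was meant to switch off all deny handling. Add a one-line comment above it, e.g. `# a deny rule is never covered by an allow rule, even with check_allow_deny=False`, and spell out in the method's docstring that `check_allow_deny=False` only relaxes the other direction (an allow rule may be reported as covered by a deny rule). With `check_allow_deny=True` the new branch is unreachable, since the first check already rejects any deny mismatch; that is fine, but worth stating so nobody "optimises" it away later.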
=== modified file utils/test/test-capability.py
--- utils/test/test-capability.py       2015-04-03 17:41:51.355126519 +0200
+++ utils/test/test-capability.py       2015-04-11 22:20:22.363355521 +0200
@@ -579,6 +579,12 @@
         self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit deny capability chgrp,')))
     def test_ruleset_is_covered_21(self):
         self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability chgrp,')))
+    def test_ruleset_is_covered_22(self):
+        self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,')))
+    def test_ruleset_is_covered_23(self):
+        self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False))
+    def test_ruleset_is_covered_24(self):
+        self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
 
 # XXX - disabling these until we decide whether or not checking whether
 # a log is covered by rules should be a separate entry point, possibly
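Review bot: `test_ruleset_is_covered_22` through `_24` only make sense if the reader knows which rules `self.ruleset` contains, and the hunk gives no hint why `capability chgrp,` is uncovered with the default but covered with `check_allow_deny=False`; a short comment naming the relevant ruleset entries next to these tests would make the expected values checkable without scrolling to the fixture. Two cases from the cover letter are also missing: the rule-level call it describes (`CapabilityRule.parse('capability foo,').is_covered(CapabilityRule.parse('deny capability foo,'), check_allow_deny=False)` returning `False`), and the reverse direction with `check_allow_deny=False` (an allow rule against a deny ruleset entry), which is exactly the behaviour the unconditional check leaves untouched and which would otherwise regress silently. Using `chgrp` rather than `chown` in `_24` would also let tests 22-24 read as one allow/deny/flag matrix over a single capability.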



Regards,

Christian Boltz
-- 
further evidence does point to KMail2:
- [...]
- KMail2 is always broken, why not here too? ;)
[Roman Fietze in opensuse-de]
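The coverage semantics the mail asks for, shown as a small stand-alone model. This is an added example and not the AppArmor `utils` code: the `CapRule`, `RuleSet`, `rule_covers` and `coverage_matrix` names are assumptions chosen to mirror the mail's vocabulary, and the parser only understands the `[audit] [deny] capability <name>,` form used in the test strings. The `patched` flag lets the same function run with and without the added check, so the before/after difference for `"capability foo".is_covered("deny capability foo")` with `check_allow_deny=False` is visible side by side.

```python
# Constructed model of AppArmor-style rule coverage; not the project's own code.
from dataclasses import dataclass


@dataclass(frozen=True)
class CapRule:
    """One capability rule: '[audit] [deny] capability <name>,' (hypothetical class)."""
    capability: str
    deny: bool = False
    audit: bool = False

    @classmethod
    def parse(cls, text):
        tokens = text.strip().rstrip(',').split()
        audit = deny = False
        if tokens and tokens[0] == 'audit':
            audit, tokens = True, tokens[1:]
        if tokens and tokens[0] == 'deny':
            deny, tokens = True, tokens[1:]
        if len(tokens) != 2 or tokens[0] != 'capability':
            raise ValueError('not a capability rule: %r' % text)
        return cls(capability=tokens[1], deny=deny, audit=audit)

    def is_covered(self, other, check_allow_deny=True, check_audit=False, patched=True):
        """True if this rule (already in the profile) covers `other`."""
        return rule_covers(self, other, check_allow_deny=check_allow_deny,
                           check_audit=check_audit, patched=patched)


def rule_covers(rule, other, *, check_allow_deny=True, check_audit=False, patched=True):
    # Pre-existing logic: with the flag set, any allow/deny mismatch means "not covered".
    if check_allow_deny and rule.deny != other.deny:
        return False
    # The check the mail adds: a deny rule is never covered by an allow rule,
    # even when the caller asked to ignore the allow/deny distinction.
    # The reverse (allow rule vs. deny rule) is still allowed with the flag off.
    if patched and other.deny and not rule.deny:
        return False
    if check_audit and other.audit != rule.audit:
        return False
    return rule.capability == other.capability


class RuleSet:
    """A profile's capability rules; covered means some rule in the set covers it."""
    def __init__(self, *texts):
        self.rules = [CapRule.parse(t) for t in texts]

    def is_covered(self, other, **kwargs):
        return any(r.is_covered(other, **kwargs) for r in self.rules)


def coverage_matrix():
    """The mail's example in both directions, before and after the patch."""
    allow = CapRule.parse('capability foo,')
    deny = CapRule.parse('deny capability foo,')
    return {
        # the case the mail calls out: must be False regardless of the patch flag
        'allow_covers_deny_default': allow.is_covered(deny),
        'allow_covers_deny_flag_off_before': allow.is_covered(deny, check_allow_deny=False, patched=False),
        'allow_covers_deny_flag_off_after': allow.is_covered(deny, check_allow_deny=False),
        # reverse direction: untouched by the patch
        'deny_covers_allow_default': deny.is_covered(allow),
        'deny_covers_allow_flag_off': deny.is_covered(allow, check_allow_deny=False),
        # a ruleset with only a deny rule, queried like the test file does
        'ruleset_allow_default': RuleSet('deny capability foo,').is_covered(allow),
        'ruleset_allow_flag_off': RuleSet('deny capability foo,').is_covered(allow, check_allow_deny=False),
        'ruleset_other_cap': RuleSet('deny capability foo,').is_covered(CapRule.parse('deny capability bar,')),
    }


if __name__ == '__main__':
    for name, value in coverage_matrix().items():
        print('%-36s %s' % (name, value))
```

The only row that changes between the two runs is the allow-rule-covers-deny-rule case with `check_allow_deny=False`: it flips from `True` to `False`, which is the fix the mail describes; every other combination, including the deny-ruleset-covers-allow-rule case that the flag is meant to enable, is the same before and after.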
