[apparmor] [patch] Add a missing check in rule class is_covered()
Christian Boltz
apparmor at cboltz.de
Sat Apr 11 20:34:54 UTC 2015
Hello,
"capability foo".is_covered("deny capability foo") should return False
even if check_allow_deny is False.
Also add some tests with check_allow_deny=False.
If we merge the rule classes into 2.9, this patch should also go in.
[ 40-ruleclass-is_covered-check-deny.diff ]
=== modified file utils/apparmor/rule/__init__.py
--- utils/apparmor/rule/__init__.py 2015-03-03 20:10:40.064589000 +0100
+++ utils/apparmor/rule/__init__.py 2015-04-11 22:15:23.903854719 +0200
@@ -77,6 +77,9 @@
if check_allow_deny and self.deny != other_rule.deny:
return False
+ if other_rule.deny and not self.deny:
+ return False
+
if check_audit and other_rule.audit != self.audit:
return False
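Review bot: the new `if other_rule.deny and not self.deny: return False` is only reachable with check_allow_deny=False (with it True, a differing deny flag already returned False one line earlier), and nothing in the hunk says why an allow rule must never cover a deny rule while the reverse is permitted; a one-line comment above the check, e.g. `# an allow rule never covers a deny rule, even if check_allow_deny is False`, would save the next reader from re-deriving the asymmetry. The two checks could also be collapsed into `if self.deny != other_rule.deny and (check_allow_deny or other_rule.deny): return False`, which keeps the intent in one place. Since this lands in the shared base in utils/apparmor/rule/__init__.py, every subclass that inherits is_covered() picks up the change, while the patch's tests only exercise CapabilityRule.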
=== modified file utils/test/test-capability.py
--- utils/test/test-capability.py 2015-04-03 17:41:51.355126519 +0200
+++ utils/test/test-capability.py 2015-04-11 22:20:22.363355521 +0200
@@ -579,6 +579,12 @@
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit deny capability chgrp,')))
def test_ruleset_is_covered_21(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability chgrp,')))
+ def test_ruleset_is_covered_22(self):
+ self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,')))
+ def test_ruleset_is_covered_23(self):
+ self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False))
+ def test_ruleset_is_covered_24(self):
+ self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
# XXX - disabling these until we decide whether or not checking whether
# a log is covered by rules should be a separate entry point, possibly
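Review bot: the cover letter's motivating case, "capability foo".is_covered("deny capability foo") with check_allow_deny=False, is not tested directly; test_ruleset_is_covered_22..24 all go through self.ruleset.is_covered(), whose outcome depends on ruleset contents defined outside this hunk, so a rule-level test such as `self.assertFalse(CapabilityRule.parse('capability chgrp,').is_covered(CapabilityRule.parse('deny capability chgrp,'), check_allow_deny=False))` would pin the new branch on its own. The numbered test names (22, 23, 24) also say nothing about what distinguishes them; a short comment per test (which ruleset entry it is expected to match or miss, and that 23 differs from 22 only in check_allow_deny) would make a future failure readable.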
Regards,
Christian Boltz
--
further clues point to KMail2:
- [...]
- KMail2 is always broken, so why not here too? ;)
[Roman Fietze in opensuse-de]
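The coverage semantics argued for in this mail, shown as an added, self-contained Python model rather than AppArmor's own utils/apparmor/rule code: a hypothetical ToyCapabilityRule keeps only the capability name, audit and deny flags, its is_covered() mirrors the checks visible in the hunk with and without the new line, and the ruleset contents used in the demo are constructed here, not taken from the project's test file.

```python
"""Toy model of allow/deny coverage for capability rules.

Added illustration; not AppArmor's rule classes. It only understands
rules of the form:  [audit] [deny] capability <name>,
"""
import re

_RULE_RE = re.compile(r'^\s*(audit\s+)?(deny\s+)?capability\s+(\w+)\s*,\s*$')


class ToyCapabilityRule:
    """Hypothetical stand-in for a single capability rule."""

    def __init__(self, capability, audit=False, deny=False):
        self.capability = capability
        self.audit = audit
        self.deny = deny

    @classmethod
    def parse(cls, raw):
        m = _RULE_RE.match(raw)
        if not m:
            raise ValueError('unsupported rule: %r' % raw)
        return cls(m.group(3), audit=bool(m.group(1)), deny=bool(m.group(2)))

    def is_covered(self, other, check_allow_deny=True, check_audit=False):
        """True if this rule already includes everything `other` would grant."""
        if check_allow_deny and self.deny != other.deny:
            return False
        # The check the patch adds: an allow rule never covers a deny rule,
        # even when the caller asked to ignore allow/deny. A deny rule may
        # still cover an allow rule in that relaxed mode.
        if other.deny and not self.deny:
            return False
        if check_audit and other.audit != self.audit:
            return False
        return self.capability == other.capability

    def is_covered_before_patch(self, other, check_allow_deny=True,
                                check_audit=False):
        """Same logic without the added check, to show the old behaviour."""
        if check_allow_deny and self.deny != other.deny:
            return False
        if check_audit and other.audit != self.audit:
            return False
        return self.capability == other.capability


class ToyRuleset:
    """A list of rules; a rule is covered if any member covers it."""

    def __init__(self, rules):
        self.rules = [ToyCapabilityRule.parse(r) for r in rules]

    def is_covered(self, rule, check_allow_deny=True, check_audit=False):
        return any(r.is_covered(rule, check_allow_deny, check_audit)
                   for r in self.rules)


def demo():
    """Return the outcomes of the cases the mail and its tests describe."""
    allow = ToyCapabilityRule.parse('capability foo,')
    deny = ToyCapabilityRule.parse('deny capability foo,')
    # Constructed ruleset: one deny rule, nothing about chown.
    ruleset = ToyRuleset(['deny capability chgrp,'])
    return {
        # old code: "capability foo" wrongly claims to cover "deny capability foo"
        'old_allow_covers_deny': allow.is_covered_before_patch(
            deny, check_allow_deny=False),
        'new_allow_covers_deny': allow.is_covered(deny, check_allow_deny=False),
        'new_deny_covers_allow': deny.is_covered(allow, check_allow_deny=False),
        'strict_deny_covers_allow': deny.is_covered(allow),
        # ruleset-level, in the spirit of tests 22..24
        'rs_strict_allow_chgrp': ruleset.is_covered(
            ToyCapabilityRule.parse('capability chgrp,')),
        'rs_relaxed_allow_chgrp': ruleset.is_covered(
            ToyCapabilityRule.parse('capability chgrp,'), check_allow_deny=False),
        'rs_relaxed_deny_chown': ruleset.is_covered(
            ToyCapabilityRule.parse('deny capability chown,'),
            check_allow_deny=False),
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print('%-26s %s' % (name, value))
```

The point of keeping is_covered_before_patch() beside is_covered() is to make the risk concrete: a profile tool that answers "already covered" for a deny rule on the strength of an allow rule would silently drop the denial from the profile it writes.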