[apparmor] [patch] Use list check in PtraceRule and SignalRule is_covered_localvars()
Christian Boltz
apparmor at cboltz.de
Mon Dec 21 21:05:29 UTC 2015
Hello,
PtraceRule access, as well as SignalRule access and signal, can contain more
than one value. Therefore adjust is_covered_localvars() in both to use the
list (subset) check instead of the plain (exactly equal) check.
Also add a testcase for each to ensure the list/subset check works as
expected.
[ 41-ptrace-signal-use-list-in-is_covered.diff ]
=== modified file ./utils/apparmor/rule/ptrace.py
--- utils/apparmor/rule/ptrace.py 2015-12-21 00:42:28.521222690 +0100
+++ utils/apparmor/rule/ptrace.py 2015-12-21 00:41:31.129584660 +0100
@@ -135,7 +135,7 @@
def is_covered_localvars(self, other_rule):
'''check if other_rule is covered by this rule object'''
- if not self._is_covered_plain(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
+ if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
return False
if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
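Review bot: The docstring right after the signature still reads only `check if other_rule is covered by this rule object`, although the access comparison it describes has changed from exact equality to a list/subset check; it should state the new contract, e.g. `'''check if other_rule is covered by this rule object: every access of other_rule must be in self.access (or self.all_access set), and other_rule's peer must be covered by self.peer'''`. The same docstring update applies to the signal.py hunk below, where both access and signal are now compared as lists. `_is_covered_list` itself is not part of this patch, so how it handles an empty `other_rule.access` together with the `all_access` flags cannot be confirmed here; a reader should verify it reports no coverage when self.access is a strict subset of other_rule.access. The body of is_covered_localvars continues outside the hunk.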
=== modified file ./utils/apparmor/rule/signal.py
--- utils/apparmor/rule/signal.py 2015-12-21 00:42:28.521222690 +0100
+++ utils/apparmor/rule/signal.py 2015-12-21 00:41:31.133584635 +0100
@@ -182,10 +182,10 @@
def is_covered_localvars(self, other_rule):
'''check if other_rule is covered by this rule object'''
- if not self._is_covered_plain(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
+ if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
return False
- if not self._is_covered_plain(self.signal, self.all_signals, other_rule.signal, other_rule.all_signals, 'signal'):
+ if not self._is_covered_list(self.signal, self.all_signals, other_rule.signal, other_rule.all_signals, 'signal'):
return False
if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
=== modified file ./utils/test/test-ptrace.py
--- utils/test/test-ptrace.py 2015-12-21 00:13:57.195799666 +0100
+++ utils/test/test-ptrace.py 2015-12-21 16:40:16.584001925 +0100
@@ -380,6 +380,37 @@
('deny ptrace read,' , [ False , False , False , False ]),
]
+class PtraceCoveredTest_08(PtraceCoveredTest):
+ rule = 'ptrace (trace, tracedby) peer=/foo/*,'
+
+ tests = [
+ # rule equal strict equal covered covered exact
+ ('ptrace,' , [ False , False , False , False ]),
+ ('ptrace trace,' , [ False , False , False , False ]),
+ ('ptrace (tracedby, trace),' , [ False , False , False , False ]),
+ ('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
+ ('ptrace (tracedby trace) peer=/foo/bar,',[ False , False , True , True ]),
+ ('ptrace (tracedby, trace) peer=/foo/*,', [ True , False , True , True ]),
+ ('ptrace tracedby peer=/foo/bar,' , [ False , False , True , True ]),
+ ('ptrace trace peer=/foo/*,' , [ False , False , True , True ]),
+ ('ptrace trace peer=/**,' , [ False , False , False , False ]),
+ ('ptrace trace peer=/what/*,' , [ False , False , False , False ]),
+ ('ptrace peer=/foo/bar,' , [ False , False , False , False ]),
+ ('ptrace trace, # comment' , [ False , False , False , False ]),
+ ('allow ptrace trace,' , [ False , False , False , False ]),
+ ('allow ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
+ ('ptrace trace,' , [ False , False , False , False ]),
+ ('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
+ ('ptrace trace peer=/what/ever,' , [ False , False , False , False ]),
+ ('audit ptrace trace peer=/foo/bar,' , [ False , False , False , False ]),
+ ('audit ptrace,' , [ False , False , False , False ]),
+ ('ptrace tracedby,' , [ False , False , False , False ]),
+ ('audit deny ptrace trace,' , [ False , False , False , False ]),
+ ('deny ptrace trace,' , [ False , False , False , False ]),
+ ]
+
+
+
class PtraceCoveredTest_Invalid(AATest):
def test_borked_obj_is_covered_1(self):
obj = PtraceRule.parse('ptrace read peer=/foo,')
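Review bot: PtraceCoveredTest_08 only exercises other rules whose access is a subset of `(trace, tracedby)`, so the direction that would make is_covered() answer too permissively — the other rule requesting an access this rule does not grant — is not checked by the new class; adding `('ptrace (trace, tracedby, read) peer=/foo/bar,', [ False , False , False , False ]),` would pin that the list check rejects a superset. The same gap exists in the SignalCoveredTest_09 hunk below, where no case asks for a third access or a signal outside `set=(int, quit)`; one case with an extra signal in the set would cover it. Whether earlier test classes outside this hunk already cover the superset direction cannot be seen from the patch. Minor style point: the three added blank lines before `class PtraceCoveredTest_Invalid` exceed the two PEP 8 expects between top-level classes.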
=== modified file ./utils/test/test-signal.py
--- utils/test/test-signal.py 2015-12-12 13:34:40.549997194 +0100
+++ utils/test/test-signal.py 2015-12-20 23:47:40.041531733 +0100
@@ -433,6 +433,41 @@
('deny signal send,' , [ False , False , False , False ]),
]
+class SignalCoveredTest_09(SignalCoveredTest):
+ rule = 'signal (send, receive) set=(int, quit),'
+
+ tests = [
+ # rule equal strict equal covered covered exact
+ ('signal,' , [ False , False , False , False ]),
+ ('signal send,' , [ False , False , False , False ]),
+ ('signal send set=int,' , [ False , False , True , True ]),
+ ('signal receive set=quit,' , [ False , False , True , True ]),
+ ('signal (receive,send) set=int,' , [ False , False , True , True ]),
+ ('signal (receive,send) set=(int quit),',[True , False , True , True ]),
+ ('signal send set=(quit int),' , [ False , False , True , True ]),
+ ('signal send peer=/foo/bar,' , [ False , False , False , False ]),
+ ('signal send peer=/foo/*,' , [ False , False , False , False ]),
+ ('signal send peer=/**,' , [ False , False , False , False ]),
+ ('signal send peer=/what/*,' , [ False , False , False , False ]),
+ ('signal peer=/foo/bar,' , [ False , False , False , False ]),
+ ('signal send, # comment' , [ False , False , False , False ]),
+ ('allow signal send,' , [ False , False , False , False ]),
+ ('allow signal send peer=/foo/bar,' , [ False , False , False , False ]),
+ ('signal send,' , [ False , False , False , False ]),
+ ('signal send peer=/foo/bar,' , [ False , False , False , False ]),
+ ('signal send peer=/what/ever,' , [ False , False , False , False ]),
+ ('signal send set=quit,' , [ False , False , True , True ]),
+ ('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]),
+ ('audit signal send peer=/foo/bar,' , [ False , False , False , False ]),
+ ('audit signal,' , [ False , False , False , False ]),
+ ('signal receive,' , [ False , False , False , False ]),
+ ('signal set=int,' , [ False , False , False , False ]),
+ ('audit deny signal send,' , [ False , False , False , False ]),
+ ('deny signal send,' , [ False , False , False , False ]),
+ ]
+
+
+
class SignalCoveredTest_Invalid(AATest):
def test_borked_obj_is_covered_1(self):
obj = SignalRule.parse('signal send peer=/foo,')
Regards,
Christian Boltz
--
ist eine recht interessante rechnung:
3,5kg linux + bücher für €79,90
180g windows xp home ohne bücher €229,-
kennt jemand den feinunzenpreis von gold? er müßte kanpp unter
dem von windows liegen .... [Wilhelm Feichter in suse-linux]