[apparmor] [patch] [6/9] Use DbusRule and DbusRuleset
Christian Boltz
apparmor at cboltz.de
Sun Dec 27 15:10:04 UTC 2015
Hello,
this patch changes aa.py to use DbusRule and DbusRuleset in profile_storage,
parse_profile_data() and write_dbus. This also means we can drop the now
unused parse_dbus_rule() and write_dbus_rules() functions.
Raw_DBUS_Rule in rules.py is now also unused and can be dropped.
Also shorten the list of known-failing tests in
test-parser-simple-tests.py. Even if the list of removals doesn't look
long, removing the generated_dbus/* entries means 1989 tests now produce the
expected failures.
OTOH, I had to add 4 tests to the known-failing list:
- 3 tests with a "wrong" order of the conditionals which the parser
accepts (which is slightly surprising, because usually we enforce the
order of rule parts)
- one test fails because the path in the path= conditional doesn't start
with / or a variable. Instead, it starts with an alternation, which
wouldn't be allowed in file rules.
Those 4 failures need more investigation, but shouldn't block this
patchset.
Finally, adjust test-regex_matches.py to import RE_PROFILE_DBUS from
apparmor.regex instead of apparmor.aa.
[ 57-use-DbusRule.diff ]
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-12-26 16:23:33.747458693 +0100
+++ utils/apparmor/aa.py 2015-12-26 16:21:15.120440317 +0100
@@ -46,7 +46,7 @@
RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,
RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
RE_PROFILE_CHANGE_HAT,
- RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT,
+ RE_PROFILE_HAT_DEF, RE_PROFILE_MOUNT,
RE_PROFILE_PIVOT_ROOT,
RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
strip_quotes, parse_profile_start_line, re_match_include )
@@ -55,6 +55,7 @@
from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
+from apparmor.rule.dbus import DbusRuleset, DbusRule
from apparmor.rule.network import NetworkRuleset, NetworkRule
from apparmor.rule.ptrace import PtraceRuleset, PtraceRule
from apparmor.rule.rlimit import RlimitRuleset, RlimitRule
@@ -464,6 +465,7 @@
profile['info'] = {'profile': profilename, 'hat': hat, 'calledby': calledby}
profile['capability'] = CapabilityRuleset()
+ profile['dbus'] = DbusRuleset()
profile['change_profile'] = ChangeProfileRuleset()
profile['network'] = NetworkRuleset()
profile['ptrace'] = PtraceRuleset()
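Review bot: The new `profile['dbus'] = DbusRuleset()` line is placed between the capability and change_profile initialisations, while the surrounding ruleset entries and the new `from apparmor.rule.dbus import ...` line added further up the file are in alphabetical order; moving it below `profile['change_profile'] = ChangeProfileRuleset()` keeps profile_storage consistent with that ordering. The enclosing function starts outside this hunk.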
@@ -471,7 +473,6 @@
profile['signal'] = SignalRuleset()
profile['allow']['path'] = hasher()
- profile['allow']['dbus'] = list()
profile['allow']['mount'] = list()
profile['allow']['pivot_root'] = list()
@@ -2908,28 +2909,11 @@
profile_data[profile][hat]['network'].add(NetworkRule.parse(line))
- elif RE_PROFILE_DBUS.search(line):
- matches = RE_PROFILE_DBUS.search(line).groups()
-
+ elif DbusRule.match(line):
if not profile:
raise AppArmorException(_('Syntax Error: Unexpected dbus entry found in file: %(file)s line: %(line)s') % {'file': file, 'line': lineno + 1 })
- audit = False
- if matches[0]:
- audit = True
- allow = 'allow'
- if matches[1] and matches[1].strip() == 'deny':
- allow = 'deny'
- dbus = matches[2]
-
- #parse_dbus_rule(profile_data[profile], dbus, audit, allow)
- dbus_rule = parse_dbus_rule(dbus)
- dbus_rule.audit = audit
- dbus_rule.deny = (allow == 'deny')
-
- dbus_rules = profile_data[profile][hat][allow].get('dbus', list())
- dbus_rules.append(dbus_rule)
- profile_data[profile][hat][allow]['dbus'] = dbus_rules
+ profile_data[profile][hat]['dbus'].add(DbusRule.parse(line))
elif RE_PROFILE_MOUNT.search(line):
matches = RE_PROFILE_MOUNT.search(line).groups()
@@ -3092,18 +3076,6 @@
# RE_DBUS_ENTRY = re.compile('^dbus\s*()?,\s*$')
# use stuff like '(?P<action>(send|write|w|receive|read|r|rw))'
-def parse_dbus_rule(line):
- # XXX Do real parsing here
- return aarules.Raw_DBUS_Rule(line)
-
- #matches = RE_DBUS_ENTRY.search(line).groups()
- #if len(matches) == 1:
- # XXX warn?
- # matched nothing
- # print('no matches')
- # return aarules.DBUS_Rule()
- #print(line)
-
def parse_mount_rule(line):
# XXX Do real parsing here
return aarules.Raw_Mount_Rule(line)
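Review bot: The two context comments `# RE_DBUS_ENTRY = re.compile('^dbus\s*()?,\s*$')` and `# use stuff like '(?P<action>(send|write|w|receive|read|r|rw))'` were notes for the hand-written dbus parsing that this hunk deletes, and nothing in the remaining code refers to them; they should go together with parse_dbus_rule() rather than stay as orphaned commented-out code above parse_mount_rule(). Since the real parsing now lives in DbusRule, any reader following these hints would be looking in the wrong place.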
@@ -3276,22 +3248,10 @@
data = prof_data['network'].get_clean(depth)
return data
-def write_dbus_rules(prof_data, depth, allow):
- pre = ' ' * depth
- data = []
-
- # no dbus rules, so return
- if not prof_data[allow].get('dbus', False):
- return data
-
- for dbus_rule in prof_data[allow]['dbus']:
- data.append('%s%s' % (pre, dbus_rule.serialize()))
- data.append('')
- return data
-
def write_dbus(prof_data, depth):
- data = write_dbus_rules(prof_data, depth, 'deny')
- data += write_dbus_rules(prof_data, depth, 'allow')
+ data = []
+ if prof_data.get('dbus', False):
+ data = prof_data['dbus'].get_clean(depth)
return data
def write_mount_rules(prof_data, depth, allow):
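Review bot: The rewritten write_dbus() guards with `if prof_data.get('dbus', False):` while write_network(), visible two lines above at `data = prof_data['network'].get_clean(depth)`, indexes the ruleset directly; since profile_storage in this same patch always creates `profile['dbus'] = DbusRuleset()`, the guard appears redundant, and if a profile dict ever lacked the key it would make dbus output silently disappear where the network writer would raise. Unless partially built profile dicts are expected here, `data = prof_data['dbus'].get_clean(depth)` followed by `return data` would match the other writers. If the guard is deliberate, a one-line comment saying why dbus differs would help; whether an empty DbusRuleset is falsy under `.get(...)` cannot be told from this hunk, so the two forms may also differ for empty rulesets.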
=== modified file ./utils/apparmor/rules.py
--- utils/apparmor/rules.py 2015-12-26 16:23:33.747458693 +0100
+++ utils/apparmor/rules.py 2015-12-26 15:11:59.149032447 +0100
@@ -29,9 +29,6 @@
print('%sraw rule = %s' % (tabs, self.rule))
-class Raw_DBUS_Rule(_Raw_Rule):
- pass
-
class Raw_Mount_Rule(_Raw_Rule):
pass
=== modified file ./utils/test/test-parser-simple-tests.py
--- utils/test/test-parser-simple-tests.py 2015-12-26 16:23:33.751458665 +0100
+++ utils/test/test-parser-simple-tests.py 2015-12-26 14:26:30.415290388 +0100
@@ -25,15 +25,6 @@
# XXX tests listed here will be *** SKIPPED *** XXX
skip_startswith = (
- # lots of invalid dbus rules (the tools currently just store them without any parsing)
- 'generated_dbus/bad-perms-',
- 'generated_dbus/bad-formatting-',
- 'generated_dbus/duplicated-conditionals-',
- 'generated_dbus/eavesdrop-incompat-',
- 'generated_dbus/message-incompat-',
- 'generated_dbus/pairing-unsupported-',
- 'generated_dbus/service-incompat-',
-
# the tools don't check for conflicting x permissions (yet?)
'generated_x/conflict-',
'generated_x/ambiguous-',
@@ -56,14 +47,6 @@
'capability/bad_3.sd',
'capability/bad_4.sd',
'change_hat/bad_parsing.sd',
- 'dbus/bad_bind_1.sd',
- 'dbus/bad_bind_2.sd',
- 'dbus/bad_eavesdrop_1.sd',
- 'dbus/bad_modifier_1.sd',
- 'dbus/bad_modifier_2.sd',
- 'dbus/bad_modifier_3.sd',
- 'dbus/bad_modifier_4.sd',
- 'dbus/bad_peer_1.sd',
'dbus/bad_regex_01.sd',
'dbus/bad_regex_02.sd',
'dbus/bad_regex_03.sd',
@@ -173,8 +156,6 @@
'vars/vars_dbus_bad_01.sd',
'vars/vars_dbus_bad_02.sd',
'vars/vars_dbus_bad_03.sd',
- 'vars/vars_dbus_bad_04.sd',
- 'vars/vars_dbus_bad_05.sd',
'vars/vars_dbus_bad_06.sd',
'vars/vars_dbus_bad_07.sd',
'vars/vars_file_evaluation_7.sd',
@@ -289,7 +270,13 @@
'xtrans/simple_ok_pix_1.sd', # Invalid mode pIx
'xtrans/simple_ok_pux_1.sd', # Invalid mode rPux
+ # dbus regex mismatch
+ 'vars/vars_dbus_4.sd',
+ 'vars/vars_dbus_9.sd',
+ 'vars/vars_dbus_2.sd',
+
# misc
+ 'vars/vars_dbus_8.sd', # Path doesn't start with / or variable: {/@{TLDS}/foo,/com/@{DOMAINS}}
'vars/vars_simple_assignment_12.sd', # Redefining existing variable @{BAR} ('\' not handled)
'rewrite/alias_good_5.sd', # Values added to a non-existing variable @{FOO} (defined in include, lp:1331856)
'bare_include_tests/ok_2.sd', # two #include<...> in one line
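Review bot: The new group comment `# dbus regex mismatch` says less than the cover letter, which explains that these three tests use an order of conditionals the parser accepts but the tools' regex does not, and that all four additions still need investigation; that reasoning belongs in the file so the next person pruning this list knows what to check. Something like `# dbus regex mismatch - parser accepts conditionals in an order the tools' regex rejects (needs investigation)` would carry it, and the `vars/vars_dbus_8.sd` entry could likewise end with "(needs investigation)".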
=== modified file ./utils/test/test-regex_matches.py
--- utils/test/test-regex_matches.py 2015-12-26 16:23:33.751458665 +0100
+++ utils/test/test-regex_matches.py 2015-12-26 14:28:33.910453604 +0100
@@ -14,7 +14,8 @@
from common_test import AATest, setup_all_loops
from apparmor.common import AppArmorBug, AppArmorException
-from apparmor.regex import strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include, RE_PROFILE_START, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL
+from apparmor.regex import ( strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include,
+ RE_PROFILE_START, RE_PROFILE_DBUS, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL )
class AARegexTest(AATest):
@@ -256,7 +257,7 @@
'''Tests for RE_PROFILE_DBUS'''
def AASetup(self):
- self.regex = aa.RE_PROFILE_DBUS
+ self.regex = RE_PROFILE_DBUS
tests = [
(' dbus,', (None, None, 'dbus,', None, None)),
Regards,
Christian Boltz
--
[bugzilla is] being as co-operative as a 2 legged donkey
pulling a 10 ton tractor under attack by an army of bees
[Richard Brown in opensuse-factory]