[apparmor] [patch] NetworkRule: allow TYPE without DOMAIN
Christian Boltz
apparmor at cboltz.de
Thu Jun 25 20:41:15 UTC 2015
Hello,
thanks to a bug in the apparmor.d manpage, NetworkRule rejected rules
that contained only TYPE (for example "network stream,"). A bug report on
IRC and some testing with the parser showed that this is actually
allowed, so NetworkRule should of course allow it.
Note: not strip()ing rule_details is the easiest way to ensure we have
whitespace in front of the TYPE in TYPE-only rules, which is needed by
the RE_NETWORK_DETAILS regex.
Also adjust the tests to the correct behaviour.
[ 57-adjust-NetworkRule-to-fixed-manpage.diff ]
=== modified file utils/apparmor/rule/network.py
--- utils/apparmor/rule/network.py 2015-06-06 14:53:16.868029000 +0200
+++ utils/apparmor/rule/network.py 2015-06-25 22:29:49.664997088 +0200
@@ -39,12 +39,10 @@
RE_NETWORK_PROTOCOL = '(' + '|'.join(network_protocol_keywords) + ')'
RE_NETWORK_DETAILS = re.compile(
- '^\s*(' +
- '(?P<domain>' + RE_NETWORK_DOMAIN + ')' + # domain and ...
- '(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?' + # ... optional type or protocol
- '|' + # or
- '(?P<protocol>' + RE_NETWORK_PROTOCOL + ')' + # protocol only
- ')\s*$')
+ '^\s*' +
+ '(?P<domain>' + RE_NETWORK_DOMAIN + ')?' + # optional domain
+ '(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?' + # optional type or protocol
+ '\s*$')
class NetworkRule(BaseRule):
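Review bot: The new RE_NETWORK_DETAILS only recognises a TYPE-only rule because the `\s+` in front of type_or_protocol is matched by the whitespace that the parse path now leaves in rule_details (the strip() removed in the `@@ -113,7 +105,7 @@` hunk); nothing at either site records that coupling, so whoever later restores the strip() or trims the details group silently breaks `network stream,` again. Add a comment above the compiled pattern, e.g. `# TYPE-only rules ("network stream,") match via the \s+ before type_or_protocol, so callers must pass the details string unstripped`, and mirror it where the strip() was removed. Alternatively the separator requirement could live in the pattern itself, roughly `(?:(?P<domain>' + RE_NETWORK_DOMAIN + ')(?:\s+|$))?(?P<type_or_protocol>...)?`, which would let the caller keep stripping; I have not checked that against the full keyword lists. The fragments are also plain strings containing `\s`; raw strings (`r'^\s*'`, `r'(\s+(?P<type_or_protocol>'`, `r'\s*$'`) avoid relying on `\s` being passed through as an unrecognised escape.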
@@ -60,10 +58,6 @@
def __init__(self, domain, type_or_protocol, audit=False, deny=False, allow_keyword=False,
comment='', log_event=None):
- '''
- NETWORK RULE = 'network' [ [ DOMAIN [ TYPE | PROTOCOL ] ] | [ PROTOCOL ] ] ','
- '''
-
super(NetworkRule, self).__init__(audit=audit, deny=deny,
allow_keyword=allow_keyword,
comment=comment,
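Review bot: The grammar docstring on `__init__` is deleted instead of corrected, so the class loses its only statement of which rule forms are accepted at exactly the point where the accepted forms change. Replace it with the grammar the new regex implements, `NETWORK RULE = 'network' [ DOMAIN ] [ TYPE | PROTOCOL ] ','`, so the constructor and RE_NETWORK_DETAILS stay documented together. The body of `__init__` continues outside the hunk.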
@@ -89,8 +83,6 @@
if type_or_protocol in network_protocol_keywords:
self.type_or_protocol = type_or_protocol
elif type_or_protocol in network_type_keywords:
- if self.all_domains:
- raise AppArmorException('Passing type %s to NetworkRule without specifying a domain keyword is not allowed' % type_or_protocol)
self.type_or_protocol = type_or_protocol
else:
raise AppArmorBug('Passed unknown type_or_protocol to NetworkRule: %s' % type_or_protocol)
@@ -113,7 +105,7 @@
rule_details = ''
if matches.group('details'):
- rule_details = matches.group('details').strip()
+ rule_details = matches.group('details')
if rule_details:
details = RE_NETWORK_DETAILS.search(rule_details)
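Review bot: With the strip() gone, `if rule_details:` is now also true for a details group that holds only whitespace, which then goes through RE_NETWORK_DETAILS instead of the else branch that follows; whether the outer rule regex can yield such a group is not visible in this hunk. If it can, both named groups in the new pattern are optional, so the match produces domain=ALL and type_or_protocol=ALL, presumably the same result as the else branch, but that equivalence is not tested. Guarding with `if rule_details.strip():` while still passing the unstripped `rule_details` to search() keeps the TYPE-only fix and makes the whitespace-only case explicit. The enclosing parse method starts and ends outside the hunk.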
@@ -127,8 +119,6 @@
if details.group('type_or_protocol'):
type_or_protocol = details.group('type_or_protocol')
- elif details.group('protocol'):
- type_or_protocol = details.group('protocol')
else:
type_or_protocol = NetworkRule.ALL
else:
=== modified file utils/test/test-network.py
--- utils/test/test-network.py 2015-06-06 14:53:16.868029000 +0200
+++ utils/test/test-network.py 2015-06-25 22:29:15.648987500 +0200
@@ -48,6 +48,7 @@
('network inet stream,' , exp(False, False, False, '' , 'inet', False, 'stream' , False)),
('deny network inet stream, # comment' , exp(False, False, True , ' # comment' , 'inet', False, 'stream' , False)),
('audit allow network tcp,' , exp(True , True , False, '' , None , True , 'tcp' , False)),
+ ('network stream,' , exp(False, False, False, '' , None , True , 'stream' , False)),
]
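Review bot: The added case exercises only the single-space form of a TYPE-only rule, although the fix makes that form depend on the whitespace preserved in the details group. If the outer rule regex accepts them, cases where that whitespace differs, e.g. `('network  stream,' , exp(False, False, False, '' , None , True , 'stream' , False))` with two spaces, plus an `audit deny network stream,` variant, would pin the behaviour the regex change relies on. The test list continues outside the hunk.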
def _run_test(self, rawrule, expected):
@@ -58,7 +59,6 @@
class NetworkTestParseInvalid(NetworkTest):
tests = [
- ('network stream,' , AppArmorException), # domain missing
('network foo,' , AppArmorException),
('network foo bar,' , AppArmorException),
('network foo tcp,' , AppArmorException),
@@ -118,6 +118,7 @@
(NetworkRule('inet', NetworkRule.ALL) , exp(False, False, False, '' , 'inet', False, None , True )),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL) , exp(False, False, False, '' , None , True , None , True )),
(NetworkRule(NetworkRule.ALL, 'tcp') , exp(False, False, False, '' , None , True , 'tcp' , False)),
+ (NetworkRule(NetworkRule.ALL, 'stream') , exp(False, False, False, '' , None , True , 'stream' , False)),
]
def _run_test(self, obj, expected):
@@ -137,7 +138,6 @@
([None , 'tcp' ] , AppArmorBug), # wrong type for domain
(['inet', dict() ] , AppArmorBug), # wrong type for type_or_protocol
(['inet', None ] , AppArmorBug), # wrong type for type_or_protocol
- ([NetworkRule.ALL, 'stream'] , AppArmorException), # stream requires a domain
]
def _run_test(self, params, expected):
Regards,
Christian Boltz
--
[von KDE 3.0.0 auf 3.0.1 updaten]
> Wenn KDE 3.0.0 noch immer startet wurde 3.0.1 nicht richtig
> installiert würde ich mal behaupten :)
newer version, bla bla. Aber eben nicht bei "base"
naja. Ich habe nun gemerkt, daß es garnicht installiert wurde. [...]
Ich DAKU (dümmster anzunehmender KDE Updater)
[> Matthias Hentges und Stefan Onken in suse-linux]