[apparmor] [patch] Change SignalRule to use AARE instead of plain strings

Christian Boltz apparmor at cboltz.de
Sat Oct 24 14:50:04 UTC 2015


Hello,

$subject.

Also adjust test-signal for AARE (it needed a change in _compare_obj())
and enable the regex-based tests.


[ 16-signal-rule-use-aare.diff ]

=== modified file ./utils/apparmor/rule/signal.py
--- utils/apparmor/rule/signal.py       2015-10-23 14:57:14.735767822 +0200
+++ utils/apparmor/rule/signal.py       2015-10-24 16:43:35.297451192 +0200
@@ -14,6 +14,7 @@
 
 import re
 
+from apparmor.aare import AARE
 from apparmor.regex import RE_PROFILE_SIGNAL, RE_PROFILE_NAME
 from apparmor.common import AppArmorBug, AppArmorException
 from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers, quote_if_needed
@@ -99,7 +99,7 @@
         elif type(peer) == str:
             if len(peer.strip()) == 0:
                 raise AppArmorBug('Passed empty peer to SignalRule: %s' % str(peer))
-            self.peer = peer  # XXX use AARE
+            self.peer = AARE(peer, False)
         else:
             raise AppArmorBug('Passed unknown object to SignalRule: %s' % str(peer))
 
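Review bot: `self.peer = AARE(peer, False)` passes a bare positional `False`, so a reader must open AARE's constructor to learn what is being switched off (presumably the is_path flag); if the constructor accepts it by keyword, `self.peer = AARE(peer, is_path=False)` would document that in place. The check just above rejects a whitespace-only peer, but the unstripped string is still what gets wrapped, so a peer with surrounding whitespace now carries that whitespace into the pattern; either `self.peer = AARE(peer.strip(), False)` or an explicit rejection would keep the stored value consistent with the check. The enclosing __init__ starts and ends outside the hunk.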
@@ -184,7 +183,7 @@
         if self.all_peers:
             peer = ''
         elif self.peer:
-            peer = ' peer=%s' % quote_if_needed(self.peer)  # XXX use AARE
+            peer = ' peer=%s' % quote_if_needed(self.peer.regex)
         else:
             raise AppArmorBug('Empty signal in signal rule')
 
@@ -199,7 +198,7 @@
         if not other_rule.signal and not other_rule.all_signals:
             raise AppArmorBug('No signal specified in other signal rule')
 
-        if not other_rule.peer and not other_rule.all_peers:  # XXX use AARE
+        if not other_rule.peer and not other_rule.all_peers:
             raise AppArmorBug('No peer specified in other signal rule')
 
         if not self.all_accesss:
@@ -217,7 +216,7 @@
         if not self.all_peers:
             if other_rule.all_peers:
                 return False
-            if other_rule.peer != self.peer:  # XXX use AARE
+            if not self.peer.match(other_rule.peer.regex):
                 return False
 
         # still here? -> then it is covered
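Review bot: `if not self.peer.match(other_rule.peer.regex):` hands the other rule's pattern to the matcher as if it were a literal string, so the result is only meaningful when other_rule.peer contains no globbing; with two globbed peers the answer can be wrong in both directions (if `*` is translated to a no-slash wildcard as in AppArmor globbing, the literal text `/foo/**` matches `/foo/*`, so the narrower rule would appear to cover the broader one). Where is_covered is used to deduplicate or clean up profile rules rather than to compare against a literal peer from a log event, a false True would drop the broader rule and narrow the resulting policy. Until AARE offers a pattern-aware comparison, a comment such as `# other_rule.peer is matched as a literal string; pattern-vs-pattern coverage is not computed` would make the limitation visible at the call site. The enclosing is_covered_localvars starts outside the hunk.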
@@ -237,8 +236,10 @@
                 or self.all_signals != rule_obj.all_signals):
             return False
 
-        if (self.peer != rule_obj.peer # XXX switch to AARE
-                or self.all_peers != rule_obj.all_peers):
+        if self.all_peers != rule_obj.all_peers:
+            return False
+
+        if self.peer and (self.peer.regex != rule_obj.peer.regex):
             return False
 
         return True
@@ -257,7 +258,7 @@
         if self.all_peers:
             peer = _('ALL')
         else:
-            peer = self.peer  # XXX use AARE
+            peer = self.peer.regex
 
         return [
             _('Access mode'), access,
=== modified file ./utils/test/test-signal.py
--- utils/test/test-signal.py   2015-10-24 14:45:25.398154744 +0200
+++ utils/test/test-signal.py   2015-10-24 16:28:28.421271222 +0200
@@ -35,7 +35,10 @@
         self.assertEqual(expected.audit, obj.audit)
         self.assertEqual(expected.access, obj.access)
         self.assertEqual(expected.signal, obj.signal)
-        self.assertEqual(expected.peer, obj.peer)
+        if obj.peer:
+            self.assertEqual(expected.peer, obj.peer.regex)
+        else:
+            self.assertEqual(expected.peer, obj.peer)
         self.assertEqual(expected.all_accesss, obj.all_accesss)
         self.assertEqual(expected.all_signals, obj.all_signals)
         self.assertEqual(expected.all_peers, obj.all_peers)
@@ -386,8 +389,8 @@
         ('signal,'                            , [ False   , False         , False     , False     ]),
         ('signal send,'                       , [ False   , False         , False     , False     ]),
         ('signal send peer=/foo/bar,'         , [ True    , True          , True      , True      ]),
-       #('signal send peer=/foo/*,'           , [ False   , False         , True      , True      ]), # XXX
-       #('signal send peer=/**,'              , [ False   , False         , True      , True      ]), # XXX
+        ('signal send peer=/foo/*,'           , [ False   , False         , False     , False     ]),
+        ('signal send peer=/**,'              , [ False   , False         , False     , False     ]),
         ('signal send peer=/what/*,'          , [ False   , False         , False     , False     ]),
         ('signal peer=/foo/bar,'              , [ False   , False         , False     , False     ]),
         ('signal send, # comment'             , [ False   , False         , False     , False     ]),
@@ -413,19 +416,19 @@
         #   rule                                  equal     strict equal    covered     covered exact
         ('signal,'                            , [ False   , False         , False     , False     ]),
         ('signal send,'                       , [ False   , False         , False     , False     ]),
-       #('signal send peer=/foo/bar,'         , [ False   , False         , True      , True      ]),  # XXX several AARE tests
-       #('signal send peer=/foo/*,'           , [ False   , False         , True      , True      ]),
-       #('signal send peer=/**,'              , [ False   , False         , True      , True      ]),
-       #('signal send peer=/what/*,'          , [ False   , False         , True      , True      ]),
+        ('signal send peer=/foo/bar,'         , [ False   , False         , True      , True      ]),
+        ('signal send peer=/foo/*,'           , [ False   , False         , True      , True      ]),
+        ('signal send peer=/**,'              , [ False   , False         , True      , True      ]),
+        ('signal send peer=/what/*,'          , [ False   , False         , True      , True      ]),
         ('signal peer=/foo/bar,'              , [ False   , False         , False     , False     ]),
         ('signal send, # comment'             , [ False   , False         , False     , False     ]),
         ('allow signal send,'                 , [ False   , False         , False     , False     ]),
-       #('allow signal send peer=/foo/bar,'   , [ False   , False         , True      , True      ]),
+        ('allow signal send peer=/foo/bar,'   , [ False   , False         , True      , True      ]),
         ('signal    send,'                    , [ False   , False         , False     , False     ]),
-       #('signal    send peer=/foo/bar,'      , [ False   , False         , True      , True      ]),
-       #('signal    send peer=/what/ever,'    , [ False   , False         , True      , True      ]),
+        ('signal    send peer=/foo/bar,'      , [ False   , False         , True      , True      ]),
+        ('signal    send peer=/what/ever,'    , [ False   , False         , True      , True      ]),
         ('signal send set=quit,'              , [ False   , False         , False     , False     ]),
-       #('signal send set=int peer=/foo/bar,' , [ False   , False         , True      , True      ]),
+        ('signal send set=int peer=/foo/bar,' , [ False   , False         , True      , True      ]),
         ('audit signal send peer=/foo/bar,'   , [ False   , False         , False     , False     ]),
         ('audit signal,'                      , [ False   , False         , False     , False     ]),
         ('signal receive,'                    , [ False   , False         , False     , False     ]),



Regards,

Christian Boltz
-- 
I understand, I am also sure that they would not let me at their code
and internal tools. If they do, I switch disto in a hartbeat, because
that means others with the same level as I have can change stuff.
I don't trust myself. :-)   [houghi in opensuse-wiki]



