[apparmor] [patch] [17/38] Implement globbing in FileRule
Christian Boltz
apparmor at cboltz.de
Fri Aug 12 20:57:08 UTC 2016
Hello,
this patch adds the glob() and glob_ext() functions to FileRule, and sets
self.can_glob and self.can_glob_ext. Also add some tests (just enough to
make sure the FileRule integration works - the globbing is handled
inside AARE, and the AARE tests contain more testcases).
Note that the implementation differs from the original plan (which was
to have globbing in *Ruleset). Therefore add can_glob and can_glob_ext
to BaseRule (both default to False), and add a comment to BaseRuleset
that globbing needs to be removed from all *Ruleset classes.
[ 17-FileRule-implement-globbing.diff ]
=== modified file ./utils/apparmor/rule/file.py
--- utils/apparmor/rule/file.py 2016-03-28 17:32:56.609926116 +0200
+++ utils/apparmor/rule/file.py 2016-03-28 18:52:17.516735648 +0200
@@ -64,6 +64,9 @@
self.path, self.all_paths = self._aare_or_all(path, 'path', True, log_event)
self.target, self.all_targets, = self._aare_or_all(target, 'target', False, log_event)
+ self.can_glob = not self.all_paths
+ self.can_glob_ext = not self.all_paths
+
if type_is_str(perms):
perms, tmp_exec_perms = split_perms(perms, deny)
if tmp_exec_perms:
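Review bot: `can_glob_ext` is assigned the same expression as `can_glob`, so it is True for every rule that has a path, including paths without an extension. The test table added later in this patch expects glob_ext() to leave '/foo/bar r,' unchanged, so the flag does not tell a caller whether glob_ext() will actually change the rule. If that is intended, say so next to the assignment, e.g. `# True whenever the rule has a path; glob()/glob_ext() may still leave the path unchanged`. The enclosing __init__ starts and ends outside this hunk.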
@@ -320,14 +323,27 @@
# file_keyword and leading_perms are not really relevant
]
+ def glob(self):
+ '''Change path to next possible glob'''
+ if self.all_paths:
+ return
+
+ self.path = self.path.glob_path()
+ self.raw_rule = None
+
+ def glob_ext(self):
+ '''Change path to next possible glob with extension'''
+ if self.all_paths:
+ return
+
+ self.path = self.path.glob_path_withext()
+ self.raw_rule = None
+
class FileRuleset(BaseRuleset):
'''Class to handle and store a collection of file rules'''
- def get_glob(self, path_or_rule):
- '''Return the next possible glob. For file rules, that means removing owner or globbing the path'''
- # XXX only remove one part, not all
- return 'file,'
+ pass
def split_perms(perm_string, deny):
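Review bot: The docstrings on glob() and glob_ext() do not say that each call modifies the rule in place and makes it match more paths, nor that both methods return None whether or not the path changed. The test table in this patch shows '/foo/* r,' becoming '/** r,', a single step from one directory to every path, which is worth stating for code that edits confinement profiles. Suggested docstring for glob(): `'''Widen self.path in place to the next broader glob; does nothing for bare file rules (all_paths)'''`, with the matching wording for glob_ext(). A why-comment on `self.raw_rule = None` would also help, e.g. `# drop the stored raw text so it cannot disagree with the widened path` (presumably the reason for the reset; confirm).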
=== modified file ./utils/apparmor/rule/__init__.py
--- utils/apparmor/rule/__init__.py 2016-03-28 17:32:56.601926157 +0200
+++ utils/apparmor/rule/__init__.py 2016-03-28 17:53:05.623627412 +0200
@@ -39,6 +39,10 @@
# is_equal_localvars(self, other_rule)
# - equality check for the rule-specific fields
+ # decides if the (G)lob and Glob w/ (E)xt options are displayed
+ can_glob = False
+ can_glob_ext = False
+
def __init__(self, audit=False, deny=False, allow_keyword=False,
comment='', log_event=None):
'''initialize variables needed by all rule types'''
@@ -291,6 +295,7 @@
'''Base class to handle and store a collection of rules'''
# decides if the (G)lob and Glob w/ (E)xt options are displayed
+ # XXX TODO: remove in all *Ruleset classes (moved to *Rule)
can_glob = True
can_glob_ext = False
=== modified file ./utils/test/test-file.py
--- utils/test/test-file.py 2016-03-28 17:32:56.609926116 +0200
+++ utils/test/test-file.py 2016-03-28 18:39:47.232683951 +0200
@@ -317,7 +317,34 @@
with self.assertRaises(AppArmorBug):
self.obj.get_clean(1)
+class FileGlobTest(AATest):
+ def _run_test(self, params, expected):
+ exp_can_glob, exp_can_glob_ext, exp_rule_glob, exp_rule_glob_ext = expected
+
+ # test glob()
+ rule_obj = FileRule.parse(params)
+ self.assertEqual(exp_can_glob, rule_obj.can_glob)
+ self.assertEqual(exp_can_glob_ext, rule_obj.can_glob_ext)
+
+ rule_obj.glob()
+ self.assertEqual(rule_obj.get_clean(), exp_rule_glob)
+
+ # test glob_ext()
+ rule_obj = FileRule.parse(params)
+ self.assertEqual(exp_can_glob, rule_obj.can_glob)
+ self.assertEqual(exp_can_glob_ext, rule_obj.can_glob_ext)
+ rule_obj.glob_ext()
+ self.assertEqual(rule_obj.get_clean(), exp_rule_glob_ext)
+
+ tests = [
+ # rule can glob can glob_ext globbed rule globbed_ext rule
+ ('/foo/bar r,', (True, True, '/foo/* r,', '/foo/bar r,')),
+ ('/foo/* r,', (True, True, '/** r,', '/foo/* r,')),
+ ('/foo/bar.xy r,', (True, True, '/foo/* r,', '/foo/*.xy r,')),
+ ('/foo/*.xy r,', (True, True, '/foo/* r,', '/**.xy r,')),
+ ('file,', (False, False, 'file,', 'file,')), # bare 'file,' rules can't be globbed
+ ]
class WriteFileTest(AATest):
def _run_test(self, rawrule, expected):
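Review bot: Every row in `tests` is a plain `r` rule, so nothing checks that modifiers such as `owner`, `audit` or `deny` survive the rebuild after glob() resets raw_rule. This matters most for `deny` rules, where widening the path widens what is denied. Consider a row like `('owner /foo/bar r,', (True, True, 'owner /foo/* r,', 'owner /foo/bar r,')),` (expected strings are inferred from the existing rows; confirm against get_clean()). A short comment on the '/foo/* r,' row noting that the jump to '/** r,' is the intended next glob would also help readers.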
@@ -760,24 +787,6 @@
self.assertEqual(expected_clean, ruleset.get_clean(1))
-#class FileGlobTest(AATest):
-# XXX not (really) implemented yet
-# def setUp(self):
-# self.maxDiff = None
-# self.ruleset = FileRuleset()
-#
-# def test_glob_1(self):
-# self.assertEqual(self.ruleset.get_glob('file send,'), 'file,')
-#
-# # not supported or used yet
-# # def test_glob_2(self):
-# # self.assertEqual(self.ruleset.get_glob('file send raw,'), 'file send,')
-#
-# def test_glob_ext(self):
-# with self.assertRaises(NotImplementedError):
-# # get_glob_ext is not available for file rules
-# self.ruleset.get_glob_ext('file send peer=(label=foo),')
-
#class FileDeleteTest(AATest):
# pass
Regards,
Christian Boltz
--
Leider ist hier nicht SuSe Talk [...], denn sonst würde ich hier diese
Trolls, ...... unter einen solchen Psychoterror setzen, dass die die
Alkaida Sprengen hehe..... [Thilo Alfred Bätzig in suse-linux]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160812/754606fb/attachment.pgp>