[apparmor] [patch] [31/38] FileRule: add get_exec_rules_for_path() and get_exec_conflict_rules()
Christian Boltz
apparmor at cboltz.de
Fri Aug 12 21:05:05 UTC 2016
Hello,
get_exec_rules_for_path() returns a FileRuleset with all rules matching
the given path.
get_exec_conflict_rules() returns a FileRuleset with all exec rules that
conflict with the given oldrule. This will be used by aa-mergeprof to
ask the user which of the conflicting rules they want to keep.
Also add tests for both functions.
[ 31-filerule-exec-conflicts.diff ]
=== modified file ./utils/apparmor/rule/file.py
--- utils/apparmor/rule/file.py 2016-07-31 19:12:31.537453276 +0200
+++ utils/apparmor/rule/file.py 2016-08-07 22:41:08.075674775 +0200
@@ -471,6 +471,36 @@
return {'allow': allow, 'deny': deny, 'paths': paths}
+ def get_exec_rules_for_path(self, path, only_exact_matches=True):
+ '''Get all rules matching the given path that contain exec permissions
+ path can be str or AARE'''
+
+ matches = FileRuleset()
+
+ for rule in self.get_rules_for_path(path).rules:
+ if rule.exec_perms:
+ if rule.path.is_equal(path):
+ matches.add(rule)
+ elif not only_exact_matches:
+ matches.add(rule)
+
+ return matches
+
+ def get_exec_conflict_rules(self, oldrule):
+ '''check if one of the exec rules conflict with oldrule. If yes, return the conflicting rules.'''
+
+ conflictingrules = FileRuleset()
+
+ if oldrule.exec_perms:
+ execrules = self.get_exec_rules_for_path(oldrule.path)
+
+ for mergerule in execrules.rules:
+ if mergerule.exec_perms != oldrule.exec_perms or mergerule.target != oldrule.target:
+ conflictingrules.add(mergerule)
+
+ return conflictingrules
+
+
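Review bot: With the default `only_exact_matches=True`, get_exec_conflict_rules() only compares oldrule against rules whose path is_equal() to oldrule.path, so an overlapping glob rule with a different exec mode (the test fixture's `/bin/b* Px,` next to `/bin/bar cx,`) is never reported as a conflict; if the parser rejects such overlapping x modifiers, aa-mergeprof would still write a profile that fails to load, so either pass `only_exact_matches=False` here or document in the docstring that only exact-path conflicts are detected. The conflict check also looks only at exec_perms and target, not at the deny flag or other attributes, which is worth stating in the docstring. In get_exec_rules_for_path() the nested `if`/`elif` that both call `matches.add(rule)` flattens to `if rule.exec_perms and (not only_exact_matches or rule.path.is_equal(path)):`, and its docstring should mention the `only_exact_matches` parameter, e.g. `only_exact_matches: if False, also include rules whose path merely matches (e.g. globs) instead of being equal to path`.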
def split_perms(perm_string, deny):
'''parse permission string
=== modified file ./utils/test/test-file.py
--- utils/test/test-file.py 2016-07-31 19:12:31.537453276 +0200
+++ utils/test/test-file.py 2016-08-07 22:44:39.574679879 +0200
@@ -976,6 +976,77 @@
perms = ruleset.get_perms_for_path(params[0], params[1], params[2])
self. assertEqual(perms, expected)
+class FileGetExecRulesForPath_1(AATest):
+ tests = [
+ ('/bin/foo', ['audit /bin/foo ix,', ''] ),
+ ('/bin/bar', ['deny /bin/bar x,', ''] ),
+ ('/foo', [] ),
+ ]
+
+ def _run_test(self, params, expected):
+ rules = [
+ '/foo r,',
+ 'audit /bin/foo ix,',
+ '/bin/b* Px,',
+ 'deny /bin/bar x,',
+ ]
+
+ ruleset = FileRuleset()
+ for rule in rules:
+ ruleset.add(FileRule.parse(rule))
+
+ perms = ruleset.get_exec_rules_for_path(params)
+ matches = perms.get_clean()
+ self. assertEqual(matches, expected)
+
+class FileGetExecRulesForPath_2(AATest):
+ tests = [
+ ('/bin/foo', ['audit /bin/foo ix,', ''] ),
+ ('/bin/bar', ['deny /bin/bar x,', '', '/bin/b* Px,', ''] ),
+ ('/foo', [] ),
+ ]
+
+ def _run_test(self, params, expected):
+ rules = [
+ '/foo r,',
+ 'audit /bin/foo ix,',
+ '/bin/b* Px,',
+ 'deny /bin/bar x,',
+ ]
+
+ ruleset = FileRuleset()
+ for rule in rules:
+ ruleset.add(FileRule.parse(rule))
+
+ perms = ruleset.get_exec_rules_for_path(params, only_exact_matches=False)
+ matches = perms.get_clean()
+ self. assertEqual(matches, expected)
+
+class FileGetExecConflictRules_1(AATest):
+ tests = [
+ ('/bin/foo ix,', ['/bin/foo Px,', ''] ),
+ ('/bin/bar Px,', ['deny /bin/bar x,', '', '/bin/bar cx,', ''] ),
+ ('/bin/bar cx,', ['deny /bin/bar x,','',] ),
+ ('/bin/foo r,', [] ),
+ ]
+
+ def _run_test(self, params, expected):
+ rules = [
+ '/foo r,',
+ 'audit /bin/foo ix,',
+ '/bin/foo Px,',
+ '/bin/b* Px,',
+ '/bin/bar cx,',
+ 'deny /bin/bar x,',
+ ]
+
+ ruleset = FileRuleset()
+ for rule in rules:
+ ruleset.add(FileRule.parse(rule))
+
+ rule_obj = FileRule.parse(params)
+ conflicts = ruleset.get_exec_conflict_rules(rule_obj)
+ self. assertEqual(conflicts.get_clean(), expected)
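Review bot: The same four-entry rule list (plus two extra rules in the third class) is rebuilt inside each `_run_test`, so a later change to the fixture has to be made in three places; a module-level list or a shared `AASetup`-style helper that builds the FileRuleset once would keep the three classes in sync. get_exec_rules_for_path()'s docstring says path may be an AARE, but every case here passes a str, so a case passing an `AARE` instance (and one where the only matching rule is identical to oldrule, expecting no conflict) would pin the documented contract. The FileGetExecConflictRules_1 fixture contains `/bin/b* Px,` and `/bin/bar cx,`, yet the expected result for `/bin/bar cx,` lists only the deny rule, which silently encodes the exact-match-only behaviour; a one-line comment such as `# glob rules are not reported: default only_exact_matches=True` would make that intent explicit.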
Regards,
Christian Boltz
--
I have to trust my government, even if I don't.
[Carlos E. R. in opensuse-factory]