[apparmor] [patch] [6/9] Use DbusRule and DbusRuleset

Seth Arnold seth.arnold at canonical.com
Fri May 20 23:17:05 UTC 2016


On Sun, Dec 27, 2015 at 04:10:04PM +0100, Christian Boltz wrote:
> Hello,
> 
> this patch changes aa.py to use DbusRule and DbusRuleset in profile_storage,
> parse_profile_data() and write_dbus. This also means we can drop the now
> unused parse_dbus_rule() and write_dbus_rules() functions.
> 
> Raw_DBUS_Rule in rules.py is now also unused and can be dropped.
> 
> 
> Also shorten the list of known-failing tests in
> test-parser-simple-tests.py. Even if the list of removals doesn't look
> too long, the generated_dbus/* removals mean 1989 tests now cause the
> expected failures.
> 
> OTOH, I had to add 4 tests to the known-failing list:
> - 3 tests with a "wrong" order of the conditionals which the parser
>   accepts (which is slightly surprising, because usually we enforce the
>   order of rule parts)
> - one test fails because the path in the path= conditional doesn't start
>   with / or a variable. Instead, it starts with an alternation, which
>   wouldn't be allowed in file rules.
> 
> Those 4 failures need more investigation, but shouldn't block this
> patchset.
> 
> 
> Finally, adjust test-regex_matches.py to import RE_PROFILE_DBUS from
> apparmor.regex instead of apparmor.aa.
> 
> 
> [ 57-use-DbusRule.diff ]

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> 
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-12-26 16:23:33.747458693 +0100
> +++ utils/apparmor/aa.py        2015-12-26 16:21:15.120440317 +0100
> @@ -46,7 +46,7 @@
>                              RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,
>                              RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
>                              RE_PROFILE_CHANGE_HAT,
> -                            RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT,
> +                            RE_PROFILE_HAT_DEF, RE_PROFILE_MOUNT,
>                              RE_PROFILE_PIVOT_ROOT,
>                              RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
>                              strip_quotes, parse_profile_start_line, re_match_include )
> @@ -55,6 +55,7 @@
>  
>  from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
>  from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
> +from apparmor.rule.dbus       import DbusRuleset,       DbusRule
>  from apparmor.rule.network    import NetworkRuleset,    NetworkRule
>  from apparmor.rule.ptrace     import PtraceRuleset,    PtraceRule
>  from apparmor.rule.rlimit     import RlimitRuleset,    RlimitRule
> @@ -464,6 +465,7 @@
>      profile['info'] = {'profile': profilename, 'hat': hat, 'calledby': calledby}
>  
>      profile['capability']       = CapabilityRuleset()
> +    profile['dbus']             = DbusRuleset()
>      profile['change_profile']   = ChangeProfileRuleset()
>      profile['network']          = NetworkRuleset()
>      profile['ptrace']           = PtraceRuleset()
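Review bot: `profile['dbus'] = DbusRuleset()` is inserted between `capability` and `change_profile`, which breaks the alphabetical order the rest of this init block (and the new import line in the hunk above) keeps; move it to sit after `change_profile` so the ruleset list stays easy to scan. The enclosing `profile_storage` function starts before this hunk and continues past it.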
> @@ -471,7 +473,6 @@
>      profile['signal']           = SignalRuleset()
>  
>      profile['allow']['path'] = hasher()
> -    profile['allow']['dbus'] = list()
>      profile['allow']['mount'] = list()
>      profile['allow']['pivot_root'] = list()
>  
> @@ -2908,28 +2909,11 @@
>  
>              profile_data[profile][hat]['network'].add(NetworkRule.parse(line))
>  
> -        elif RE_PROFILE_DBUS.search(line):
> -            matches = RE_PROFILE_DBUS.search(line).groups()
> -
> +        elif DbusRule.match(line):
>              if not profile:
>                  raise AppArmorException(_('Syntax Error: Unexpected dbus entry found in file: %(file)s line: %(line)s') % {'file': file, 'line': lineno + 1 })
>  
> -            audit = False
> -            if matches[0]:
> -                audit = True
> -            allow = 'allow'
> -            if matches[1] and matches[1].strip() == 'deny':
> -                allow = 'deny'
> -            dbus = matches[2]
> -
> -            #parse_dbus_rule(profile_data[profile], dbus, audit, allow)
> -            dbus_rule = parse_dbus_rule(dbus)
> -            dbus_rule.audit = audit
> -            dbus_rule.deny = (allow == 'deny')
> -
> -            dbus_rules = profile_data[profile][hat][allow].get('dbus', list())
> -            dbus_rules.append(dbus_rule)
> -            profile_data[profile][hat][allow]['dbus'] = dbus_rules
> +            profile_data[profile][hat]['dbus'].add(DbusRule.parse(line))
>  
>          elif RE_PROFILE_MOUNT.search(line):
>              matches = RE_PROFILE_MOUNT.search(line).groups()
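Review bot: On the new `elif DbusRule.match(line):` branch, a dbus line that the kernel parser accepts but `DbusRule.match()` rejects (the cover letter lists three such conditional orderings) now falls through to the later `elif` branches instead of being reported as a dbus problem, and an invalid rule that does match is rejected by `DbusRule.parse(line)` with whatever message that raises, without the file/line context the `Syntax Error` raised two lines above carries. This mirrors the existing `NetworkRule.parse(line)` branch, so it is consistent, but consider catching `AppArmorException` around the parse and re-raising with `file` and `lineno + 1` appended so a malformed rule in a large policy set can be located. Note also that `deny` dbus rules used to land in `profile_data[profile][hat]['deny']['dbus']` and now share one `DbusRuleset` with the allow rules, so any code outside this diff that still reads the per-allow/deny lists would need updating. `parse_profile_data` starts and ends outside this hunk.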
> @@ -3092,18 +3076,6 @@
>  # RE_DBUS_ENTRY = re.compile('^dbus\s*()?,\s*$')
>  #   use stuff like '(?P<action>(send|write|w|receive|read|r|rw))'
>  
> -def parse_dbus_rule(line):
> -    # XXX Do real parsing here
> -    return aarules.Raw_DBUS_Rule(line)
> -
> -    #matches = RE_DBUS_ENTRY.search(line).groups()
> -    #if len(matches) == 1:
> -        # XXX warn?
> -        # matched nothing
> -    #    print('no matches')
> -    #    return aarules.DBUS_Rule()
> -    #print(line)
> -
>  def parse_mount_rule(line):
>      # XXX Do real parsing here
>      return aarules.Raw_Mount_Rule(line)
> @@ -3276,22 +3248,10 @@
>          data = prof_data['network'].get_clean(depth)
>      return data
>  
> -def write_dbus_rules(prof_data, depth, allow):
> -    pre = '  ' * depth
> -    data = []
> -
> -    # no dbus rules, so return
> -    if not prof_data[allow].get('dbus', False):
> -        return data
> -
> -    for dbus_rule in prof_data[allow]['dbus']:
> -        data.append('%s%s' % (pre, dbus_rule.serialize()))
> -    data.append('')
> -    return data
> -
>  def write_dbus(prof_data, depth):
> -    data = write_dbus_rules(prof_data, depth, 'deny')
> -    data += write_dbus_rules(prof_data, depth, 'allow')
> +    data = []
> +    if prof_data.get('dbus', False):
> +        data = prof_data['dbus'].get_clean(depth)
>      return data
>  
>  def write_mount_rules(prof_data, depth, allow):
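Review bot: `write_dbus` drops the explicit deny-before-allow emission order of the removed `write_dbus_rules` calls and now emits whatever order `DbusRuleset.get_clean(depth)` produces; since AppArmor deny rules take precedence regardless of their position this is semantically harmless, but confirm `get_clean` orders deterministically so rewritten profiles diff cleanly. The `prof_data.get('dbus', False)` guard only covers a missing key (a ruleset object is presumably truthy even when empty, unless it defines `__bool__`/`__len__`), which matches `write_network` above and is fine. A one-line docstring would help, e.g. `"""Return the dbus rules of prof_data as indented profile lines (empty list if none)."""`.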
> === modified file ./utils/apparmor/rules.py
> --- utils/apparmor/rules.py     2015-12-26 16:23:33.747458693 +0100
> +++ utils/apparmor/rules.py     2015-12-26 15:11:59.149032447 +0100
> @@ -29,9 +29,6 @@
>          print('%sraw rule = %s' % (tabs, self.rule))
>  
>  
> -class Raw_DBUS_Rule(_Raw_Rule):
> -    pass
> -
>  class Raw_Mount_Rule(_Raw_Rule):
>      pass
>  
> === modified file ./utils/test/test-parser-simple-tests.py
> --- utils/test/test-parser-simple-tests.py      2015-12-26 16:23:33.751458665 +0100
> +++ utils/test/test-parser-simple-tests.py      2015-12-26 14:26:30.415290388 +0100
> @@ -25,15 +25,6 @@
>  
>  # XXX tests listed here will be *** SKIPPED *** XXX
>  skip_startswith = (
> -    # lots of invalid dbus rules (the tools currently just store them without any parsing)
> -    'generated_dbus/bad-perms-',
> -    'generated_dbus/bad-formatting-',
> -    'generated_dbus/duplicated-conditionals-',
> -    'generated_dbus/eavesdrop-incompat-',
> -    'generated_dbus/message-incompat-',
> -    'generated_dbus/pairing-unsupported-',
> -    'generated_dbus/service-incompat-',
> -
>      # the tools don't check for conflicting x permissions (yet?)
>      'generated_x/conflict-',
>      'generated_x/ambiguous-',
> @@ -56,14 +47,6 @@
>      'capability/bad_3.sd',
>      'capability/bad_4.sd',
>      'change_hat/bad_parsing.sd',
> -    'dbus/bad_bind_1.sd',
> -    'dbus/bad_bind_2.sd',
> -    'dbus/bad_eavesdrop_1.sd',
> -    'dbus/bad_modifier_1.sd',
> -    'dbus/bad_modifier_2.sd',
> -    'dbus/bad_modifier_3.sd',
> -    'dbus/bad_modifier_4.sd',
> -    'dbus/bad_peer_1.sd',
>      'dbus/bad_regex_01.sd',
>      'dbus/bad_regex_02.sd',
>      'dbus/bad_regex_03.sd',
> @@ -173,8 +156,6 @@
>      'vars/vars_dbus_bad_01.sd',
>      'vars/vars_dbus_bad_02.sd',
>      'vars/vars_dbus_bad_03.sd',
> -    'vars/vars_dbus_bad_04.sd',
> -    'vars/vars_dbus_bad_05.sd',
>      'vars/vars_dbus_bad_06.sd',
>      'vars/vars_dbus_bad_07.sd',
>      'vars/vars_file_evaluation_7.sd',
> @@ -289,7 +270,13 @@
>      'xtrans/simple_ok_pix_1.sd',  # Invalid mode pIx
>      'xtrans/simple_ok_pux_1.sd',  # Invalid mode rPux
>  
> +    # dbus regex mismatch
> +    'vars/vars_dbus_4.sd',
> +    'vars/vars_dbus_9.sd',
> +    'vars/vars_dbus_2.sd',
> +
>      # misc
> +    'vars/vars_dbus_8.sd',  # Path doesn't start with / or variable: {/@{TLDS}/foo,/com/@{DOMAINS}}
>      'vars/vars_simple_assignment_12.sd',  # Redefining existing variable @{BAR} ('\' not handled)
>      'rewrite/alias_good_5.sd',  # Values added to a non-existing variable @{FOO} (defined in include, lp:1331856)
>      'bare_include_tests/ok_2.sd',  # two #include<...> in one line
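Review bot: The new `# dbus regex mismatch` comment on the three `vars/vars_dbus_*.sd` entries says what fails but not why; the cover letter explains that the parser accepts these conditionals in a non-standard order while the tools' `DbusRule` regex enforces the usual part order, so record that here, e.g. `# conditionals in non-canonical order: accepted by the parser, rejected by DbusRule's regex (needs investigation)`. The entries are also listed as 4, 9, 2 — sort them like the rest of the list. Keeping parser-accepted rules on the known-failing list means the utils cannot handle profiles that contain them, so a bug reference once one exists would be worth adding next to the comment.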
> === modified file ./utils/test/test-regex_matches.py
> --- utils/test/test-regex_matches.py    2015-12-26 16:23:33.751458665 +0100
> +++ utils/test/test-regex_matches.py    2015-12-26 14:28:33.910453604 +0100
> @@ -14,7 +14,8 @@
>  from common_test import AATest, setup_all_loops
>  from apparmor.common import AppArmorBug, AppArmorException
>  
> -from apparmor.regex import strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include, RE_PROFILE_START, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL
> +from apparmor.regex import ( strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include,
> +     RE_PROFILE_START, RE_PROFILE_DBUS, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL )
>  
>  
>  class AARegexTest(AATest):
> @@ -256,7 +257,7 @@
>      '''Tests for RE_PROFILE_DBUS'''
>  
>      def AASetup(self):
> -        self.regex = aa.RE_PROFILE_DBUS
> +        self.regex = RE_PROFILE_DBUS
>  
>      tests = [
>          ('   dbus,',                                    (None,      None,   'dbus,',                            None,                       None)),
> 
> 

