mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-28 12:58:07 +00:00
Code Issues Releases Wiki Activity

MountRule: Add support for empty ("") source

Browse Source 
This needs adding of an empty_ok flag in _aare_or_all().

Also add a few tests from boo#1226031 to utils and parser tests.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1226031
This commit is contained in:
Christian Boltz 2024-06-09 23:03:13 +02:00
parent 900f233101
commit 1f33fc9b29
No known key found for this signature in database
GPG Key ID: C6A682EA63C82F1C
4 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
parser/tst/simple_tests/mount/ok_quoted_1.sd Normal file
View File

@ -0,0 +1,9 @@
#
#=Description basic mount rules with quoted paths
#=EXRESULT PASS
#
/usr/bin/foo {
mount "" -> "/",
mount "" -> "/tmp/",
umount "/",
}

4
utils/apparmor/rule/__init__.py
View File

@ -51,7 +51,7 @@ class BaseRule(metaclass=ABCMeta):
# Set only in the parse() class method # Set only in the parse() class method
self.raw_rule = None self.raw_rule = None
def _aare_or_all(self, rulepart, partname, is_path, log_event): def _aare_or_all(self, rulepart, partname, is_path, log_event, empty_ok=False):
"""checks rulepart and returns """checks rulepart and returns
- (AARE, False) if rulepart is a (non-empty) string - (AARE, False) if rulepart is a (non-empty) string
- (None, True) if rulepart is all_obj (typically *Rule.ALL) - (None, True) if rulepart is all_obj (typically *Rule.ALL)
@ -67,7 +67,7 @@ class BaseRule(metaclass=ABCMeta):
if rulepart == self.ALL: if rulepart == self.ALL:
return None, True return None, True
elif isinstance(rulepart, str): elif isinstance(rulepart, str):
if not rulepart.strip(): if not rulepart.strip() and not empty_ok:
raise AppArmorBug( raise AppArmorBug(
'Passed empty %(partname)s to %(classname)s: %(rulepart)s' 'Passed empty %(partname)s to %(classname)s: %(rulepart)s'
% {'partname': partname, 'classname': self.__class__.__name__, 'rulepart': str(rulepart)}) % {'partname': partname, 'classname': self.__class__.__name__, 'rulepart': str(rulepart)})

4
utils/apparmor/rule/mount.py
View File

@ -66,7 +66,7 @@ mount_condition_pattern = rf'({fs_type_pattern})?\s*({option_pattern})?'
# - A path : /foo # - A path : /foo
# - A globbed Path : ** # - A globbed Path : **
glob_pattern = r'(\s*(?P<%s>(([/{]|\*\*)\S*|"([/{]|\*\*)[^"]*"|@{\S+}\S*|"@{\S+}[^"]*")|\w+))' glob_pattern = r'(\s*(?P<%s>(([/{]|\*\*)\S*|"([/{]|\*\*)[^"]*"|@{\S+}\S*|"@{\S+}[^"]*"|"")|\w+))'
source_fileglob_pattern = glob_pattern % 'source_file' source_fileglob_pattern = glob_pattern % 'source_file'
dest_fileglob_pattern = glob_pattern % 'dest_file' dest_fileglob_pattern = glob_pattern % 'dest_file'
@ -114,7 +114,7 @@ class MountRule(BaseRule):
raise AppArmorException(_('Passed unknown options keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items))) raise AppArmorException(_('Passed unknown options keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items)))
self.is_options_equal = options[0] if not self.all_options else None self.is_options_equal = options[0] if not self.all_options else None
self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event) self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event, empty_ok=True)
self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event) self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event)
if not self.all_fstype and self.is_fstype_equal not in ('=', 'in'): if not self.all_fstype and self.is_fstype_equal not in ('=', 'in'):

2
utils/test/test-mount.py
View File

@ -55,6 +55,8 @@ class MountTestParse(AATest):
MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/', # noqa: E127 MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/', # noqa: E127
'/tmp/snap.rootfs_*{,/usr}/lib/modules/', # noqa: E127 '/tmp/snap.rootfs_*{,/usr}/lib/modules/', # noqa: E127
False, False, False, '')), # noqa: E127 False, False, False, '')), # noqa: E127
('mount options=(runbindable, rw) -> /,', MountRule('mount', MountRule.ALL, ('=', ['runbindable', 'rw']), MountRule.ALL, '/', False, False, False, '')),
('mount "" -> /,', MountRule('mount', MountRule.ALL, MountRule.ALL, '', '/', False, False, False, '')),
('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')), ('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')),
('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')), ('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')),
('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '')), ('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '')),