mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

utils: Fix priority checking for is_covered

Browse Source 
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true

Fix the logic of is_covered and associated tests.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
This commit is contained in:
Maxime Bélair 2025-07-17 10:39:59 +02:00
parent 630fd1c285
commit 380dbb84b8
5 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
utils/apparmor/rule/__init__.py
View File

@ -194,7 +194,7 @@ class BaseRule(metaclass=ABCMeta):
if other_rule.audit and not self.audit:
return False
if check_priority and (self.priority or 0) > (other_rule.priority or 0):
if check_priority and (self.priority or 0) < (other_rule.priority or 0):
return False
# still here? -> then the common part is covered, check rule-specific things now

19
utils/test/test-aa.py
View File

@ -16,7 +16,7 @@ import unittest
import apparmor.aa # needed to set global vars in some tests
from apparmor.aa import (
change_profile_flags, check_for_apparmor, create_new_profile, get_file_perms, get_interpreter_and_abstraction, get_profile_flags,
merged_to_split, parse_profile_data, propose_file_rules, set_options_audit_mode, set_options_owner_mode)
merged_to_split, parse_profile_data, propose_file_rules, set_options_audit_mode, set_options_owner_mode, is_known_rule)
from apparmor.aare import AARE
from apparmor.common import AppArmorBug, AppArmorException, is_skippable_file
from apparmor.rule.file import FileRule
@ -761,6 +761,23 @@ class AaTest_merged_to_split(AATest):
self.assertTrue(result[profile][hat])
class AaTest_is_known_rule(AATest):
tests = (
(FileRule.create_instance("priority=-1 audit deny /foo r,"), True),
(FileRule.create_instance("priority=1 audit deny /foo r,"), False)
)
def _run_test(self, params, expected):
d = '/foo xattrs=(user.bar=bar) flags=(complain) {\n}\n'
fr = FileRule.create_instance("audit deny /foo r,")
prof = parse_profile_data(d.split(), 'somefile', False, False)
prof['/foo']['file'].add(fr)
self.assertEqual(is_known_rule(prof['/foo'], 'file', params), expected)
self.assertEqual(prof['/foo']['file'].is_covered(params), expected)
setup_aa(apparmor.aa)
setup_all_loops(__name__)
if __name__ == '__main__':

4
utils/test/test-dbus.py
View File

@ -733,8 +733,8 @@ class DbusCoveredTest_Priority(DbusCoveredTest):
tests = (
# rule equal strict equal covered covered exact
('priority=-1 dbus send,', (False, False, False, False)),
('priority=1 dbus send,', (False, False, True, True)),
('priority=1 dbus send,', (False, False, False, False)),
('priority=-1 dbus send,', (False, False, True, True)),
('priority=0 dbus send,', (True, False, True, True)),
)

4
utils/test/test-io_uring.py
View File

@ -182,8 +182,8 @@ class IOUringIsCoveredTest(AATest):
def test_is_covered_priority(self):
obj = IOUringRule(IOUringRule.ALL, 'ba*', priority=0)
prio_obj = IOUringRule(IOUringRule.ALL, 'ba*', priority=1)
self.assertTrue(obj.is_covered(prio_obj))
self.assertFalse(prio_obj.is_covered(obj))
self.assertFalse(obj.is_covered(prio_obj))
self.assertTrue(prio_obj.is_covered(obj))
def test_is_covered_priority_2(self):
obj = IOUringRule(IOUringRule.ALL, 'ba*')

4
utils/test/test-unix.py
View File

@ -147,8 +147,8 @@ class UnixIsCoveredTest(AATest):
obj = UnixRule(('accept', 'rw'), {'type': 'F*', 'protocol': 'AA'}, {'addr': 'AA'}, {'addr': 'AA', 'label': 'bb'}, priority=0)
prio_obj = UnixRule(('accept', 'rw'), {'type': 'F*', 'protocol': 'AA'}, {'addr': 'AA'}, {'addr': 'AA', 'label': 'bb'}, priority=1)
self.assertTrue(obj.is_covered(prio_obj))
self.assertFalse(prio_obj.is_covered(obj))
self.assertFalse(obj.is_covered(prio_obj))
self.assertTrue(prio_obj.is_covered(obj))
class UnixLogprofHeaderTest(AATest):