VariableRuleset: Prevent re-defining variables

When adding a variable with a name that is already known to the VariableRuleset, raise an exception. Also add a test for this.
2025-08-31 06:16:03 +00:00 · 2020-05-21 23:00:47 +02:00
parent 39eb1939ba
commit 61db5595aa
2 changed files with 19 additions and 1 deletions
--- a/utils/apparmor/rule/variable.py
+++ b/utils/apparmor/rule/variable.py
@@ -137,7 +137,19 @@ class VariableRule(BaseRule):

 class VariableRuleset(BaseRuleset):
    '''Class to handle and store a collection of variable rules'''
-    pass
+
+    def add(self, rule, cleanup=False):
+        ''' Add variable rule object
+
+            If the variable name is already known, raise an exception because re-defining a variable isn't allowed.
+        '''
+
+        if rule.mode == '=':
+            for knownrule in self.rules:
+                if rule.varname == knownrule.varname:
+                    raise AppArmorException(_('Redefining existing variable %(variable)s: %(value)s') % { 'variable': rule.varname, 'value': rule.values })
+
+        super(VariableRuleset, self).add(rule, cleanup)

 def separate_vars(vs):
    """Returns a list of all the values for a variable"""
--- a/utils/test/test-variable.py
+++ b/utils/test/test-variable.py
@@ -354,6 +354,12 @@ class VariableRulesTest(AATest):
        self.assertEqual(expected_clean, ruleset.get_clean())
        self.assertEqual(expected_clean_unsorted, ruleset.get_clean_unsorted())

+    def test_ruleset_overwrite(self):
+        ruleset = VariableRuleset()
+
+        ruleset.add(VariableRule.parse('@{foo} = /bar'))
+        with self.assertRaises(AppArmorException):
+            ruleset.add(VariableRule.parse('@{foo} = /asdf'))  # attempt to redefine @{foo}

 class VariableGlobTestAATest(AATest):
    def setUp(self):