Merge branch 'cboltz-file-w-covered-by-a' into 'master'

FileRule: detect that 'a' is covered by 'w' See merge request apparmor/apparmor!23 Acked-by: John Johansen <john.johansen@canonical.com>
2025-08-31 06:16:03 +00:00 · 2017-12-12 22:40:49 +00:00
parent a5e5185e15 a0d4e246ab
commit 6483c627d2
2 changed files with 36 additions and 2 deletions
--- a/utils/apparmor/rule/file.py
+++ b/utils/apparmor/rule/file.py
@@ -241,9 +241,9 @@ class FileRule(BaseRule):
        if not self._is_covered_aare(self.path,         self.all_paths,         other_rule.path,        other_rule.all_paths,           'path'):
            return False

-        # TODO: check 'a' vs. 'w'
        # perms can be empty if only exec_perms are specified, therefore disable the sanity check in _is_covered_list()...
-        if not self._is_covered_list(self.perms,        self.all_perms,         other_rule.perms,       other_rule.all_perms,           'perms', sanity_check=False):
+        # 'w' covers 'a', therefore use perms_with_a() to temporarily add 'a' if 'w' is present
+        if not self._is_covered_list(perms_with_a(self.perms), self.all_perms,  perms_with_a(other_rule.perms), other_rule.all_perms,   'perms', sanity_check=False):
            return False

        # ... and do our own sanity check
@@ -533,3 +533,15 @@ def split_perms(perm_string, deny):
            raise AppArmorException(_('permission contains unknown character(s) %s' % perm_string))

    return perms, exec_mode
+
+def perms_with_a(perms):
+    '''if perms includes 'w', add 'a' perms
+       - perms: the original permissions
+    '''
+    perms_with_a = set()
+    if perms:
+        perms_with_a = set(perms)
+        if 'w' in perms_with_a:
+            perms_with_a.add('a')
+
+    return perms_with_a
--- a/utils/test/test-file.py
+++ b/utils/test/test-file.py
@@ -585,6 +585,28 @@ class FileCoveredTest_05(FileCoveredTest):
        ('/foo mrwPx -> bar,'                           , [ False   , False         , False     , False     ]),
    ]

+class FileCoveredTest_06(FileCoveredTest):
+    rule = 'deny /foo w,'
+
+    tests = [
+        #   rule                                            equal     strict equal    covered     covered exact
+        ('/foo w,'                                      , [ False   , False         , False     , False     ]),
+        ('/foo a,'                                      , [ False   , False         , False     , False     ]),
+        ('deny /foo w,'                                 , [ True    , True          , True      , True      ]),
+        ('deny /foo a,'                                 , [ False   , False         , True      , True      ]),
+    ]
+
+class FileCoveredTest_07(FileCoveredTest):
+    rule = '/foo w,'
+
+    tests = [
+        #   rule                                            equal     strict equal    covered     covered exact
+        ('/foo w,'                                      , [ True    , True          , True      , True      ]),
+        ('/foo a,'                                      , [ False   , False         , True      , True      ]),
+        ('deny /foo w,'                                 , [ False   , False         , False     , False     ]),
+        ('deny /foo a,'                                 , [ False   , False         , False     , False     ]),
+    ]
+
 class FileCoveredTest_ManualOrInvalid(AATest):
    def AASetup(self):
        #FileRule#                 path,           perms,  exec_perms, target,         owner,  file_keyword,   leading_perms