mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 07:15:18 +00:00
Code Issues Releases Wiki Activity

Merge branch 'cboltz-file-w-covered-by-a' into 'master'

Browse Source 
FileRule: detect that 'a' is covered by 'w'

See merge request apparmor/apparmor!23

Acked-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2017-12-12 22:40:49 +00:00
parent a5e5185e15 a0d4e246ab
commit 6483c627d2
2 changed files with 36 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
utils/apparmor/rule/file.py
View File

@@ -241,9 +241,9 @@ class FileRule(BaseRule):
if not self._is_covered_aare(self.path, self.all_paths, other_rule.path, other_rule.all_paths, 'path'): if not self._is_covered_aare(self.path, self.all_paths, other_rule.path, other_rule.all_paths, 'path'):
return False return False
# TODO: check 'a' vs. 'w'
# perms can be empty if only exec_perms are specified, therefore disable the sanity check in _is_covered_list()... # perms can be empty if only exec_perms are specified, therefore disable the sanity check in _is_covered_list()...
if not self._is_covered_list(self.perms, self.all_perms, other_rule.perms, other_rule.all_perms, 'perms', sanity_check=False): # 'w' covers 'a', therefore use perms_with_a() to temporarily add 'a' if 'w' is present
if not self._is_covered_list(perms_with_a(self.perms), self.all_perms, perms_with_a(other_rule.perms), other_rule.all_perms, 'perms', sanity_check=False):
return False return False
# ... and do our own sanity check # ... and do our own sanity check
@@ -533,3 +533,15 @@ def split_perms(perm_string, deny):
raise AppArmorException(_('permission contains unknown character(s) %s' % perm_string)) raise AppArmorException(_('permission contains unknown character(s) %s' % perm_string))
return perms, exec_mode return perms, exec_mode
def perms_with_a(perms):
'''if perms includes 'w', add 'a' perms
- perms: the original permissions
'''
perms_with_a = set()
if perms:
perms_with_a = set(perms)
if 'w' in perms_with_a:
perms_with_a.add('a')
return perms_with_a

22
utils/test/test-file.py
View File

@@ -585,6 +585,28 @@ class FileCoveredTest_05(FileCoveredTest):
('/foo mrwPx -> bar,' , [ False , False , False , False ]), ('/foo mrwPx -> bar,' , [ False , False , False , False ]),
] ]
class FileCoveredTest_06(FileCoveredTest):
rule = 'deny /foo w,'
tests = [
# rule equal strict equal covered covered exact
('/foo w,' , [ False , False , False , False ]),
('/foo a,' , [ False , False , False , False ]),
('deny /foo w,' , [ True , True , True , True ]),
('deny /foo a,' , [ False , False , True , True ]),
]
class FileCoveredTest_07(FileCoveredTest):
rule = '/foo w,'
tests = [
# rule equal strict equal covered covered exact
('/foo w,' , [ True , True , True , True ]),
('/foo a,' , [ False , False , True , True ]),
('deny /foo w,' , [ False , False , False , False ]),
('deny /foo a,' , [ False , False , False , False ]),
]
class FileCoveredTest_ManualOrInvalid(AATest): class FileCoveredTest_ManualOrInvalid(AATest):
def AASetup(self): def AASetup(self):
#FileRule# path, perms, exec_perms, target, owner, file_keyword, leading_perms #FileRule# path, perms, exec_perms, target, owner, file_keyword, leading_perms