Raise an exception if sub_str_to_mode() is called with invalid mode

string or if a mode_char is not in MODE_HASH.

Also update the testcase for "asdf42" (which raises AppArmorBug now)
and add a test that simulates MODE_HASH and MODE_MAP_SET getting out
of sync (tests the second part of the if condition).


Acked-by: Steve Beattie <steve@nxnw.org>

utils/apparmor/aamode.py

@@ -90,10 +90,10 @@ def sub_str_to_mode(string):
     mode = set()
 
     for mode_char in string:
-        if mode_char not in MODE_MAP_SET:
-            break
-        if MODE_HASH.get(mode_char, False):
+        if mode_char in MODE_MAP_SET and MODE_HASH.get(mode_char, False):
             mode |= MODE_HASH[mode_char]
+        else:
+            raise AppArmorBug("Mode string '%s' contains invalid char '%s'" % (string, mode_char))
 
     return mode
 

utils/test/test-aamode.py

@@ -46,11 +46,22 @@ class AamodeTest_sub_str_to_mode(unittest.TestCase):
         self.assertEqual(sub_str_to_mode('cix'), {'i', 'x', 'C', 'execunsafe'})
     def test_sub_str_to_mode_7(self):
         self.assertEqual(sub_str_to_mode('rwlk'), {'k', 'r', 'l', 'w'})
-    def test_sub_str_to_mode_8(self):
-        self.assertEqual(sub_str_to_mode('asdf42'), {'a'})
     def test_sub_str_to_mode_dupes(self):
         self.assertEqual(sub_str_to_mode('rwrwrw'), {'r', 'w'})
 
+    def test_sub_str_to_mode_invalid_1(self):
+        with self.assertRaises(AppArmorBug):
+            sub_str_to_mode('asdf42')
+
+    def test_sub_str_to_mode_invalid_2(self):
+        import apparmor.aamode
+        apparmor.aamode.MODE_HASH = {'x': 'foo'}  # simulate MODE_HASH and MODE_MAP_SET getting out of sync
+
+        with self.assertRaises(AppArmorBug):
+            sub_str_to_mode('r')
+
+
+
 class AamodeTest_validate_log_mode(unittest.TestCase):
     def test_validate_log_mode_1(self):
         self.assertTrue(validate_log_mode('a'))