mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00

utils: fix unix qualifier clean rule generation

When a unix rule contains qualifiers, the wrong clean rule is generated:
the qualifiers are emitted after the rule name instead of before it.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/511
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Georgia Garcia 2025-04-17 20:28:29 -03:00
parent cda9153772
commit 8c84b36b32
2 changed files with 6 additions and 1 deletions


@ -133,7 +133,7 @@ class UnixRule(BaseRule):
rule_conds = print_dict_values(self.rule_conds, self.ALL)
local_expr = print_dict_values(self.local_expr, self.ALL)
peer_expr = print_dict_values(self.peer_expr, self.ALL, 'peer')
return f'{space}unix{self.modifiers_str()}{accesses}{rule_conds}{local_expr}{peer_expr},{self.comment}'
return f'{space}{self.modifiers_str()}unix{accesses}{rule_conds}{local_expr}{peer_expr},{self.comment}'
def _is_covered_localvars(self, other_rule):
if not self._is_covered_list(self.accesses, self.all_accesses, other_rule.accesses, other_rule.all_accesses, 'accesses'):
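Review bot: The corrected return line silently relies on `modifiers_str()` ending with a space when it is non-empty, and on `accesses`, `rule_conds`, `local_expr` and `peer_expr` each carrying their own leading space, but nothing on the line records that. A short comment above the return would make the required order explicit, for example `# qualifiers (audit/allow/deny) go before the 'unix' keyword; modifiers_str() ends with a space when non-empty`. The spacing behaviour is inferred from the expected strings in the accompanying test cases, since `modifiers_str()` is not shown and the enclosing method starts above the hunk. The order is more than cosmetic: a cleaned profile whose `deny` or `audit` qualifier is misplaced may fail to parse when written back, so it is worth guarding against a regression.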


@ -166,6 +166,11 @@ class UnixTestGlob(AATest):
class UnixTestClean(AATest):
tests = (
(' audit unix , # foo ', 'audit unix, # foo'),
(' audit deny unix label = foo , ', 'audit deny unix label=foo,'),
(' audit allow unix peer = (addr = a) , # foo ', 'audit allow unix peer=(addr=a), # foo'),
(' deny unix type = foo , ', 'deny unix type=foo,'),
(' allow unix peer = (label=bb) , # foo ', 'allow unix peer=(label=bb), # foo'),
(' unix , # foo ', 'unix, # foo'),
(' unix addr = foo , ', 'unix addr=foo,'),
(' unix ( accept , rw) protocol = AA type = BB opt = myopt label = bb peer = (addr = a label = bb ) , ', 'unix (accept, rw) type=BB protocol=AA label=bb opt=myopt peer=(addr=a label=bb),'),
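Review bot: The five new cases in `UnixTestClean.tests` pair a qualifier with either a bare `unix` or a single condition, so no case exercises a qualifier together with an access list. The one full-form case (access list, conditions and peer expression) remains unqualified. Consider adding one combined case, for example `(' audit deny unix ( accept , rw) type = BB peer = (addr = a) , ', 'audit deny unix (accept, rw) type=BB peer=(addr=a),'),`, with the expected string following the ordering of the existing full-form case. These tests also compare against literal strings only; if the harness allows it, additionally asserting that each cleaned rule parses back into an equal rule would catch any output the parser rejects, which is the failure this commit fixes.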