
CapabilityRule: Validate given caps against cap list

... and error out if an unknown capability is given.

This also means recognizing bad capabilities in the parser simple_tests
now works (so remove these from the exception_not_raised list), and that
we can no longer hand over an unknown capability in test-capability.py
to test their severity.
This commit is contained in:
Christian Boltz
2023-10-29 21:31:43 +01:00
parent 5c34655f4a
commit 942202da17
3 changed files with 10 additions and 10 deletions


@@ -15,7 +15,7 @@
import re import re
from apparmor.common import AppArmorBug from apparmor.common import AppArmorBug, AppArmorException
from apparmor.regex import RE_PROFILE_CAP from apparmor.regex import RE_PROFILE_CAP
from apparmor.rule import BaseRule, BaseRuleset, logprof_value_or_all, parse_modifiers from apparmor.rule import BaseRule, BaseRuleset, logprof_value_or_all, parse_modifiers
from apparmor.translations import init_translation from apparmor.translations import init_translation
@@ -58,8 +58,17 @@ class CapabilityRule(BaseRule):
self.capability = set() self.capability = set()
else: else:
if isinstance(cap_list, str): if isinstance(cap_list, str):
if not cap_list.strip():
raise AppArmorBug('Passed empty/whitespace-only capability to %s: %s' % (type(self).__name__, cap_list))
if cap_list not in capability_keywords:
raise AppArmorException('Passed unknown capability to %s: %s' % (type(self).__name__, cap_list))
self.capability = {cap_list} self.capability = {cap_list}
elif isinstance(cap_list, list) and cap_list: elif isinstance(cap_list, list) and cap_list:
for cap in cap_list:
if not cap.strip():
raise AppArmorBug('Passed empty/whitespace-only capability to %s: %s' % (type(self).__name__, cap))
if cap not in capability_keywords:
raise AppArmorException('Passed unknown capability to %s: %s' % (type(self).__name__, cap))
self.capability = set(cap_list) self.capability = set(cap_list)
else: else:
raise AppArmorBug('Passed unknown object to %s: %s' % (type(self).__name__, str(cap_list))) raise AppArmorBug('Passed unknown object to %s: %s' % (type(self).__name__, str(cap_list)))
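Review bot: The str branch and the list branch in the second hunk now carry the same two checks (whitespace-only -> AppArmorBug, not in capability_keywords -> AppArmorException), so any later change to one branch is easy to miss in the other. Normalising the input to a list first and validating in a single loop keeps the same exceptions, the same messages and the same resulting self.capability; it also gives one place to guard against a non-str list element, which today fails on `.strip()` with an AttributeError instead of the AppArmorBug the other malformed inputs produce. `capability_keywords` is not defined in the hunk, so the membership check relies on a name brought into scope elsewhere in the module. The enclosing `__init__` starts and ends outside the hunk.
```python
            else:
                if isinstance(cap_list, str):
                    caps = [cap_list]
                elif isinstance(cap_list, list) and cap_list:
                    caps = cap_list
                else:
                    raise AppArmorBug('Passed unknown object to %s: %s' % (type(self).__name__, str(cap_list)))
                for cap in caps:
                    if not isinstance(cap, str):
                        raise AppArmorBug('Passed unknown object to %s: %s' % (type(self).__name__, str(cap)))
                    if not cap.strip():
                        raise AppArmorBug('Passed empty/whitespace-only capability to %s: %s' % (type(self).__name__, cap))
                    if cap not in capability_keywords:
                        raise AppArmorException('Passed unknown capability to %s: %s' % (type(self).__name__, cap))
                self.capability = set(caps)
```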


@@ -460,7 +460,6 @@ class CapabiliySeverityTest(AATest):
('dac_read_search', 7), ('dac_read_search', 7),
(['fsetid', 'dac_read_search'], 9), (['fsetid', 'dac_read_search'], 9),
(CapabilityRule.ALL, 10), (CapabilityRule.ALL, 10),
('foo', 'unknown'),
) )
def _run_test(self, params, expected): def _run_test(self, params, expected):


@@ -44,12 +44,6 @@ exception_not_raised = (
'abi/bad_11.sd', 'abi/bad_11.sd',
'abi/bad_12.sd', 'abi/bad_12.sd',
# invalid capabilities (like "foobar"), but syntactically correct
'capability/bad_1.sd',
'capability/bad_2.sd',
'capability/bad_3.sd',
'capability/bad_4.sd',
# interesting[tm] profile name # interesting[tm] profile name
'change_hat/bad_parsing.sd', 'change_hat/bad_parsing.sd',
@@ -176,8 +170,6 @@ exception_not_raised = (
'profile/flags/flags_bad_disconnected_path4.sd', 'profile/flags/flags_bad_disconnected_path4.sd',
'profile/flags/flags_bad_disconnected_path5.sd', 'profile/flags/flags_bad_disconnected_path5.sd',
'profile/profile_ns_bad8.sd', # 'profile :ns/t' without terminating ':' 'profile/profile_ns_bad8.sd', # 'profile :ns/t' without terminating ':'
'ptrace/bad_05.sd', # actually contains a capability rule with invalid (ptrace-related) keyword
'ptrace/bad_06.sd', # actually contains a capability rule with invalid (ptrace-related) keyword
'ptrace/bad_10.sd', # peer with invalid regex 'ptrace/bad_10.sd', # peer with invalid regex
'signal/bad_21.sd', # invalid regex 'signal/bad_21.sd', # invalid regex
'unix/bad_attr_1.sd', 'unix/bad_attr_1.sd',