Update is_skippable_file() to match all extensions that are listed in

libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2025-08-31 06:16:03 +00:00 · 2015-02-04 13:16:29 +01:00
parent 68a19c4943
commit 9d471cdd73
2 changed files with 57 additions and 7 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -2539,15 +2539,23 @@ def validate_profile_mode(mode, allow, nt_name=None):
        else:
            return False

-# rpm backup files, dotfiles, emacs backup files should not be processed
-# The skippable files type needs be synced with apparmor initscript
+
 def is_skippable_file(path):
-    """Returns True if filename matches something to be skipped"""
-    if (re.search('(^|/)\.[^/]*$', path) or re.search('\.rpm(save|new)$', path)
-            or re.search('\.dpkg-(old|new)$', path) or re.search('\.swp$', path)
-            or path[-1] == '~' or path == 'README'):
+    """Returns True if filename matches something to be skipped (rpm or dpkg backup files, hidden files etc.)
+        The list of skippable files needs to be synced with apparmor initscript and libapparmor _aa_is_blacklisted()
+        path: filename (with or without directory)"""
+
+    basename = os.path.basename(path)
+
+    if not basename or basename[0] == '.' or basename == 'README':
        return True

+    skippable_suffix = ('.dpkg-new', '.dpkg-old', '.dpkg-dist', '.dpkg-bak', '.rpmnew', '.rpmsave', '.orig', '.rej', '~')
+    if basename.endswith(skippable_suffix):
+        return True
+
+    return False
+
 def is_skippable_dir(path):
    if re.search('(disable|cache|force-complain|lxc)', path):
        return True
--- a/utils/test/test-aa.py
+++ b/utils/test/test-aa.py
@@ -15,7 +15,7 @@ import shutil
 import tempfile
 from common_test import write_file

-from apparmor.aa import check_for_apparmor
+from apparmor.aa import check_for_apparmor, is_skippable_file

 class AaTest_check_for_apparmor(unittest.TestCase):
    FILESYSTEMS_WITH_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsecurityfs\nnodev\tsockfs\n\text3\n\text2\n\text4'
@@ -70,6 +70,48 @@ class AaTest_check_for_apparmor(unittest.TestCase):
        mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)
        self.assertEqual('%s/security/apparmor' % self.tmpdir, check_for_apparmor(filesystems, mounts))

+class AaTest_is_skippable_file(unittest.TestCase):
+    def test_not_skippable_01(self):
+        self.assertFalse(is_skippable_file('bin.ping'))
+    def test_not_skippable_02(self):
+        self.assertFalse(is_skippable_file('usr.lib.dovecot.anvil'))
+    def test_not_skippable_03(self):
+        self.assertFalse(is_skippable_file('bin.~ping'))
+    def test_not_skippable_04(self):
+        self.assertFalse(is_skippable_file('bin.rpmsave.ping'))
+    def test_not_skippable_05(self):
+        # normally is_skippable_file should be called without directory, but it shouldn't hurt too much
+        self.assertFalse(is_skippable_file('/etc/apparmor.d/bin.ping'))
+    def test_not_skippable_06(self):
+        self.assertFalse(is_skippable_file('bin.pingrej'))
+
+    def test_skippable_01(self):
+        self.assertTrue(is_skippable_file('bin.ping.dpkg-new'))
+    def test_skippable_02(self):
+        self.assertTrue(is_skippable_file('bin.ping.dpkg-old'))
+    def test_skippable_03(self):
+        self.assertTrue(is_skippable_file('bin.ping..dpkg-dist'))
+    def test_skippable_04(self):
+        self.assertTrue(is_skippable_file('bin.ping..dpkg-bak'))
+    def test_skippable_05(self):
+        self.assertTrue(is_skippable_file('bin.ping.rpmnew'))
+    def test_skippable_06(self):
+        self.assertTrue(is_skippable_file('bin.ping.rpmsave'))
+    def test_skippable_07(self):
+        self.assertTrue(is_skippable_file('bin.ping.orig'))
+    def test_skippable_08(self):
+        self.assertTrue(is_skippable_file('bin.ping.rej'))
+    def test_skippable_09(self):
+        self.assertTrue(is_skippable_file('bin.ping~'))
+    def test_skippable_10(self):
+        self.assertTrue(is_skippable_file('.bin.ping'))
+    def test_skippable_11(self):
+        self.assertTrue(is_skippable_file(''))  # empty filename
+    def test_skippable_12(self):
+        self.assertTrue(is_skippable_file('/etc/apparmor.d/'))  # directory without filename
+    def test_skippable_13(self):
+        self.assertTrue(is_skippable_file('README'))
+

 if __name__ == '__main__':
    unittest.main(verbosity=2)