
Update is_skippable_file() to match all extensions that are listed in

libapparmor _aa_is_blacklisted() - some extensions were missing in the
python code.

Also make the code more readable and add some testcases.

Notes:
- the original code additionally ignored *.swp. I didn't include that -
  *.swp looks like vim swap files which are also dot files
- the python code ignores README files, but the C code doesn't
  (do we need to add README in the C code?)


Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
Christian Boltz
2015-02-04 13:16:29 +01:00
parent 68a19c4943
commit 9d471cdd73
2 changed files with 57 additions and 7 deletions


@@ -2539,15 +2539,23 @@ def validate_profile_mode(mode, allow, nt_name=None):
else: else:
return False return False
# rpm backup files, dotfiles, emacs backup files should not be processed
# The skippable files type needs be synced with apparmor initscript
def is_skippable_file(path): def is_skippable_file(path):
"""Returns True if filename matches something to be skipped""" """Returns True if filename matches something to be skipped (rpm or dpkg backup files, hidden files etc.)
if (re.search('(^|/)\.[^/]*$', path) or re.search('\.rpm(save|new)$', path) The list of skippable files needs to be synced with apparmor initscript and libapparmor _aa_is_blacklisted()
or re.search('\.dpkg-(old|new)$', path) or re.search('\.swp$', path) path: filename (with or without directory)"""
or path[-1] == '~' or path == 'README'):
basename = os.path.basename(path)
if not basename or basename[0] == '.' or basename == 'README':
return True return True
skippable_suffix = ('.dpkg-new', '.dpkg-old', '.dpkg-dist', '.dpkg-bak', '.rpmnew', '.rpmsave', '.orig', '.rej', '~')
if basename.endswith(skippable_suffix):
return True
return False
def is_skippable_dir(path): def is_skippable_dir(path):
if re.search('(disable|cache|force-complain|lxc)', path): if re.search('(disable|cache|force-complain|lxc)', path):
return True return True
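Review bot: The new docstring says the skip list must be kept in sync with libapparmor _aa_is_blacklisted(), yet the commit description itself notes that `README` is skipped only on the Python side, and nothing in the code records that divergence; since a skipped file is a profile that is never loaded, a comment beside the `basename == 'README'` check such as `# README is skipped here but not in libapparmor _aa_is_blacklisted() - see commit message` would stop the next maintainer from "fixing" either side blindly. The dropped `.swp` handling is likewise a deliberate behaviour change the code is silent about, and a similar one-line note next to `skippable_suffix` would help. The body now calls `os.path.basename` while the hunk shows no `os` import; presumably aa.py already imports it, but worth confirming. is_skippable_dir, shown at the bottom of the hunk, continues outside it.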


@@ -15,7 +15,7 @@ import shutil
import tempfile import tempfile
from common_test import write_file from common_test import write_file
from apparmor.aa import check_for_apparmor from apparmor.aa import check_for_apparmor, is_skippable_file
class AaTest_check_for_apparmor(unittest.TestCase): class AaTest_check_for_apparmor(unittest.TestCase):
FILESYSTEMS_WITH_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsecurityfs\nnodev\tsockfs\n\text3\n\text2\n\text4' FILESYSTEMS_WITH_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsecurityfs\nnodev\tsockfs\n\text3\n\text2\n\text4'
@@ -70,6 +70,48 @@ class AaTest_check_for_apparmor(unittest.TestCase):
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir) mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)
self.assertEqual('%s/security/apparmor' % self.tmpdir, check_for_apparmor(filesystems, mounts)) self.assertEqual('%s/security/apparmor' % self.tmpdir, check_for_apparmor(filesystems, mounts))
class AaTest_is_skippable_file(unittest.TestCase):
def test_not_skippable_01(self):
self.assertFalse(is_skippable_file('bin.ping'))
def test_not_skippable_02(self):
self.assertFalse(is_skippable_file('usr.lib.dovecot.anvil'))
def test_not_skippable_03(self):
self.assertFalse(is_skippable_file('bin.~ping'))
def test_not_skippable_04(self):
self.assertFalse(is_skippable_file('bin.rpmsave.ping'))
def test_not_skippable_05(self):
# normally is_skippable_file should be called without directory, but it shouldn't hurt too much
self.assertFalse(is_skippable_file('/etc/apparmor.d/bin.ping'))
def test_not_skippable_06(self):
self.assertFalse(is_skippable_file('bin.pingrej'))
def test_skippable_01(self):
self.assertTrue(is_skippable_file('bin.ping.dpkg-new'))
def test_skippable_02(self):
self.assertTrue(is_skippable_file('bin.ping.dpkg-old'))
def test_skippable_03(self):
self.assertTrue(is_skippable_file('bin.ping..dpkg-dist'))
def test_skippable_04(self):
self.assertTrue(is_skippable_file('bin.ping..dpkg-bak'))
def test_skippable_05(self):
self.assertTrue(is_skippable_file('bin.ping.rpmnew'))
def test_skippable_06(self):
self.assertTrue(is_skippable_file('bin.ping.rpmsave'))
def test_skippable_07(self):
self.assertTrue(is_skippable_file('bin.ping.orig'))
def test_skippable_08(self):
self.assertTrue(is_skippable_file('bin.ping.rej'))
def test_skippable_09(self):
self.assertTrue(is_skippable_file('bin.ping~'))
def test_skippable_10(self):
self.assertTrue(is_skippable_file('.bin.ping'))
def test_skippable_11(self):
self.assertTrue(is_skippable_file('')) # empty filename
def test_skippable_12(self):
self.assertTrue(is_skippable_file('/etc/apparmor.d/')) # directory without filename
def test_skippable_13(self):
self.assertTrue(is_skippable_file('README'))
if __name__ == '__main__': if __name__ == '__main__':
unittest.main(verbosity=2) unittest.main(verbosity=2)