FileRule: detect that 'a' is covered by 'w'

References: https://bugs.launchpad.net/apparmor/+bug/1385474
2025-09-01 23:05:11 +00:00 · 2017-12-03 17:51:04 +01:00
parent 1857f07d08
commit a0d4e246ab
2 changed files with 16 additions and 4 deletions
--- a/utils/apparmor/rule/file.py
+++ b/utils/apparmor/rule/file.py
@@ -241,9 +241,9 @@ class FileRule(BaseRule):
        if not self._is_covered_aare(self.path,         self.all_paths,         other_rule.path,        other_rule.all_paths,           'path'):
            return False

-        # TODO: check 'a' vs. 'w'
        # perms can be empty if only exec_perms are specified, therefore disable the sanity check in _is_covered_list()...
-        if not self._is_covered_list(self.perms,        self.all_perms,         other_rule.perms,       other_rule.all_perms,           'perms', sanity_check=False):
+        # 'w' covers 'a', therefore use perms_with_a() to temporarily add 'a' if 'w' is present
+        if not self._is_covered_list(perms_with_a(self.perms), self.all_perms,  perms_with_a(other_rule.perms), other_rule.all_perms,   'perms', sanity_check=False):
            return False

        # ... and do our own sanity check
@@ -533,3 +533,15 @@ def split_perms(perm_string, deny):
            raise AppArmorException(_('permission contains unknown character(s) %s' % perm_string))

    return perms, exec_mode
+
+def perms_with_a(perms):
+    '''if perms includes 'w', add 'a' perms
+       - perms: the original permissions
+    '''
+    perms_with_a = set()
+    if perms:
+        perms_with_a = set(perms)
+        if 'w' in perms_with_a:
+            perms_with_a.add('a')
+
+    return perms_with_a
--- a/utils/test/test-file.py
+++ b/utils/test/test-file.py
@@ -593,7 +593,7 @@ class FileCoveredTest_06(FileCoveredTest):
        ('/foo w,'                                      , [ False   , False         , False     , False     ]),
        ('/foo a,'                                      , [ False   , False         , False     , False     ]),
        ('deny /foo w,'                                 , [ True    , True          , True      , True      ]),
-        ('deny /foo a,'                                 , [ False   , False         , False     , False     ]),  # XXX should be covered
+        ('deny /foo a,'                                 , [ False   , False         , True      , True      ]),
    ]

 class FileCoveredTest_07(FileCoveredTest):
@@ -602,7 +602,7 @@ class FileCoveredTest_07(FileCoveredTest):
    tests = [
        #   rule                                            equal     strict equal    covered     covered exact
        ('/foo w,'                                      , [ True    , True          , True      , True      ]),
-        ('/foo a,'                                      , [ False   , False         , False     , False     ]),  # XXX should be covered
+        ('/foo a,'                                      , [ False   , False         , True      , True      ]),
        ('deny /foo w,'                                 , [ False   , False         , False     , False     ]),
        ('deny /foo a,'                                 , [ False   , False         , False     , False     ]),
    ]