mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 15:25:27 +00:00
Code Issues Releases Wiki Activity

FileRule: detect that 'a' is covered by 'w'

Browse Source 
References: https://bugs.launchpad.net/apparmor/+bug/1385474
This commit is contained in:
Christian Boltz
2017-12-03 17:51:04 +01:00
parent 1857f07d08
commit a0d4e246ab
2 changed files with 16 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
utils/apparmor/rule/file.py
View File

@@ -241,9 +241,9 @@ class FileRule(BaseRule):
if not self._is_covered_aare(self.path, self.all_paths, other_rule.path, other_rule.all_paths, 'path'): if not self._is_covered_aare(self.path, self.all_paths, other_rule.path, other_rule.all_paths, 'path'):
return False return False
# TODO: check 'a' vs. 'w'
# perms can be empty if only exec_perms are specified, therefore disable the sanity check in _is_covered_list()... # perms can be empty if only exec_perms are specified, therefore disable the sanity check in _is_covered_list()...
if not self._is_covered_list(self.perms, self.all_perms, other_rule.perms, other_rule.all_perms, 'perms', sanity_check=False): # 'w' covers 'a', therefore use perms_with_a() to temporarily add 'a' if 'w' is present
if not self._is_covered_list(perms_with_a(self.perms), self.all_perms, perms_with_a(other_rule.perms), other_rule.all_perms, 'perms', sanity_check=False):
return False return False
# ... and do our own sanity check # ... and do our own sanity check
@@ -533,3 +533,15 @@ def split_perms(perm_string, deny):
raise AppArmorException(_('permission contains unknown character(s) %s' % perm_string)) raise AppArmorException(_('permission contains unknown character(s) %s' % perm_string))
return perms, exec_mode return perms, exec_mode
def perms_with_a(perms):
'''if perms includes 'w', add 'a' perms
- perms: the original permissions
'''
perms_with_a = set()
if perms:
perms_with_a = set(perms)
if 'w' in perms_with_a:
perms_with_a.add('a')
return perms_with_a

4
utils/test/test-file.py
View File

@@ -593,7 +593,7 @@ class FileCoveredTest_06(FileCoveredTest):
('/foo w,' , [ False , False , False , False ]), ('/foo w,' , [ False , False , False , False ]),
('/foo a,' , [ False , False , False , False ]), ('/foo a,' , [ False , False , False , False ]),
('deny /foo w,' , [ True , True , True , True ]), ('deny /foo w,' , [ True , True , True , True ]),
('deny /foo a,' , [ False , False , False , False ]), # XXX should be covered ('deny /foo a,' , [ False , False , True , True ]),
] ]
class FileCoveredTest_07(FileCoveredTest): class FileCoveredTest_07(FileCoveredTest):
@@ -602,7 +602,7 @@ class FileCoveredTest_07(FileCoveredTest):
tests = [ tests = [
# rule equal strict equal covered covered exact # rule equal strict equal covered covered exact
('/foo w,' , [ True , True , True , True ]), ('/foo w,' , [ True , True , True , True ]),
('/foo a,' , [ False , False , False , False ]), # XXX should be covered ('/foo a,' , [ False , False , True , True ]),
('deny /foo w,' , [ False , False , False , False ]), ('deny /foo w,' , [ False , False , False , False ]),
('deny /foo a,' , [ False , False , False , False ]), ('deny /foo a,' , [ False , False , False , False ]),
] ]