
[6/9] Use DbusRule and DbusRuleset

Change aa.py to use DbusRule and DbusRuleset in profile_storage,
parse_profile_data() and write_dbus. This also means we can drop the
now unused parse_dbus_rule() and write_dbus_rules() functions.

Raw_DBUS_Rule in rules.py is now also unused and can be dropped.


Also shorten the list of known-failing tests in
test-parser-simple-tests.py. Even though the list of removals doesn't look
too long, the generated_dbus/* removals mean 1989 tests now produce the
expected failures.

OTOH, I had to add 4 tests to the known-failing list:
- 3 tests with a "wrong" order of the conditionals which the parser
  accepts (which is slightly surprising, because usually we enforce the
  order of rule parts)
- one test fails because the path in the path= conditional doesn't start
  with / or a variable. Instead, it starts with an alternation, which
  wouldn't be allowed in file rules.

Those 4 failures need more investigation, but shouldn't block this
patchset.


Finally, adjust test-regex_matches.py to import RE_PROFILE_DBUS from
apparmor.regex instead of apparmor.aa.


Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
Christian Boltz 2016-05-23 23:17:37 +02:00
parent e924168708
commit a293f066b5
4 changed files with 17 additions and 72 deletions


@ -46,7 +46,7 @@ from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN, RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,
RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY, RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
RE_PROFILE_CHANGE_HAT, RE_PROFILE_CHANGE_HAT,
RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT, RE_PROFILE_HAT_DEF, RE_PROFILE_MOUNT,
RE_PROFILE_PIVOT_ROOT, RE_PROFILE_PIVOT_ROOT,
RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT, RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
strip_quotes, parse_profile_start_line, re_match_include ) strip_quotes, parse_profile_start_line, re_match_include )
@ -55,6 +55,7 @@ import apparmor.rules as aarules
from apparmor.rule.capability import CapabilityRuleset, CapabilityRule from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
from apparmor.rule.dbus import DbusRuleset, DbusRule
from apparmor.rule.network import NetworkRuleset, NetworkRule from apparmor.rule.network import NetworkRuleset, NetworkRule
from apparmor.rule.ptrace import PtraceRuleset, PtraceRule from apparmor.rule.ptrace import PtraceRuleset, PtraceRule
from apparmor.rule.rlimit import RlimitRuleset, RlimitRule from apparmor.rule.rlimit import RlimitRuleset, RlimitRule
@ -459,6 +460,7 @@ def profile_storage(profilename, hat, calledby):
profile['info'] = {'profile': profilename, 'hat': hat, 'calledby': calledby} profile['info'] = {'profile': profilename, 'hat': hat, 'calledby': calledby}
profile['capability'] = CapabilityRuleset() profile['capability'] = CapabilityRuleset()
profile['dbus'] = DbusRuleset()
profile['change_profile'] = ChangeProfileRuleset() profile['change_profile'] = ChangeProfileRuleset()
profile['network'] = NetworkRuleset() profile['network'] = NetworkRuleset()
profile['ptrace'] = PtraceRuleset() profile['ptrace'] = PtraceRuleset()
@ -466,7 +468,6 @@ def profile_storage(profilename, hat, calledby):
profile['signal'] = SignalRuleset() profile['signal'] = SignalRuleset()
profile['allow']['path'] = hasher() profile['allow']['path'] = hasher()
profile['allow']['dbus'] = list()
profile['allow']['mount'] = list() profile['allow']['mount'] = list()
profile['allow']['pivot_root'] = list() profile['allow']['pivot_root'] = list()
@ -2885,28 +2886,11 @@ def parse_profile_data(data, file, do_include):
profile_data[profile][hat]['network'].add(NetworkRule.parse(line)) profile_data[profile][hat]['network'].add(NetworkRule.parse(line))
elif RE_PROFILE_DBUS.search(line): elif DbusRule.match(line):
matches = RE_PROFILE_DBUS.search(line).groups()
if not profile: if not profile:
raise AppArmorException(_('Syntax Error: Unexpected dbus entry found in file: %(file)s line: %(line)s') % {'file': file, 'line': lineno + 1 }) raise AppArmorException(_('Syntax Error: Unexpected dbus entry found in file: %(file)s line: %(line)s') % {'file': file, 'line': lineno + 1 })
audit = False profile_data[profile][hat]['dbus'].add(DbusRule.parse(line))
if matches[0]:
audit = True
allow = 'allow'
if matches[1] and matches[1].strip() == 'deny':
allow = 'deny'
dbus = matches[2]
#parse_dbus_rule(profile_data[profile], dbus, audit, allow)
dbus_rule = parse_dbus_rule(dbus)
dbus_rule.audit = audit
dbus_rule.deny = (allow == 'deny')
dbus_rules = profile_data[profile][hat][allow].get('dbus', list())
dbus_rules.append(dbus_rule)
profile_data[profile][hat][allow]['dbus'] = dbus_rules
elif RE_PROFILE_MOUNT.search(line): elif RE_PROFILE_MOUNT.search(line):
matches = RE_PROFILE_MOUNT.search(line).groups() matches = RE_PROFILE_MOUNT.search(line).groups()
@ -3069,18 +3053,6 @@ def parse_profile_data(data, file, do_include):
# RE_DBUS_ENTRY = re.compile('^dbus\s*()?,\s*$') # RE_DBUS_ENTRY = re.compile('^dbus\s*()?,\s*$')
# use stuff like '(?P<action>(send|write|w|receive|read|r|rw))' # use stuff like '(?P<action>(send|write|w|receive|read|r|rw))'
def parse_dbus_rule(line):
# XXX Do real parsing here
return aarules.Raw_DBUS_Rule(line)
#matches = RE_DBUS_ENTRY.search(line).groups()
#if len(matches) == 1:
# XXX warn?
# matched nothing
# print('no matches')
# return aarules.DBUS_Rule()
#print(line)
def parse_mount_rule(line): def parse_mount_rule(line):
# XXX Do real parsing here # XXX Do real parsing here
return aarules.Raw_Mount_Rule(line) return aarules.Raw_Mount_Rule(line)
@ -3253,22 +3225,10 @@ def write_netdomain(prof_data, depth):
data = prof_data['network'].get_clean(depth) data = prof_data['network'].get_clean(depth)
return data return data
def write_dbus_rules(prof_data, depth, allow):
pre = ' ' * depth
data = []
# no dbus rules, so return
if not prof_data[allow].get('dbus', False):
return data
for dbus_rule in prof_data[allow]['dbus']:
data.append('%s%s' % (pre, dbus_rule.serialize()))
data.append('')
return data
def write_dbus(prof_data, depth): def write_dbus(prof_data, depth):
data = write_dbus_rules(prof_data, depth, 'deny') data = []
data += write_dbus_rules(prof_data, depth, 'allow') if prof_data.get('dbus', False):
data = prof_data['dbus'].get_clean(depth)
return data return data
def write_mount_rules(prof_data, depth, allow): def write_mount_rules(prof_data, depth, allow):
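Review bot: The new `write_dbus` body guards with `if prof_data.get('dbus', False):` while `write_netdomain` a few lines above indexes `prof_data['network']` directly, and the `profile_storage` hunk in this same commit now sets `profile['dbus'] = DbusRuleset()` unconditionally, so for any dict built through `profile_storage` the guard is dead code. Either align it with the other ruleset writers, `data = prof_data['dbus'].get_clean(depth)`, or keep the guard and document which callers can hand in a dict without a 'dbus' key, e.g. `# 'dbus' may be absent when prof_data was not created by profile_storage()`. Note also that the truthiness test depends on whether `DbusRuleset` defines `__len__`/`__bool__` (not visible here): if it does not, a ruleset instance is always truthy and the `if` only covers a missing key, which is presumably what was intended but worth stating. The old `write_dbus_rules` it replaces had the same optional-key shape, so this looks like a carried-over idiom rather than a deliberate choice.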


@ -65,9 +65,6 @@ class _Raw_Rule(object):
print('%sraw rule = %s' % (tabs, self.rule)) print('%sraw rule = %s' % (tabs, self.rule))
class Raw_DBUS_Rule(_Raw_Rule):
pass
class Raw_Mount_Rule(_Raw_Rule): class Raw_Mount_Rule(_Raw_Rule):
pass pass


@ -25,15 +25,6 @@ from apparmor.common import open_file_read, AppArmorException
# XXX tests listed here will be *** SKIPPED *** XXX # XXX tests listed here will be *** SKIPPED *** XXX
skip_startswith = ( skip_startswith = (
# lots of invalid dbus rules (the tools currently just store them without any parsing)
'generated_dbus/bad-perms-',
'generated_dbus/bad-formatting-',
'generated_dbus/duplicated-conditionals-',
'generated_dbus/eavesdrop-incompat-',
'generated_dbus/message-incompat-',
'generated_dbus/pairing-unsupported-',
'generated_dbus/service-incompat-',
# the tools don't check for conflicting x permissions (yet?) # the tools don't check for conflicting x permissions (yet?)
'generated_x/conflict-', 'generated_x/conflict-',
'generated_x/ambiguous-', 'generated_x/ambiguous-',
@ -56,14 +47,6 @@ exception_not_raised = [
'capability/bad_3.sd', 'capability/bad_3.sd',
'capability/bad_4.sd', 'capability/bad_4.sd',
'change_hat/bad_parsing.sd', 'change_hat/bad_parsing.sd',
'dbus/bad_bind_1.sd',
'dbus/bad_bind_2.sd',
'dbus/bad_eavesdrop_1.sd',
'dbus/bad_modifier_1.sd',
'dbus/bad_modifier_2.sd',
'dbus/bad_modifier_3.sd',
'dbus/bad_modifier_4.sd',
'dbus/bad_peer_1.sd',
'dbus/bad_regex_01.sd', 'dbus/bad_regex_01.sd',
'dbus/bad_regex_02.sd', 'dbus/bad_regex_02.sd',
'dbus/bad_regex_03.sd', 'dbus/bad_regex_03.sd',
@ -174,8 +157,6 @@ exception_not_raised = [
'vars/vars_dbus_bad_01.sd', 'vars/vars_dbus_bad_01.sd',
'vars/vars_dbus_bad_02.sd', 'vars/vars_dbus_bad_02.sd',
'vars/vars_dbus_bad_03.sd', 'vars/vars_dbus_bad_03.sd',
'vars/vars_dbus_bad_04.sd',
'vars/vars_dbus_bad_05.sd',
'vars/vars_dbus_bad_06.sd', 'vars/vars_dbus_bad_06.sd',
'vars/vars_dbus_bad_07.sd', 'vars/vars_dbus_bad_07.sd',
'vars/vars_file_evaluation_7.sd', 'vars/vars_file_evaluation_7.sd',
@ -290,7 +271,13 @@ syntax_failure = [
'xtrans/simple_ok_pix_1.sd', # Invalid mode pIx 'xtrans/simple_ok_pix_1.sd', # Invalid mode pIx
'xtrans/simple_ok_pux_1.sd', # Invalid mode rPux 'xtrans/simple_ok_pux_1.sd', # Invalid mode rPux
# dbus regex mismatch
'vars/vars_dbus_4.sd',
'vars/vars_dbus_9.sd',
'vars/vars_dbus_2.sd',
# misc # misc
'vars/vars_dbus_8.sd', # Path doesn't start with / or variable: {/@{TLDS}/foo,/com/@{DOMAINS}}
'vars/vars_simple_assignment_12.sd', # Redefining existing variable @{BAR} ('\' not handled) 'vars/vars_simple_assignment_12.sd', # Redefining existing variable @{BAR} ('\' not handled)
'rewrite/alias_good_5.sd', # Values added to a non-existing variable @{FOO} (defined in include, lp:1331856) 'rewrite/alias_good_5.sd', # Values added to a non-existing variable @{FOO} (defined in include, lp:1331856)
'bare_include_tests/ok_2.sd', # two #include<...> in one line 'bare_include_tests/ok_2.sd', # two #include<...> in one line
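Review bot: The `# dbus regex mismatch` comment above the three new `syntax_failure` entries (vars_dbus_4, vars_dbus_9, vars_dbus_2) does not say what mismatches; the commit message explains that these rules order their conditionals differently from what the tools' regex expects while the parser accepts them, and that reasoning belongs next to the entries, e.g. `# conditionals in an order the tools' dbus regex rejects but the parser accepts - needs investigation`. Listing them in numeric order (2, 4, 9) would also make future additions easier to check against the list. The `vars_dbus_8.sd` entry already carries its reason inline, so only the three entries under the new comment are affected.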


@ -14,7 +14,8 @@ import unittest
from common_test import AATest, setup_all_loops from common_test import AATest, setup_all_loops
from apparmor.common import AppArmorBug, AppArmorException from apparmor.common import AppArmorBug, AppArmorException
from apparmor.regex import strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include, RE_PROFILE_START, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL from apparmor.regex import ( strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include,
RE_PROFILE_START, RE_PROFILE_DBUS, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL )
class AARegexTest(AATest): class AARegexTest(AATest):
@ -256,7 +257,7 @@ class AARegexDbus(AARegexTest):
'''Tests for RE_PROFILE_DBUS''' '''Tests for RE_PROFILE_DBUS'''
def AASetup(self): def AASetup(self):
self.regex = aa.RE_PROFILE_DBUS self.regex = RE_PROFILE_DBUS
tests = [ tests = [
(' dbus,', (None, None, 'dbus,', None, None)), (' dbus,', (None, None, 'dbus,', None, None)),