[6/9] Use DbusRule and DbusRuleset

Change aa.py to use DbusRule and DbusRuleset in profile_storage, parse_profile_data() and write_dbus. This also means we can drop the now unused parse_dbus_rule() and write_dbus_rules() functions. Raw_DBUS_Rule in rules.py is now also unused and can be dropped. Also shorten the list of known-failing tests in test-parser-simple-tests.py. Even if the list of removals doesn't look too long, the generated_dbus/* removals mean 1989 tests now cause the expected failures. OTOH, I had to add 4 tests to the known-failing list: - 3 tests with a "wrong" order of the conditionals which the parser accepts (which is slightly surprising, because usually we enforce the order of rule parts) - one test fails because the path in the path= conditional doesn't start with / or a variable. Instead, it starts with an alternation, which wouldn't be allowed in file rules. Those 4 failures need more investigation, but shouldn't block this patchset. Finally, adjust test-regex_matches.py to import RE_PROFILE_DBUS from apparmor.regex instead of apparmor.aa. Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-08-22 10:07:12 +00:00 · 2016-05-23 23:17:37 +02:00 · 2016-05-23 23:17:37 +02:00 · a293f066b5
commit a293f066b5
parent e924168708
4 changed files with 17 additions and 72 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@ -46,7 +46,7 @@ from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
                            RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,
                            RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
                            RE_PROFILE_CHANGE_HAT,
-                            RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT,
+                            RE_PROFILE_HAT_DEF, RE_PROFILE_MOUNT,
                            RE_PROFILE_PIVOT_ROOT,
                            RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
                            strip_quotes, parse_profile_start_line, re_match_include )
@ -55,6 +55,7 @@ import apparmor.rules as aarules

 from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
 from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
+from apparmor.rule.dbus       import DbusRuleset,       DbusRule
 from apparmor.rule.network    import NetworkRuleset,    NetworkRule
 from apparmor.rule.ptrace     import PtraceRuleset,    PtraceRule
 from apparmor.rule.rlimit     import RlimitRuleset,    RlimitRule
@ -459,6 +460,7 @@ def profile_storage(profilename, hat, calledby):
    profile['info'] = {'profile': profilename, 'hat': hat, 'calledby': calledby}

    profile['capability']       = CapabilityRuleset()
+    profile['dbus']             = DbusRuleset()
    profile['change_profile']   = ChangeProfileRuleset()
    profile['network']          = NetworkRuleset()
    profile['ptrace']           = PtraceRuleset()
@ -466,7 +468,6 @@ def profile_storage(profilename, hat, calledby):
    profile['signal']           = SignalRuleset()

    profile['allow']['path'] = hasher()
-    profile['allow']['dbus'] = list()
    profile['allow']['mount'] = list()
    profile['allow']['pivot_root'] = list()

@ -2885,28 +2886,11 @@ def parse_profile_data(data, file, do_include):

            profile_data[profile][hat]['network'].add(NetworkRule.parse(line))

-        elif RE_PROFILE_DBUS.search(line):
-            matches = RE_PROFILE_DBUS.search(line).groups()
-
+        elif DbusRule.match(line):
            if not profile:
                raise AppArmorException(_('Syntax Error: Unexpected dbus entry found in file: %(file)s line: %(line)s') % {'file': file, 'line': lineno + 1 })

-            audit = False
-            if matches[0]:
-                audit = True
-            allow = 'allow'
-            if matches[1] and matches[1].strip() == 'deny':
-                allow = 'deny'
-            dbus = matches[2]
-
-            #parse_dbus_rule(profile_data[profile], dbus, audit, allow)
-            dbus_rule = parse_dbus_rule(dbus)
-            dbus_rule.audit = audit
-            dbus_rule.deny = (allow == 'deny')
-
-            dbus_rules = profile_data[profile][hat][allow].get('dbus', list())
-            dbus_rules.append(dbus_rule)
-            profile_data[profile][hat][allow]['dbus'] = dbus_rules
+            profile_data[profile][hat]['dbus'].add(DbusRule.parse(line))

        elif RE_PROFILE_MOUNT.search(line):
            matches = RE_PROFILE_MOUNT.search(line).groups()
@ -3069,18 +3053,6 @@ def parse_profile_data(data, file, do_include):
 # RE_DBUS_ENTRY = re.compile('^dbus\s*()?,\s*$')
 #   use stuff like '(?P<action>(send|write|w|receive|read|r|rw))'

-def parse_dbus_rule(line):
-    # XXX Do real parsing here
-    return aarules.Raw_DBUS_Rule(line)
-
-    #matches = RE_DBUS_ENTRY.search(line).groups()
-    #if len(matches) == 1:
-        # XXX warn?
-        # matched nothing
-    #    print('no matches')
-    #    return aarules.DBUS_Rule()
-    #print(line)
-
 def parse_mount_rule(line):
    # XXX Do real parsing here
    return aarules.Raw_Mount_Rule(line)
@ -3253,22 +3225,10 @@ def write_netdomain(prof_data, depth):
        data = prof_data['network'].get_clean(depth)
    return data

-def write_dbus_rules(prof_data, depth, allow):
-    pre = '  ' * depth
-    data = []
-
-    # no dbus rules, so return
-    if not prof_data[allow].get('dbus', False):
-        return data
-
-    for dbus_rule in prof_data[allow]['dbus']:
-        data.append('%s%s' % (pre, dbus_rule.serialize()))
-    data.append('')
-    return data
-
 def write_dbus(prof_data, depth):
-    data = write_dbus_rules(prof_data, depth, 'deny')
-    data += write_dbus_rules(prof_data, depth, 'allow')
+    data = []
+    if prof_data.get('dbus', False):
+        data = prof_data['dbus'].get_clean(depth)
    return data

 def write_mount_rules(prof_data, depth, allow):
--- a/utils/apparmor/rules.py
+++ b/utils/apparmor/rules.py
@ -65,9 +65,6 @@ class _Raw_Rule(object):
        print('%sraw rule = %s' % (tabs, self.rule))


-class Raw_DBUS_Rule(_Raw_Rule):
-    pass
-
 class Raw_Mount_Rule(_Raw_Rule):
    pass

--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@ -25,15 +25,6 @@ from apparmor.common import open_file_read, AppArmorException

 # XXX tests listed here will be *** SKIPPED *** XXX
 skip_startswith = (
-    # lots of invalid dbus rules (the tools currently just store them without any parsing)
-    'generated_dbus/bad-perms-',
-    'generated_dbus/bad-formatting-',
-    'generated_dbus/duplicated-conditionals-',
-    'generated_dbus/eavesdrop-incompat-',
-    'generated_dbus/message-incompat-',
-    'generated_dbus/pairing-unsupported-',
-    'generated_dbus/service-incompat-',
-
    # the tools don't check for conflicting x permissions (yet?)
    'generated_x/conflict-',
    'generated_x/ambiguous-',
@ -56,14 +47,6 @@ exception_not_raised = [
    'capability/bad_3.sd',
    'capability/bad_4.sd',
    'change_hat/bad_parsing.sd',
-    'dbus/bad_bind_1.sd',
-    'dbus/bad_bind_2.sd',
-    'dbus/bad_eavesdrop_1.sd',
-    'dbus/bad_modifier_1.sd',
-    'dbus/bad_modifier_2.sd',
-    'dbus/bad_modifier_3.sd',
-    'dbus/bad_modifier_4.sd',
-    'dbus/bad_peer_1.sd',
    'dbus/bad_regex_01.sd',
    'dbus/bad_regex_02.sd',
    'dbus/bad_regex_03.sd',
@ -174,8 +157,6 @@ exception_not_raised = [
    'vars/vars_dbus_bad_01.sd',
    'vars/vars_dbus_bad_02.sd',
    'vars/vars_dbus_bad_03.sd',
-    'vars/vars_dbus_bad_04.sd',
-    'vars/vars_dbus_bad_05.sd',
    'vars/vars_dbus_bad_06.sd',
    'vars/vars_dbus_bad_07.sd',
    'vars/vars_file_evaluation_7.sd',
@ -290,7 +271,13 @@ syntax_failure = [
    'xtrans/simple_ok_pix_1.sd',  # Invalid mode pIx
    'xtrans/simple_ok_pux_1.sd',  # Invalid mode rPux

+    # dbus regex mismatch
+    'vars/vars_dbus_4.sd',
+    'vars/vars_dbus_9.sd',
+    'vars/vars_dbus_2.sd',
+
    # misc
+    'vars/vars_dbus_8.sd',  # Path doesn't start with / or variable: {/@{TLDS}/foo,/com/@{DOMAINS}}
    'vars/vars_simple_assignment_12.sd',  # Redefining existing variable @{BAR} ('\' not handled)
    'rewrite/alias_good_5.sd',  # Values added to a non-existing variable @{FOO} (defined in include, lp:1331856)
    'bare_include_tests/ok_2.sd',  # two #include<...> in one line
--- a/utils/test/test-regex_matches.py
+++ b/utils/test/test-regex_matches.py
@ -14,7 +14,8 @@ import unittest
 from common_test import AATest, setup_all_loops
 from apparmor.common import AppArmorBug, AppArmorException

-from apparmor.regex import strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include, RE_PROFILE_START, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL
+from apparmor.regex import ( strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include,
+     RE_PROFILE_START, RE_PROFILE_DBUS, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL )


 class AARegexTest(AATest):
@ -256,7 +257,7 @@ class AARegexDbus(AARegexTest):
    '''Tests for RE_PROFILE_DBUS'''

    def AASetup(self):
-        self.regex = aa.RE_PROFILE_DBUS
+        self.regex = RE_PROFILE_DBUS

    tests = [
        ('   dbus,',                                    (None,      None,   'dbus,',                            None,                       None)),