From ab44dddba9dfdbe3b225f5dc1cf788f5a31d6634 Mon Sep 17 00:00:00 2001
From: Georgia Garcia
Date: Mon, 21 Apr 2025 17:32:24 -0300
Subject: [PATCH] utils: add allow keyword to list of unsupported modifiers
Some classes don't support modifiers like audit and deny. Only rlimit has been checking for the allow keyword, but the others shouldn't support it as well. Since they all do the same check, refactor them into a method from BaseRule in case more modifiers are added.
Signed-off-by: Georgia Garcia
(cherry picked from commit 3389230437570a47927d87c82902c37f63c41c45)
Signed-off-by: John Johansen
---
 utils/apparmor/rule/__init__.py | 8 ++++++++
 utils/apparmor/rule/alias.py | 7 ++-----
 utils/apparmor/rule/boolean.py | 7 ++-----
 utils/apparmor/rule/include.py | 7 ++-----
 utils/apparmor/rule/rlimit.py | 4 ++--
 utils/apparmor/rule/variable.py | 7 ++-----
 6 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/utils/apparmor/rule/__init__.py b/utils/apparmor/rule/__init__.py
index d0fdf80bc..c25f34747 100644
--- a/utils/apparmor/rule/__init__.py
+++ b/utils/apparmor/rule/__init__.py
@@ -334,6 +334,14 @@ class BaseRule(metaclass=ABCMeta):
 return '%s%s' % (auditstr, allowstr)
+ def ensure_modifiers_not_supported(self):
+ if self.audit:
+ raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
+ if self.deny:
+ raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+ if self.allow_keyword:
+ raise AppArmorBug('Attempt to initialize %s with allow keyword' % self.__class__.__name__)
+
 class BaseRuleset:
 """Base class to handle and store a collection of rules"""
diff --git a/utils/apparmor/rule/alias.py b/utils/apparmor/rule/alias.py
index aca4c530a..952d1ba09 100644
--- a/utils/apparmor/rule/alias.py
+++ b/utils/apparmor/rule/alias.py
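Review bot: ensure_modifiers_not_supported has no docstring, and its contract depends on BaseRule.__init__ having already stored audit, deny and allow_keyword on self, which the alias, boolean, include, rlimit and variable hunks satisfy only because each calls super().__init__() before it. A docstring such as `"""Raise AppArmorBug if this rule was created with audit, deny or the allow keyword. Must be called after BaseRule.__init__ has stored those flags."""` would make that ordering explicit for future rule classes that reuse the helper. The three checks are identical apart from the attribute and the wording, so a single loop over (self.audit, 'audit flag'), (self.deny, 'deny flag'), (self.allow_keyword, 'allow keyword') would keep the messages byte-identical while leaving one place to extend when further modifiers are added, which the commit message names as the goal.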
@@ -32,11 +32,8 @@ class AliasRule(BaseRule):
 super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment, log_event=log_event)
- # aliases don't support audit or deny
- if audit:
- raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
- if deny:
- raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+ # aliases don't support allow keyword, audit or deny
+ self.ensure_modifiers_not_supported()
 if not isinstance(orig_path, str):
 raise AppArmorBug('Passed unknown type for orig_path to %s: %s' % (self.__class__.__name__, orig_path))
diff --git a/utils/apparmor/rule/boolean.py b/utils/apparmor/rule/boolean.py
index 7d24ddda7..c2f877907 100644
--- a/utils/apparmor/rule/boolean.py
+++ b/utils/apparmor/rule/boolean.py
@@ -33,11 +33,8 @@ class BooleanRule(BaseRule):
 super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment, log_event=log_event)
- # boolean variables don't support audit or deny
- if audit:
- raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
- if deny:
- raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+ # boolean variables don't support allow keyword, audit or deny
+ self.ensure_modifiers_not_supported()
 if not isinstance(varname, str):
 raise AppArmorBug('Passed unknown type for boolean variable to %s: %s' % (self.__class__.__name__, varname))
diff --git a/utils/apparmor/rule/include.py b/utils/apparmor/rule/include.py
index 6ade58874..02ee86349 100644
--- a/utils/apparmor/rule/include.py
+++ b/utils/apparmor/rule/include.py
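Review bot: Rejecting allow_keyword is new behaviour for AliasRule, which previously checked only audit and deny, and the same applies to the boolean.py, include.py and variable.py hunks; the diffstat lists no test file, so a test that constructs each of these rule types with allow_keyword=True and expects AppArmorBug would pin the new contract. Whether any parser path currently passes allow_keyword=True to these constructors cannot be seen from the hunk; if one does, it would now raise where it used to succeed, so that is worth checking before the backport lands. The new check also reads self.audit/self.deny/self.allow_keyword rather than the local parameters, which is equivalent only if BaseRule.__init__ stores them unchanged; that constructor is outside the hunk. AliasRule.__init__ starts before the hunk and continues after it.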
@@ -33,11 +33,8 @@ class IncludeRule(BaseRule):
 super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment, log_event=log_event)
- # include doesn't support audit or deny
- if audit:
- raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
- if deny:
- raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+ # include doesn't support allow keyword, audit or deny
+ self.ensure_modifiers_not_supported()
 if not isinstance(ifexists, bool):
 raise AppArmorBug('Passed unknown type for ifexists to %s: %s' % (self.__class__.__name__, ifexists))
diff --git a/utils/apparmor/rule/rlimit.py b/utils/apparmor/rule/rlimit.py
index 4bc810563..12888cb82 100644
--- a/utils/apparmor/rule/rlimit.py
+++ b/utils/apparmor/rule/rlimit.py
@@ -54,8 +54,8 @@ class RlimitRule(BaseRule):
 super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment, log_event=log_event)
- if audit or deny or allow_keyword:
- raise AppArmorBug('The audit, allow or deny keywords are not allowed in rlimit rules.')
+ # rlimit rules don't support allow keyword, audit or deny
+ self.ensure_modifiers_not_supported()
 if isinstance(rlimit, str):
 if rlimit in rlimit_all:
diff --git a/utils/apparmor/rule/variable.py b/utils/apparmor/rule/variable.py
index 52d63dd95..85ce31263 100644
--- a/utils/apparmor/rule/variable.py
+++ b/utils/apparmor/rule/variable.py
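Review bot: The rlimit error text changes from the single combined message `'The audit, allow or deny keywords are not allowed in rlimit rules.'` to the per-flag `'Attempt to initialize %s with ... '` messages raised by ensure_modifiers_not_supported, and no test file appears in the diffstat, so any test asserting on the old wording would need updating. The exception type and the set of rejected flags are unchanged, since the old check also raised AppArmorBug for any of the three, so only the message and the first-flag-wins ordering differ. RlimitRule.__init__ continues outside the hunk.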
@@ -35,11 +35,8 @@ class VariableRule(BaseRule):
 super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment, log_event=log_event)
- # variables don't support audit or deny
- if audit:
- raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
- if deny:
- raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+ # variables don't support allow keyword, audit or deny
+ self.ensure_modifiers_not_supported()
 if not isinstance(varname, str):
 raise AppArmorBug('Passed unknown type for varname to %s: %s' % (self.__class__.__name__, varname))