mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00

utils: add allow keyword to list of unsupported modifiers

Some classes don't support modifiers like audit and deny. Only rlimit
has been checking for the allow keyword, but the others shouldn't
support it either. Since they all do the same check, refactor them
into a method from BaseRule in case more modifiers are added.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 3389230437570a47927d87c82902c37f63c41c45)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Georgia Garcia 2025-04-21 17:32:24 -03:00 committed by John Johansen
parent 3d14d51253
commit ab44dddba9
6 changed files with 18 additions and 22 deletions


@ -334,6 +334,14 @@ class BaseRule(metaclass=ABCMeta):
return '%s%s' % (auditstr, allowstr) return '%s%s' % (auditstr, allowstr)
def ensure_modifiers_not_supported(self):
if self.audit:
raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
if self.deny:
raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
if self.allow_keyword:
raise AppArmorBug('Attempt to initialize %s with allow keyword' % self.__class__.__name__)
class BaseRuleset: class BaseRuleset:
"""Base class to handle and store a collection of rules""" """Base class to handle and store a collection of rules"""
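Review bot: `ensure_modifiers_not_supported` is added without a docstring, and the name alone does not say what it raises or when it may be called. It reads `self.audit`, `self.deny` and `self.allow_keyword`, so it is only meaningful after `super().__init__()` has stored them, which is the order used at all five call sites in this commit. I would add `"""Raise AppArmorBug if audit, deny or the allow keyword is set; call after BaseRule.__init__() in rule types that take no modifiers."""` as its first line. The rest of BaseRule is outside this hunk, so how `__init__` stores the three attributes is assumed rather than visible here.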


@ -32,11 +32,8 @@ class AliasRule(BaseRule):
super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
comment=comment, log_event=log_event) comment=comment, log_event=log_event)
# aliases don't support audit or deny # aliases don't support allow keyword, audit or deny
if audit: self.ensure_modifiers_not_supported()
raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
if deny:
raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
if not isinstance(orig_path, str): if not isinstance(orig_path, str):
raise AppArmorBug('Passed unknown type for orig_path to %s: %s' % (self.__class__.__name__, orig_path)) raise AppArmorBug('Passed unknown type for orig_path to %s: %s' % (self.__class__.__name__, orig_path))


@ -33,11 +33,8 @@ class BooleanRule(BaseRule):
super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
comment=comment, log_event=log_event) comment=comment, log_event=log_event)
# boolean variables don't support audit or deny # boolean variables don't support allow keyword, audit or deny
if audit: self.ensure_modifiers_not_supported()
raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
if deny:
raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
if not isinstance(varname, str): if not isinstance(varname, str):
raise AppArmorBug('Passed unknown type for boolean variable to %s: %s' % (self.__class__.__name__, varname)) raise AppArmorBug('Passed unknown type for boolean variable to %s: %s' % (self.__class__.__name__, varname))


@ -33,11 +33,8 @@ class IncludeRule(BaseRule):
super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
comment=comment, log_event=log_event) comment=comment, log_event=log_event)
# include doesn't support audit or deny # include doesn't support allow keyword, audit or deny
if audit: self.ensure_modifiers_not_supported()
raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
if deny:
raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
if not isinstance(ifexists, bool): if not isinstance(ifexists, bool):
raise AppArmorBug('Passed unknown type for ifexists to %s: %s' % (self.__class__.__name__, ifexists)) raise AppArmorBug('Passed unknown type for ifexists to %s: %s' % (self.__class__.__name__, ifexists))


@ -54,8 +54,8 @@ class RlimitRule(BaseRule):
super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
comment=comment, log_event=log_event) comment=comment, log_event=log_event)
if audit or deny or allow_keyword: # rlimit rules don't support allow keyword, audit or deny
raise AppArmorBug('The audit, allow or deny keywords are not allowed in rlimit rules.') self.ensure_modifiers_not_supported()
if isinstance(rlimit, str): if isinstance(rlimit, str):
if rlimit in rlimit_all: if rlimit in rlimit_all:
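Review bot: The rlimit check no longer raises with 'The audit, allow or deny keywords are not allowed in rlimit rules.' and instead uses the generic BaseRule text ('Attempt to initialize %s with audit flag' and its deny and allow variants). The exception type stays AppArmorBug, but any test or caller that compares the message string would need the new wording, and no test file appears among the six changed files. `__init__` continues past the end of this hunk.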


@ -35,11 +35,8 @@ class VariableRule(BaseRule):
super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
comment=comment, log_event=log_event) comment=comment, log_event=log_event)
# variables don't support audit or deny # variables don't support allow keyword, audit or deny
if audit: self.ensure_modifiers_not_supported()
raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
if deny:
raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
if not isinstance(varname, str): if not isinstance(varname, str):
raise AppArmorBug('Passed unknown type for varname to %s: %s' % (self.__class__.__name__, varname)) raise AppArmorBug('Passed unknown type for varname to %s: %s' % (self.__class__.__name__, varname))