utils: add allow keyword to list of unsupported modifiers

Some classes don't support modifiers like audit and deny. Only rlimit has been checking for the allow keyword, but the others shouldn't support it as well. Since they all do the same check, refactor them into a method from BaseRule in case more modifiers are added. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> (cherry picked from commit 3389230437570a47927d87c82902c37f63c41c45) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-22 18:17:09 +00:00 · 2025-04-21 17:32:24 -03:00 · 2025-04-21 17:32:24 -03:00 · ab44dddba9
commit ab44dddba9
parent 3d14d51253
6 changed files with 18 additions and 22 deletions
--- a/utils/apparmor/rule/init.py
+++ b/utils/apparmor/rule/init.py
@ -334,6 +334,14 @@ class BaseRule(metaclass=ABCMeta):

        return '%s%s' % (auditstr, allowstr)

+    def ensure_modifiers_not_supported(self):
+        if self.audit:
+            raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
+        if self.deny:
+            raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+        if self.allow_keyword:
+            raise AppArmorBug('Attempt to initialize %s with allow keyword' % self.__class__.__name__)
+

 class BaseRuleset:
    """Base class to handle and store a collection of rules"""
--- a/utils/apparmor/rule/alias.py
+++ b/utils/apparmor/rule/alias.py
@ -32,11 +32,8 @@ class AliasRule(BaseRule):
        super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
                         comment=comment, log_event=log_event)

-        # aliases don't support audit or deny
-        if audit:
-            raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
-        if deny:
-            raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+        # aliases don't support allow keyword, audit or deny
+        self.ensure_modifiers_not_supported()

        if not isinstance(orig_path, str):
            raise AppArmorBug('Passed unknown type for orig_path to %s: %s' % (self.__class__.__name__, orig_path))
--- a/utils/apparmor/rule/boolean.py
+++ b/utils/apparmor/rule/boolean.py
@ -33,11 +33,8 @@ class BooleanRule(BaseRule):
        super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
                         comment=comment, log_event=log_event)

-        # boolean variables don't support audit or deny
-        if audit:
-            raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
-        if deny:
-            raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+        # boolean variables don't support allow keyword, audit or deny
+        self.ensure_modifiers_not_supported()

        if not isinstance(varname, str):
            raise AppArmorBug('Passed unknown type for boolean variable to %s: %s' % (self.__class__.__name__, varname))
--- a/utils/apparmor/rule/include.py
+++ b/utils/apparmor/rule/include.py
@ -33,11 +33,8 @@ class IncludeRule(BaseRule):
        super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
                         comment=comment, log_event=log_event)

-        # include doesn't support audit or deny
-        if audit:
-            raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
-        if deny:
-            raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+        # include doesn't support allow keyword, audit or deny
+        self.ensure_modifiers_not_supported()

        if not isinstance(ifexists, bool):
            raise AppArmorBug('Passed unknown type for ifexists to %s: %s' % (self.__class__.__name__, ifexists))
--- a/utils/apparmor/rule/rlimit.py
+++ b/utils/apparmor/rule/rlimit.py
@ -54,8 +54,8 @@ class RlimitRule(BaseRule):
        super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
                         comment=comment, log_event=log_event)

-        if audit or deny or allow_keyword:
-            raise AppArmorBug('The audit, allow or deny keywords are not allowed in rlimit rules.')
+        # rlimit rules don't support allow keyword, audit or deny
+        self.ensure_modifiers_not_supported()

        if isinstance(rlimit, str):
            if rlimit in rlimit_all:
--- a/utils/apparmor/rule/variable.py
+++ b/utils/apparmor/rule/variable.py
@ -35,11 +35,8 @@ class VariableRule(BaseRule):
        super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
                         comment=comment, log_event=log_event)

-        # variables don't support audit or deny
-        if audit:
-            raise AppArmorBug('Attempt to initialize %s with audit flag' % self.__class__.__name__)
-        if deny:
-            raise AppArmorBug('Attempt to initialize %s with deny flag' % self.__class__.__name__)
+        # variables don't support allow keyword, audit or deny
+        self.ensure_modifiers_not_supported()

        if not isinstance(varname, str):
            raise AppArmorBug('Passed unknown type for varname to %s: %s' % (self.__class__.__name__, varname))