mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 22:05:27 +00:00
Code Issues Releases Wiki Activity

aamode.py - fix LOG_MODE_RE

Browse Source 
LOG_MODE_RE (used in validate_log_mode() in aamode.py) just checked if
the given parameter contains one of the possible matches. This resulted
in "invalid" being a valid log mode (from audit.log requested_mask or
denied_mask) because it contains 'a', which is a valid file mode.

This patch wraps the regex into   ^(...)+$   to make sure the full
string contains only allowed file modes.

The patch also adds some tests for validate_log_mode().


Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
Christian Boltz
2014-12-01 22:49:54 +01:00
parent 8346ef0f77
commit d82e9a3bec
2 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
utils/apparmor/aamode.py
View File

@@ -68,7 +68,7 @@ MODE_HASH = {'x': AA_MAY_EXEC, 'X': AA_MAY_EXEC,
'N': AA_EXEC_NT
}
LOG_MODE_RE = re.compile('(r|w|l|m|k|a|x|ix|ux|px|pux|cx|nx|pix|cix|Ux|Px|PUx|Cx|Nx|Pix|Cix)')
LOG_MODE_RE = re.compile('^(r|w|l|m|k|a|x|ix|ux|px|pux|cx|nx|pix|cix|Ux|Px|PUx|Cx|Nx|Pix|Cix)+$')
MODE_MAP_SET = {"r", "w", "l", "m", "k", "a", "x", "i", "u", "p", "c", "n", "I", "U", "P", "C", "N"}
def str_to_mode(string):

20
utils/test/test-aamode.py
View File

@@ -11,7 +11,7 @@
import unittest
from apparmor.aamode import split_log_mode, sub_str_to_mode
from apparmor.aamode import split_log_mode, sub_str_to_mode, validate_log_mode
from apparmor.common import AppArmorBug
class AamodeTest_split_log_mode(unittest.TestCase):
@@ -51,6 +51,24 @@ class AamodeTest_sub_str_to_mode(unittest.TestCase):
def test_sub_str_to_mode_dupes(self):
self.assertEqual(sub_str_to_mode('rwrwrw'), {'r', 'w'})
class AamodeTest_validate_log_mode(unittest.TestCase):
def test_validate_log_mode_1(self):
self.assertTrue(validate_log_mode('a'))
def test_validate_log_mode_2(self):
self.assertTrue(validate_log_mode('rw'))
def test_validate_log_mode_3(self):
self.assertTrue(validate_log_mode('Pixrw'))
def test_validate_log_mode_4(self):
self.assertTrue(validate_log_mode('rrrr'))
def test_validate_log_mode_invalid_1(self):
self.assertFalse(validate_log_mode('c')) # 'c' (create) must be converted to 'a' before calling validate_log_mode()
def test_validate_log_mode_invalid_2(self):
self.assertFalse(validate_log_mode('R')) # only lowercase 'r' is valid
def test_validate_log_mode_invalid_3(self):
self.assertFalse(validate_log_mode('foo'))
def test_validate_log_mode_invalid_4(self):
self.assertFalse(validate_log_mode(''))
if __name__ == '__main__':
unittest.main(verbosity=2)