aamode.py - fix LOG_MODE_RE
LOG_MODE_RE (used in validate_log_mode() in aamode.py) just checked if the given parameter contains one of the possible matches. This resulted in "invalid" being a valid log mode (from audit.log requested_mask or denied_mask) because it contains 'a', which is a valid file mode. This patch wraps the regex into ^(...)+$ to make sure the full string contains only allowed file modes. The patch also adds some tests for validate_log_mode(). Acked-by: Steve Beattie <steve@nxnw.org>
@@ -68,7 +68,7 @@ MODE_HASH = {'x': AA_MAY_EXEC, 'X': AA_MAY_EXEC,
|
||||
'N': AA_EXEC_NT
|
||||
}
|
||||
|
||||
LOG_MODE_RE = re.compile('(r|w|l|m|k|a|x|ix|ux|px|pux|cx|nx|pix|cix|Ux|Px|PUx|Cx|Nx|Pix|Cix)')
|
||||
LOG_MODE_RE = re.compile('^(r|w|l|m|k|a|x|ix|ux|px|pux|cx|nx|pix|cix|Ux|Px|PUx|Cx|Nx|Pix|Cix)+$')
|
||||
MODE_MAP_SET = {"r", "w", "l", "m", "k", "a", "x", "i", "u", "p", "c", "n", "I", "U", "P", "C", "N"}
|
||||
|
||||
def str_to_mode(string):
|
||||
|
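Review bot: The `$` in the new LOG_MODE_RE still matches just before a trailing newline, so a value such as `'rw\n'` would be accepted unless validate_log_mode() applies the pattern with `fullmatch()`; that function lies outside this hunk, so this needs confirming. Because the value comes from the audit.log requested_mask/denied_mask fields, end the pattern with `\Z` instead of `$` (in a raw string, alternation unchanged), or call `LOG_MODE_RE.fullmatch(...)` in the validator. A one-line comment above the constant, such as `# the whole string must consist of allowed file modes`, would keep the anchors from being dropped in a later edit.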
@@ -11,7 +11,7 @@
|
||||
|
||||
import unittest
|
||||
|
||||
from apparmor.aamode import split_log_mode, sub_str_to_mode
|
||||
from apparmor.aamode import split_log_mode, sub_str_to_mode, validate_log_mode
|
||||
from apparmor.common import AppArmorBug
|
||||
|
||||
class AamodeTest_split_log_mode(unittest.TestCase):
|
||||
@@ -51,6 +51,24 @@ class AamodeTest_sub_str_to_mode(unittest.TestCase):
|
||||
def test_sub_str_to_mode_dupes(self):
|
||||
self.assertEqual(sub_str_to_mode('rwrwrw'), {'r', 'w'})
|
||||
|
||||
class AamodeTest_validate_log_mode(unittest.TestCase):
|
||||
def test_validate_log_mode_1(self):
|
||||
self.assertTrue(validate_log_mode('a'))
|
||||
def test_validate_log_mode_2(self):
|
||||
self.assertTrue(validate_log_mode('rw'))
|
||||
def test_validate_log_mode_3(self):
|
||||
self.assertTrue(validate_log_mode('Pixrw'))
|
||||
def test_validate_log_mode_4(self):
|
||||
self.assertTrue(validate_log_mode('rrrr'))
|
||||
|
||||
def test_validate_log_mode_invalid_1(self):
|
||||
self.assertFalse(validate_log_mode('c')) # 'c' (create) must be converted to 'a' before calling validate_log_mode()
|
||||
def test_validate_log_mode_invalid_2(self):
|
||||
self.assertFalse(validate_log_mode('R')) # only lowercase 'r' is valid
|
||||
def test_validate_log_mode_invalid_3(self):
|
||||
self.assertFalse(validate_log_mode('foo'))
|
||||
def test_validate_log_mode_invalid_4(self):
|
||||
self.assertFalse(validate_log_mode(''))
|
||||
|
||||
if __name__ == '__main__':
|
||||
unittest.main(verbosity=2)
|
||||
|
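Review bot: None of the four negative cases in AamodeTest_validate_log_mode contains a valid mode letter, so they do not exercise the substring match this commit fixes and would presumably have passed against the old unanchored LOG_MODE_RE too. Add the value named in the commit message and a mixed string, e.g. `self.assertFalse(validate_log_mode('invalid'))` and `self.assertFalse(validate_log_mode('rwfoo'))`. A trailing-newline case, `self.assertFalse(validate_log_mode('rw\n'))`, would also pin down how the end anchor is meant to behave.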