mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-09-01 14:55:10 +00:00
Get rid of is_covered_aare_compat()
This function was introduced as a temporary (ahem...) solution in
95404bb2f3 but was never really correct.
It checked against other_value.regex (as a string!) and, while this was
somewhat generous in the results, could have unintended side effects.
Better error out on the safe side and add/keep a few superfluous rules
than having a wrong match in is_covered() and miss to add/keep a rule
that would be needed.
The perfect solution would be to really compare one AARE against the
other as the parser does. I'm not too keen to implement this in python,
and will wait until someone provides this function (which the parser
already has) via libapparmor ;-)
This commit is contained in:
Christian Boltz
@@ -606,9 +606,9 @@ class DbusCoveredTest_09(DbusCoveredTest):
|
||||
('dbus,' , [ False , False , False , False ]),
|
||||
('dbus send,' , [ False , False , False , False ]),
|
||||
('dbus send member=/foo/bar,' , [ False , False , True , True ]),
|
||||
('dbus send member=/foo/*,' , [ False , False , True , True ]),
|
||||
('dbus send member=/**,' , [ False , False , True , True ]),
|
||||
('dbus send member=/what/*,' , [ False , False , True , True ]),
|
||||
('dbus send member=/foo/*,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
|
||||
('dbus send member=/**,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
|
||||
('dbus send member=/what/*,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
|
||||
('dbus member=/foo/bar,' , [ False , False , False , False ]),
|
||||
('dbus send, # comment' , [ False , False , False , False ]),
|
||||
('allow dbus send,' , [ False , False , False , False ]),
|
||||
|
||||
Reference in New Issue
Block a user