mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 07:15:18 +00:00

Get rid of is_covered_aare_compat()

This function was introduced as a temporary (ahem...) solution in
95404bb2f3 but was never really correct.
It checked against other_value.regex (as a string!) and, while this was
somewhat generous in the results, could have unintended side effects.

Better error out on the safe side and add/keep a few superfluous rules
than having a wrong match in is_covered() and fail to add/keep a rule
that would be needed.

The perfect solution would be to really compare one AARE against the
other as the parser does. I'm not too keen to implement this in Python,
and will wait until someone provides this function (which the parser
already has) via libapparmor ;-)
Christian Boltz
2020-04-13 15:13:12 +02:00
parent acafe9de82
commit ef0d675824
7 changed files with 18 additions and 27 deletions

@@ -416,9 +416,9 @@ class SignalCoveredTest_08(SignalCoveredTest):
('signal,' , [ False , False , False , False ]),
('signal send,' , [ False , False , False , False ]),
('signal send peer=/foo/bar,' , [ False , False , True , True ]),
('signal send peer=/foo/*,' , [ False , False , True , True ]),
('signal send peer=/**,' , [ False , False , True , True ]),
('signal send peer=/what/*,' , [ False , False , True , True ]),
('signal send peer=/foo/*,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
('signal send peer=/**,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
('signal send peer=/what/*,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
('signal peer=/foo/bar,' , [ False , False , False , False ]),
('signal send, # comment' , [ False , False , False , False ]),
('allow signal send,' , [ False , False , False , False ]),
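
Review bot: the TODO on the three wildcard-peer entries (`peer=/foo/*`, `peer=/**`, `peer=/what/*`) says only that wildcard vs. wildcard never matches, not which result each row should have once a real AARE vs. AARE comparison exists. All three previously expected `[ False , False , True , True ]`, and since the commit message calls the old string-based check "never really correct", a reader cannot tell whether every one of those True values was right or an accidental match. Suggest stating the intended value per row in the comment, e.g. `# TODO: should be [ False, False, True, True ] once AARE vs. AARE comparison is available`, so the expectation is not lost when the old rows are gone. The three comments are also identical; a single note above the group would carry the same information with less noise.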