Add a testcase with exec-only permissions (which get ignored by
get_perms_for_path()) to increase FileRule test coverage to 100%.
Acked-by: Steve Beattie <steve@nxnw.org>
As discussed a while ago, switch the utils (including their tests) to
use python3 by default. While on it, drop usage of "env" to always get
the system python3 instead of a random one that happens to live
somewhere in $PATH.
In practise, this patch doesn't change much - AFAIK openSUSE, Debian and
Ubuntu already patch aa-* to use python3.
Also add a note to README to officially deprecate Python 2.x.
(I won't break Python 2.x support intentionally - unless some future
change gives me a very good reason to finally drop Python 2.x support.)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(since 2016-08-23, but the commit had to wait for the FileRule series
because it touches test-file.py)
Adding a rule to *Ruleset means it simply gets added. This also means
that then-superfluous rules will be kept.
This patch adds an optional cleanup flag to add(). If set, rules covered
by the new rule will be deleted. The difference to delete_duplicates()
is that cleanup only deletes rules that are covered by the new rule, but
keeps other, unrelated superfluous rules.
Also return the number of deleted rules to give the UI a chance to
report this number.
Finally, adjust the existing tests for FileRuleset to ensure default
mode (without cleanup) doesn't delete any rules, and add a test using
the cleanup flag.
Acked-by: Steve Beattie <steve@nxnw.org>
get_exec_rules_for_path() returns a FileRuleset with all rules matching
the given path.
get_exec_conflict_rules() returns a FileRuleset with all exec rules that
conflict with the given oldrule. This will be used by aa-mergeprof to
ask the user which rule he wants to keep.
Also add tests for both functions.
Acked-by: Steve Beattie <steve@nxnw.org>
Merge the existing and requested permissions into a nice set of headers
that can be displayed by aa-logprof. This will look like:
Path: /foo
Old Mode: r + owner w
New Mode: rw
Also split off a _join_given_perms() function off _joint_perms() so that
we can use the permission string merging for things not stored in self.*.
Finally add some tests for logprof_header().
Acked-by: Steve Beattie <steve@nxnw.org>
- get_rules_for_path() returns all rules matching the given path
(both exact matches and AARE matches)
- get_perms_for_path() returns the merged permissions for the given
path and a list of paths used in the matching rules
Also add tests for these two functions.
Acked-by: Steve Beattie <steve@nxnw.org>
Also add a rank_path() function to severity.py and change rank() to call
rank_path() for paths.
Long-term goal: get rid of the type "guessing" in rank()
Finally add some tests, mostly based on test-severity.py SeverityTest
Acked-by: Steve Beattie <steve@nxnw.org>
This means adding
- self.can_edit - True if editing via '(N)ew' should be possible (will
be False for bare file rules)
- edit_header() - returns the prompt text and the current path
- validate_edit() - checks if the new path matches the original one
- store_edit() - changes the path to the new one (even if it doesn't
match the old one)
self.can_edit and the 3 functions are also added to BaseRule:
- can_edit is False by default
- the functions raise a NotImplementedError
Also add tests for the added code.
Acked-by: Steve Beattie <steve@nxnw.org>
Add the glob() and glob_ext() functions to FileRule, and set
self.can_glob and self.can_glob_ext. Also add some tests (just enough to
make sure the FileRule integration works - the globbing is handled
inside AARE,and the AARE tests contain more testcases).
Note that the implementation differs from the original plan (which was
to have globbing in *Ruleset). Therefore add can_glob and can_glob_ext
to BaseRule (both default to False), and add a comment to BaseRuleset
that globbing needs to be removed from all *Ruleset classes.
Acked-by: Steve Beattie <steve@nxnw.org>
As discussed, I added a pointer to the test-aare.py globbing tests in
test-file.py.
aa-logprof needs to check if an exec rule for a given path exists.
This patch adds a __FileAnyExec class to FileRule, as well as ANY_EXEC
(which should be used externally, similar to ALL), and adjusts several
checks to allow it as a special execute mode.
This will allow to use is_covered() (or aa.py is_known_rule()) to find
out if execute is permitted, which replaces aa.py profile_known_exec()
in one of the following patches.
As usual, also add some tests.
Acked-by: Steve Beattie <steve@nxnw.org>
Note: as discussed, I adjusted the comment for 'pass' around line 240.
The parser accepts duplicated execute permissions as long as they don't
conflict. For example,
/bin/foo pxpxpxpx,
is a valid rule.
This patch changes FileRule to also accept those duplicated permissions,
even if it's unlikely to hit them outside of the parser tests ;-)
Also add some tests to make sure the parsing works as expected.
Acked-by: Steve Beattie <steve@nxnw.org>
