Hello, PtraceRule access, SignalRule access and SignalRule signal can contain more than one value. Therefore adjust is_covered_localvars() in both to use the list (subset) check instead of the plain (exactly equal) check.
Also add a testcase for each to ensure the list/subset check works as expected.
[ 41-ptrace-signal-use-list-in-is_covered.diff ]
=== modified file ./utils/apparmor/rule/ptrace.py
--- utils/apparmor/rule/ptrace.py 2015-12-21 00:42:28.521222690 +0100
+++ utils/apparmor/rule/ptrace.py 2015-12-21 00:41:31.129584660 +0100
@@ -135,7 +135,7 @@
 def is_covered_localvars(self, other_rule):
 '''check if other_rule is covered by this rule object'''
- if not self._is_covered_plain(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
+ if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
 return False
 if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
=== modified file ./utils/apparmor/rule/signal.py
--- utils/apparmor/rule/signal.py 2015-12-21 00:42:28.521222690 +0100
+++ utils/apparmor/rule/signal.py 2015-12-21 00:41:31.133584635 +0100
@@ -182,10 +182,10 @@
 def is_covered_localvars(self, other_rule):
 '''check if other_rule is covered by this rule object'''
- if not self._is_covered_plain(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
+ if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
 return False
- if not self._is_covered_plain(self.signal, self.all_signals, other_rule.signal, other_rule.all_signals, 'signal'):
+ if not self._is_covered_list(self.signal, self.all_signals, other_rule.signal, other_rule.all_signals, 'signal'):
 return False
 if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
=== modified file ./utils/test/test-ptrace.py
--- utils/test/test-ptrace.py 2015-12-21 00:13:57.195799666 +0100
+++ utils/test/test-ptrace.py 2015-12-21 16:40:16.584001925 +0100 
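Review bot: The switch to `_is_covered_list` on the `access` line depends on a subset direction that this hunk does not show: the result is only correct if every access of other_rule is contained in self.access and not the reverse, because is_covered decides whether a proposed rule is already permitted by an existing one, and an inverted check would report a broader rule as covered. `_is_covered_list` is defined outside the hunk, presumably in the shared base rule class, so confirm it implements other ⊆ self. The docstring still says only 'check if other_rule is covered by this rule object'; consider `'''check if other_rule is covered by this rule object (other_rule.access must be a subset of self.access)'''`. The same point applies to the two `_is_covered_list` lines in the signal.py hunk, where `signal` is now compared the same way. is_covered_localvars continues past the end of both hunks.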
@@ -380,6 +380,37 @@
 ('deny ptrace read,' , [ False , False , False , False ]),
 ]
+class PtraceCoveredTest_08(PtraceCoveredTest):
+ rule = 'ptrace (trace, tracedby) peer=/foo/*,'
+
+ tests = [
+ # rule equal strict equal covered covered exact
+ ('ptrace,' , [ False , False , False , False ]),
+ ('ptrace trace,' , [ False , False , False , False ]),
+ ('ptrace (tracedby, trace),' , [ False , False , False , False ]),
+ ('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
+ ('ptrace (tracedby trace) peer=/foo/bar,',[ False , False , True , True ]),
+ ('ptrace (tracedby, trace) peer=/foo/*,', [ True , False , True , True ]),
+ ('ptrace tracedby peer=/foo/bar,' , [ False , False , True , True ]),
+ ('ptrace trace peer=/foo/*,' , [ False , False , True , True ]),
+ ('ptrace trace peer=/**,' , [ False , False , False , False ]),
+ ('ptrace trace peer=/what/*,' , [ False , False , False , False ]),
+ ('ptrace peer=/foo/bar,' , [ False , False , False , False ]),
+ ('ptrace trace, # comment' , [ False , False , False , False ]),
+ ('allow ptrace trace,' , [ False , False , False , False ]),
+ ('allow ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
+ ('ptrace trace,' , [ False , False , False , False ]),
+ ('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]),
+ ('ptrace trace peer=/what/ever,' , [ False , False , False , False ]),
+ ('audit ptrace trace peer=/foo/bar,' , [ False , False , False , False ]),
+ ('audit ptrace,' , [ False , False , False , False ]),
+ ('ptrace tracedby,' , [ False , False , False , False ]),
+ ('audit deny ptrace trace,' , [ False , False , False , False ]),
+ ('deny ptrace trace,' , [ False , False , False , False ]),
+ ]
+
+
+
 class PtraceCoveredTest_Invalid(AATest):
 def test_borked_obj_is_covered_1(self):
 obj = PtraceRule.parse('ptrace read peer=/foo,')
=== modified file ./utils/test/test-signal.py
--- utils/test/test-signal.py 2015-12-12 13:34:40.549997194 +0100
+++ utils/test/test-signal.py 
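Review bot: PtraceCoveredTest_08 never exercises the reverse direction of the new subset check: every candidate rule carries either one access or the same pair as the class rule, so a candidate requesting more accesses than the covering rule is not pinned, and an inverted or over-permissive `_is_covered_list` would pass this suite while reporting a broader rule as already covered. Add a strict-superset case to the tests list, e.g. `('ptrace (read, trace, tracedby) peer=/foo/bar,', [ False , False , False , False ]),`. The same gap exists in SignalCoveredTest_09 in the test-signal.py hunk, which has no candidate with a superset of `set=` values; a line such as `('signal send set=(int quit term),', [ False , False , False , False ]),` would cover it.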
2015-12-20 23:47:40.041531733 +0100 
@@ -433,6 +433,41 @@
 ('deny signal send,' , [ False , False , False , False ]),
 ]
+class SignalCoveredTest_09(SignalCoveredTest):
+ rule = 'signal (send, receive) set=(int, quit),'
+
+ tests = [
+ # rule equal strict equal covered covered exact
+ ('signal,' , [ False , False , False , False ]),
+ ('signal send,' , [ False , False , False , False ]),
+ ('signal send set=int,' , [ False , False , True , True ]),
+ ('signal receive set=quit,' , [ False , False , True , True ]),
+ ('signal (receive,send) set=int,' , [ False , False , True , True ]),
+ ('signal (receive,send) set=(int quit),',[True , False , True , True ]),
+ ('signal send set=(quit int),' , [ False , False , True , True ]),
+ ('signal send peer=/foo/bar,' , [ False , False , False , False ]),
+ ('signal send peer=/foo/*,' , [ False , False , False , False ]),
+ ('signal send peer=/**,' , [ False , False , False , False ]),
+ ('signal send peer=/what/*,' , [ False , False , False , False ]),
+ ('signal peer=/foo/bar,' , [ False , False , False , False ]),
+ ('signal send, # comment' , [ False , False , False , False ]),
+ ('allow signal send,' , [ False , False , False , False ]),
+ ('allow signal send peer=/foo/bar,' , [ False , False , False , False ]),
+ ('signal send,' , [ False , False , False , False ]),
+ ('signal send peer=/foo/bar,' , [ False , False , False , False ]),
+ ('signal send peer=/what/ever,' , [ False , False , False , False ]),
+ ('signal send set=quit,' , [ False , False , True , True ]),
+ ('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]),
+ ('audit signal send peer=/foo/bar,' , [ False , False , False , False ]),
+ ('audit signal,' , [ False , False , False , False ]),
+ ('signal receive,' , [ False , False , False , False ]),
+ ('signal set=int,' , [ False , False , False , False ]),
+ ('audit deny signal send,' , [ False , False , False , False ]),
+ ('deny signal send,' , [ False , False , False , False ]),
+ ]
+
+
+
 class 
SignalCoveredTest_Invalid(AATest):
 def test_borked_obj_is_covered_1(self):
 obj = SignalRule.parse('signal send peer=/foo,')
Regards, Christian Boltz -- ist eine recht interessante rechnung: 3,5kg linux + bücher für €79,90 180g windows xp home ohne bücher €229,- kennt jemand den feinunzenpreis von gold? er müßte kanpp unter dem von windows liegen .... [Wilhelm Feichter in suse-linux]