Hello, this patch changes aa.py to use DbusRule and DbusRuleset in profile_storage, parse_profile_data() and write_dbus. This also means we can drop the now unused parse_dbus_rule() and write_dbus_rules() functions.
Raw_DBUS_Rule in rules.py is now also unused and can be dropped. Also shorten the list of known-failing tests in test-parser-simple-tests.py. Even if the list of removals doesn't look too long, the generated_dbus/* removals mean 1989 tests now cause the expected failures. OTOH, I had to add 4 tests to the known-failing list: - 3 tests with a "wrong" order of the conditionals which the parser accepts (which is slightly surprising, because usually we enforce the order of rule parts) - one test fails because the path in the path= conditional doesn't start with / or a variable. Instead, it starts with an alternation, which wouldn't be allowed in file rules. Those 4 failures need more investigation, but shouldn't block this patchset. Finally, adjust test-regex_matches.py to import RE_PROFILE_DBUS from apparmor.regex instead of apparmor.aa. [ 57-use-DbusRule.diff ] === modified file ./utils/apparmor/aa.py --- utils/apparmor/aa.py 2015-12-26 16:23:33.747458693 +0100 +++ utils/apparmor/aa.py 2015-12-26 16:21:15.120440317 +0100 @@ -46,7 +46,7 @@ RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN, RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY, RE_PROFILE_CHANGE_HAT, - RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT, + RE_PROFILE_HAT_DEF, RE_PROFILE_MOUNT, RE_PROFILE_PIVOT_ROOT, RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT, strip_quotes, parse_profile_start_line, re_match_include ) @@ -55,6 +55,7 @@ from apparmor.rule.capability import CapabilityRuleset, CapabilityRule from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule +from apparmor.rule.dbus import DbusRuleset, DbusRule from apparmor.rule.network import NetworkRuleset, NetworkRule from apparmor.rule.ptrace import PtraceRuleset, PtraceRule from apparmor.rule.rlimit import RlimitRuleset, RlimitRule 
@@ -464,6 +465,7 @@ profile['info'] = {'profile': profilename, 'hat': hat, 'calledby': calledby} profile['capability'] = CapabilityRuleset() + profile['dbus'] = DbusRuleset() profile['change_profile'] = ChangeProfileRuleset() profile['network'] = NetworkRuleset() profile['ptrace'] = PtraceRuleset() @@ -471,7 +473,6 @@ profile['signal'] = SignalRuleset() profile['allow']['path'] = hasher() - profile['allow']['dbus'] = list() profile['allow']['mount'] = list() profile['allow']['pivot_root'] = list() @@ -2908,28 +2909,11 @@ profile_data[profile][hat]['network'].add(NetworkRule.parse(line)) - elif RE_PROFILE_DBUS.search(line): - matches = RE_PROFILE_DBUS.search(line).groups() - + elif DbusRule.match(line): if not profile: raise AppArmorException(_('Syntax Error: Unexpected dbus entry found in file: %(file)s line: %(line)s') % {'file': file, 'line': lineno + 1 }) - audit = False - if matches[0]: - audit = True - allow = 'allow' - if matches[1] and matches[1].strip() == 'deny': - allow = 'deny' - dbus = matches[2] - - #parse_dbus_rule(profile_data[profile], dbus, audit, allow) - dbus_rule = parse_dbus_rule(dbus) - dbus_rule.audit = audit - dbus_rule.deny = (allow == 'deny') - - dbus_rules = profile_data[profile][hat][allow].get('dbus', list()) - dbus_rules.append(dbus_rule) - profile_data[profile][hat][allow]['dbus'] = dbus_rules + profile_data[profile][hat]['dbus'].add(DbusRule.parse(line)) elif RE_PROFILE_MOUNT.search(line): matches = RE_PROFILE_MOUNT.search(line).groups() @@ -3092,18 +3076,6 @@ # RE_DBUS_ENTRY = re.compile('^dbus\s*()?,\s*$') # use stuff like '(?P<action>(send|write|w|receive|read|r|rw))' -def parse_dbus_rule(line): - # XXX Do real parsing here - return aarules.Raw_DBUS_Rule(line) - - #matches = RE_DBUS_ENTRY.search(line).groups() - #if len(matches) == 1: - # XXX warn? - # matched nothing - # print('no matches') - # return aarules.DBUS_Rule() - #print(line) - def parse_mount_rule(line): # XXX Do real parsing here return aarules.Raw_Mount_Rule(line) 
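Review bot: `DbusRule.parse(line)` in the `@@ -2908,28 +2909,11 @@` hunk is now the point where a dbus rule is validated, while the removed branch stored the rule text unparsed through `parse_dbus_rule()`, so this branch can newly fail on profiles that used to load. The hunk does not show whether an exception raised by `parse()` names the file and line the way the `Unexpected dbus entry` message directly above it does; that is worth confirming, because without it a user cannot tell which rule in which profile was refused. I would add a comment above the call, `# DbusRule.parse() validates the rule and raises on invalid syntax; the old code stored it unparsed`. The enclosing parse_profile_data() begins and ends outside the hunk.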
@@ -3276,22 +3248,10 @@ data = prof_data['network'].get_clean(depth) return data -def write_dbus_rules(prof_data, depth, allow): - pre = ' ' * depth - data = [] - - # no dbus rules, so return - if not prof_data[allow].get('dbus', False): - return data - - for dbus_rule in prof_data[allow]['dbus']: - data.append('%s%s' % (pre, dbus_rule.serialize())) - data.append('') - return data - def write_dbus(prof_data, depth): - data = write_dbus_rules(prof_data, depth, 'deny') - data += write_dbus_rules(prof_data, depth, 'allow') + data = [] + if prof_data.get('dbus', False): + data = prof_data['dbus'].get_clean(depth) return data def write_mount_rules(prof_data, depth, allow): === modified file ./utils/apparmor/rules.py --- utils/apparmor/rules.py 2015-12-26 16:23:33.747458693 +0100 +++ utils/apparmor/rules.py 2015-12-26 15:11:59.149032447 +0100 @@ -29,9 +29,6 @@ print('%sraw rule = %s' % (tabs, self.rule)) -class Raw_DBUS_Rule(_Raw_Rule): - pass - class Raw_Mount_Rule(_Raw_Rule): pass === modified file ./utils/test/test-parser-simple-tests.py --- utils/test/test-parser-simple-tests.py 2015-12-26 16:23:33.751458665 +0100 +++ utils/test/test-parser-simple-tests.py 2015-12-26 14:26:30.415290388 +0100 @@ -25,15 +25,6 @@ # XXX tests listed here will be *** SKIPPED *** XXX skip_startswith = ( - # lots of invalid dbus rules (the tools currently just store them without any parsing) - 'generated_dbus/bad-perms-', - 'generated_dbus/bad-formatting-', - 'generated_dbus/duplicated-conditionals-', - 'generated_dbus/eavesdrop-incompat-', - 'generated_dbus/message-incompat-', - 'generated_dbus/pairing-unsupported-', - 'generated_dbus/service-incompat-', - # the tools don't check for conflicting x permissions (yet?) 'generated_x/conflict-', 'generated_x/ambiguous-', 
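Review bot: `write_dbus()` in the `@@ -3276,22 +3248,10 @@` hunk no longer fixes the order in which deny and allow rules are written: the removed body emitted `write_dbus_rules(..., 'deny')` before `write_dbus_rules(..., 'allow')`, and the new one returns whatever `prof_data['dbus'].get_clean(depth)` yields. DbusRuleset is not part of this patch, so whether `get_clean()` still groups deny rules ahead of allow rules cannot be confirmed from here; that grouping makes a written profile easier to audit. The `prof_data.get('dbus', False)` guard also relies on the truth value of a DbusRuleset object, which depends on how the class defines it. A docstring would record both, for example `"""Return the dbus rules of prof_data as cleaned-up profile lines; ordering is decided by DbusRuleset.get_clean()."""`.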
@@ -56,14 +47,6 @@ 'capability/bad_3.sd', 'capability/bad_4.sd', 'change_hat/bad_parsing.sd', - 'dbus/bad_bind_1.sd', - 'dbus/bad_bind_2.sd', - 'dbus/bad_eavesdrop_1.sd', - 'dbus/bad_modifier_1.sd', - 'dbus/bad_modifier_2.sd', - 'dbus/bad_modifier_3.sd', - 'dbus/bad_modifier_4.sd', - 'dbus/bad_peer_1.sd', 'dbus/bad_regex_01.sd', 'dbus/bad_regex_02.sd', 'dbus/bad_regex_03.sd', @@ -173,8 +156,6 @@ 'vars/vars_dbus_bad_01.sd', 'vars/vars_dbus_bad_02.sd', 'vars/vars_dbus_bad_03.sd', - 'vars/vars_dbus_bad_04.sd', - 'vars/vars_dbus_bad_05.sd', 'vars/vars_dbus_bad_06.sd', 'vars/vars_dbus_bad_07.sd', 'vars/vars_file_evaluation_7.sd', @@ -289,7 +270,13 @@ 'xtrans/simple_ok_pix_1.sd', # Invalid mode pIx 'xtrans/simple_ok_pux_1.sd', # Invalid mode rPux + # dbus regex mismatch + 'vars/vars_dbus_4.sd', + 'vars/vars_dbus_9.sd', + 'vars/vars_dbus_2.sd', + # misc + 'vars/vars_dbus_8.sd', # Path doesn't start with / or variable: {/@{TLDS}/foo,/com/@{DOMAINS}} 'vars/vars_simple_assignment_12.sd', # Redefining existing variable @{BAR} ('\' not handled) 'rewrite/alias_good_5.sd', # Values added to a non-existing variable @{FOO} (defined in include, lp:1331856) 'bare_include_tests/ok_2.sd', # two #include<...> in one line === modified file ./utils/test/test-regex_matches.py --- utils/test/test-regex_matches.py 2015-12-26 16:23:33.751458665 +0100 +++ utils/test/test-regex_matches.py 2015-12-26 14:28:33.910453604 +0100 @@ -14,7 +14,8 @@ from common_test import AATest, setup_all_loops from apparmor.common import AppArmorBug, AppArmorException -from apparmor.regex import strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include, RE_PROFILE_START, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL +from apparmor.regex import ( strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include, + RE_PROFILE_START, RE_PROFILE_DBUS, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL ) class AARegexTest(AATest): 
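Review bot: The three entries added under `# dbus regex mismatch` in the `@@ -289,7 +270,13 @@` hunk carry no per-test reason, unlike their neighbours (`# Invalid mode pIx`, `# Path doesn't start with / or variable: ...`). The heading also does not say which side is stricter; going by the patch description these are rules that the parser accepts and the tools reject because of the order of the conditionals. That divergence is worth stating in the file, since it means the tools refuse policy that the parser would compile. I would word the heading as `# dbus conditionals in an order apparmor_parser accepts but the tools reject` and give each of `vars_dbus_2.sd`, `vars_dbus_4.sd` and `vars_dbus_9.sd` a trailing comment naming the offending order. The list these entries belong to starts outside the hunk.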
@@ -256,7 +257,7 @@ '''Tests for RE_PROFILE_DBUS''' def AASetup(self): - self.regex = aa.RE_PROFILE_DBUS + self.regex = RE_PROFILE_DBUS tests = [ (' dbus,', (None, None, 'dbus,', None, None)), Regards, Christian Boltz -- [bugzilla is] being as co-operative as a 2 legged donkey pulling a 10 ton tractor under attack by an army of bees [Richard Brown in opensuse-factory]