Hello, $subject.
This is the correct way of doing AARE matches. However, this check is more strict when matching against an AARE containing wildcards etc. (which can "by luck" match when doing str matching) To avoid breaking DbusRule, PtraceRule and SignalRule (especially their tests), introduce _is_covered_aare_compat() which keeps the previous behaviour of doing str matching, and use it in these classes. On the long term, _is_covered_aare_compat() needs to go away, but doing the changes needed in DbusRule, PtraceRule and SignalRule (or ideally just in AARE) are out of scope for the FileRule patch series.
[ 29-aare-covered-regex.diff ]
=== modified file ./utils/apparmor/rule/dbus.py
--- utils/apparmor/rule/dbus.py 2016-07-31 13:01:49.542023966 +0200
+++ utils/apparmor/rule/dbus.py 2016-07-31 16:22:39.917905098 +0200
@@ -238,25 +238,25 @@
 if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
 return False
- if not self._is_covered_aare(self.bus, self.all_buses, other_rule.bus, other_rule.all_buses, 'bus'):
+ if not self._is_covered_aare_compat(self.bus, self.all_buses, other_rule.bus, other_rule.all_buses, 'bus'):
 return False
- if not self._is_covered_aare(self.path, self.all_paths, other_rule.path, other_rule.all_paths, 'path'):
+ if not self._is_covered_aare_compat(self.path, self.all_paths, other_rule.path, other_rule.all_paths, 'path'):
 return False
- if not self._is_covered_aare(self.name, self.all_names, other_rule.name, other_rule.all_names, 'name'):
+ if not self._is_covered_aare_compat(self.name, self.all_names, other_rule.name, other_rule.all_names, 'name'):
 return False
- if not self._is_covered_aare(self.interface, self.all_interfaces, other_rule.interface, other_rule.all_interfaces, 'interface'):
+ if not self._is_covered_aare_compat(self.interface, self.all_interfaces, other_rule.interface, other_rule.all_interfaces, 'interface'):
 return False
- if not self._is_covered_aare(self.member, self.all_members, other_rule.member, other_rule.all_members, 'member'):
+ if not self._is_covered_aare_compat(self.member, self.all_members, other_rule.member, other_rule.all_members, 'member'):
 return False
- if not self._is_covered_aare(self.peername, self.all_peernames, other_rule.peername, other_rule.all_peernames, 'peername'):
+ if not self._is_covered_aare_compat(self.peername, self.all_peernames, other_rule.peername, other_rule.all_peernames, 'peername'):
 return False
- if not self._is_covered_aare(self.peerlabel, self.all_peerlabels, other_rule.peerlabel, other_rule.all_peerlabels, 'peerlabel'):
+ if not self._is_covered_aare_compat(self.peerlabel, self.all_peerlabels, other_rule.peerlabel, other_rule.all_peerlabels, 'peerlabel'):
 return False
 # still here?
-> then it is covered
=== modified file ./utils/apparmor/rule/__init__.py
--- utils/apparmor/rule/__init__.py 2016-07-31 13:01:49.566023847 +0200
+++ utils/apparmor/rule/__init__.py 2016-07-31 16:21:44.830177931 +0200
@@ -189,6 +189,15 @@
 # still here? -> then it is covered
 return True
+ def _is_covered_aare_compat(self, self_value, self_all, other_value, other_all, cond_name):
+ '''check if other_* is covered by self_* - for AARE
+ Note: this function checks against other_value.regex, which is not really correct, but avoids overly strict results when matching one regex against another
+ '''
+ if type(other_value) == AARE:
+ other_value = other_value.regex
+
+ return self._is_covered_aare(self_value, self_all, other_value, other_all, cond_name)
+
 def _is_covered_aare(self, self_value, self_all, other_value, other_all, cond_name):
 '''check if other_* is covered by self_* - for AARE'''
@@ -198,7 +207,7 @@
 if not self_all:
 if other_all:
 return False
- if not self_value.match(other_value.regex): # XXX should check against other_value (without .regex) - but that gives different (more strict) results
+ if not self_value.match(other_value):
 return False
 # still here? -> then it is covered
=== modified file ./utils/apparmor/rule/ptrace.py
--- utils/apparmor/rule/ptrace.py 2016-07-31 13:01:49.542023966 +0200
+++ utils/apparmor/rule/ptrace.py 2016-07-31 16:17:18.483496716 +0200
@@ -138,7 +138,7 @@
 if not self._is_covered_list(self.access, self.all_access, other_rule.access, other_rule.all_access, 'access'):
 return False
- if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
+ if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
 return False
 # still here? -> then it is covered
=== modified file ./utils/apparmor/rule/signal.py
--- utils/apparmor/rule/signal.py 2016-07-31 13:01:49.542023966 +0200
+++ utils/apparmor/rule/signal.py 2016-07-31 16:22:59.709807069 +0200
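Review bot: The type test in the new `_is_covered_aare_compat` should be `if isinstance(other_value, AARE):` rather than `if type(other_value) == AARE:` — an AARE subclass instance would otherwise pass through unconverted and hit the stricter AARE-vs-AARE comparison this shim exists to avoid. The docstring already admits the string path is "not really correct"; since it can report a rule as covered when only the pattern text, not the pattern semantics, matches, it should also name the intended lifetime, e.g. `Transitional: DbusRule, PtraceRule and SignalRule call this; move them to _is_covered_aare once their tests accept the stricter result.` Presumably is_covered results feed decisions about which rules are redundant or which events still need a rule, so a false "covered" from this path is the risk being knowingly preserved here — worth stating next to the code, not only in the patch description. The dbus, ptrace and signal hunks only rewire the callers to this function and need nothing beyond that.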
@@ -188,7 +188,7 @@
 if not self._is_covered_list(self.signal, self.all_signals, other_rule.signal, other_rule.all_signals, 'signal'):
 return False
- if not self._is_covered_aare(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
+ if not self._is_covered_aare_compat(self.peer, self.all_peers, other_rule.peer, other_rule.all_peers, 'peer'):
 return False
 # still here? -> then it is covered
Regards, Christian Boltz
-- chliEßlichle sendi emeiSt Enleut ehier mehralsdreIpo Stingsa Mtag sOd Asesdoch et. Waserm üdentwärdenkahnimmerrattentsumÜßenw aßIrge nDeinezUs Ahmäst ell unkvonbU chst, abensagenw iel ;-) [Tilman Ahr in dcoulm zum Thema "Rechtschreibfehler stoeren doch nicht"]