Hello,

$subject.

This is the correct way of doing AARE matches. However, this check is
more strict when matching against an AARE containing wildcards etc.
(which can "by luck" match when doing str matching)

To avoid breaking DbusRule, PtraceRule and SignalRule (especially their
tests), introduce _is_covered_aare_compat() which keeps the previous
behaviour of doing str matching, and use it in these classes.

In the long term, _is_covered_aare_compat() needs to go away, but doing
the changes needed in DbusRule, PtraceRule and SignalRule (or ideally
just in AARE) is out of scope for the FileRule patch series.





[ 29-aare-covered-regex.diff ]

=== modified file ./utils/apparmor/rule/dbus.py
--- utils/apparmor/rule/dbus.py 2016-07-31 13:01:49.542023966 +0200
+++ utils/apparmor/rule/dbus.py 2016-07-31 16:22:39.917905098 +0200
@@ -238,25 +238,25 @@
         if not self._is_covered_list(self.access,       self.all_access,       
 other_rule.access,      other_rule.all_access,      'access'):
             return False
 
-        if not self._is_covered_aare(self.bus,          self.all_buses,        
 other_rule.bus,         other_rule.all_buses,       'bus'):
+        if not self._is_covered_aare_compat(self.bus,   self.all_buses,        
 other_rule.bus,         other_rule.all_buses,       'bus'):
             return False
 
-        if not self._is_covered_aare(self.path,         self.all_paths,        
 other_rule.path,        other_rule.all_paths,       'path'):
+        if not self._is_covered_aare_compat(self.path,  self.all_paths,        
 other_rule.path,        other_rule.all_paths,       'path'):
             return False
 
-        if not self._is_covered_aare(self.name,         self.all_names,        
 other_rule.name,        other_rule.all_names,       'name'):
+        if not self._is_covered_aare_compat(self.name,  self.all_names,        
 other_rule.name,        other_rule.all_names,       'name'):
             return False
 
-        if not self._is_covered_aare(self.interface,    self.all_interfaces,   
 other_rule.interface,   other_rule.all_interfaces,  'interface'):
+        if not self._is_covered_aare_compat(self.interface, 
self.all_interfaces, other_rule.interface,  other_rule.all_interfaces,  
'interface'):
             return False
 
-        if not self._is_covered_aare(self.member,       self.all_members,      
 other_rule.member,      other_rule.all_members,     'member'):
+        if not self._is_covered_aare_compat(self.member, self.all_members,     
 other_rule.member,      other_rule.all_members,     'member'):
             return False
 
-        if not self._is_covered_aare(self.peername,     self.all_peernames,    
 other_rule.peername,    other_rule.all_peernames,   'peername'):
+        if not self._is_covered_aare_compat(self.peername, self.all_peernames, 
 other_rule.peername,    other_rule.all_peernames,   'peername'):
             return False
 
-        if not self._is_covered_aare(self.peerlabel,    self.all_peerlabels,   
 other_rule.peerlabel,   other_rule.all_peerlabels,  'peerlabel'):
+        if not self._is_covered_aare_compat(self.peerlabel, 
self.all_peerlabels, other_rule.peerlabel,  other_rule.all_peerlabels,  
'peerlabel'):
             return False
 
         # still here? -> then it is covered
=== modified file ./utils/apparmor/rule/__init__.py
--- utils/apparmor/rule/__init__.py     2016-07-31 13:01:49.566023847 +0200
+++ utils/apparmor/rule/__init__.py     2016-07-31 16:21:44.830177931 +0200
@@ -189,6 +189,15 @@
         # still here? -> then it is covered
         return True
 
+    def _is_covered_aare_compat(self, self_value, self_all, other_value, 
other_all, cond_name):
+        '''check if other_* is covered by self_* - for AARE
+           Note: this function checks against other_value.regex, which is not 
really correct, but avoids overly strict results when matching one regex 
against another
+        '''
+        if type(other_value) == AARE:
+           other_value = other_value.regex
+
+        return self._is_covered_aare(self_value, self_all, other_value, 
other_all, cond_name)
+
     def _is_covered_aare(self, self_value, self_all, other_value, other_all, 
cond_name):
         '''check if other_* is covered by self_* - for AARE'''
 
@@ -198,7 +207,7 @@
         if not self_all:
             if other_all:
                 return False
-            if not self_value.match(other_value.regex):  # XXX should check 
against other_value (without .regex) - but that gives different (more strict) 
results
+            if not self_value.match(other_value):
                 return False
 
         # still here? -> then it is covered
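Review bot: The removed `XXX` comment was the only place recording that matching an AARE object instead of its `.regex` text gives stricter results, and the `_is_covered_aare` docstring still only says `check if other_* is covered by self_* - for AARE`. Since `_is_covered_aare` now hands `other_value` to `self_value.match()` unchanged, the docstring should state that contract, e.g. `'''check if other_* is covered by self_* - for AARE. other_value is passed to self_value.match() as-is (AARE or str); rule classes that still need the old text-based comparison use _is_covered_aare_compat()'''`. Whether `AARE.match()` accepts an AARE argument is not visible in this patch and should be confirmed against the AARE class. The start of `_is_covered_aare` lies in the previous hunk, outside this one.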
=== modified file ./utils/apparmor/rule/ptrace.py
--- utils/apparmor/rule/ptrace.py       2016-07-31 13:01:49.542023966 +0200
+++ utils/apparmor/rule/ptrace.py       2016-07-31 16:17:18.483496716 +0200
@@ -138,7 +138,7 @@
         if not self._is_covered_list(self.access, self.all_access, 
other_rule.access, other_rule.all_access, 'access'):
             return False
 
-        if not self._is_covered_aare(self.peer, self.all_peers, 
other_rule.peer, other_rule.all_peers, 'peer'):
+        if not self._is_covered_aare_compat(self.peer, self.all_peers, 
other_rule.peer, other_rule.all_peers, 'peer'):
             return False
 
         # still here? -> then it is covered
=== modified file ./utils/apparmor/rule/signal.py
--- utils/apparmor/rule/signal.py       2016-07-31 13:01:49.542023966 +0200
+++ utils/apparmor/rule/signal.py       2016-07-31 16:22:59.709807069 +0200
@@ -188,7 +188,7 @@
         if not self._is_covered_list(self.signal, self.all_signals, 
other_rule.signal, other_rule.all_signals, 'signal'):
             return False
 
-        if not self._is_covered_aare(self.peer, self.all_peers, 
other_rule.peer, other_rule.all_peers, 'peer'):
+        if not self._is_covered_aare_compat(self.peer, self.all_peers, 
other_rule.peer, other_rule.all_peers, 'peer'):
             return False
 
         # still here? -> then it is covered




Regards,

Christian Boltz
-- 
chliEßlichle sendi emeiSt Enleut ehier mehralsdreIpo Stingsa Mtag sOd
Asesdoch et. Waserm üdentwärdenkahnimmerrattentsumÜßenw aßIrge
nDeinezUs Ahmäst ell unkvonbU chst, abensagenw iel ;-)
[Tilman Ahr in dcoulm zum Thema "Rechtschreibfehler stoeren doch nicht"]
