
List:       apparmor-dev
Subject:    [apparmor] [patch] NetworkRule: allow TYPE without DOMAIN
From:       Christian Boltz <apparmor () cboltz ! de>
Date:       2015-06-25 20:41:15
Message-ID: 11044826.qKXHgMr9kd () tux ! boltz ! de ! vu

Hello,

thanks to a bug in the apparmor.d manpage, NetworkRule rejected rules
that contained only TYPE (for example "network stream,"). A bug report on
IRC and some testing with the parser showed that this is actually
allowed, so NetworkRule should of course allow it.

Note: not strip()ing rule_details is the easiest way to ensure we have
whitespace in front of the TYPE in TYPE-only rules, which is needed by
the RE_NETWORK_DETAILS regex.

Also adjust the tests to the correct behaviour.



[ 57-adjust-NetworkRule-to-fixed-manpage.diff ]

=== modified file utils/apparmor/rule/network.py
--- utils/apparmor/rule/network.py      2015-06-06 14:53:16.868029000 +0200
+++ utils/apparmor/rule/network.py      2015-06-25 22:29:49.664997088 +0200
@@ -39,12 +39,10 @@
 RE_NETWORK_PROTOCOL = '(' + '|'.join(network_protocol_keywords) + ')'
 
 RE_NETWORK_DETAILS  = re.compile(
-    '^\s*(' +
-        '(?P<domain>' + RE_NETWORK_DOMAIN + ')' + # domain and ...
-            '(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + \
                RE_NETWORK_PROTOCOL + '))?' + # ... optional type or protocol
-        '|' + # or
-        '(?P<protocol>' + RE_NETWORK_PROTOCOL + ')' + # protocol only
-    ')\s*$')
+    '^\s*' +
+    '(?P<domain>' + RE_NETWORK_DOMAIN + ')?' +  # optional domain
+    '(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + \
'))?' +  # optional type or protocol
+    '\s*$')
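Review bot: The rewritten RE_NETWORK_DETAILS can only reach `type_or_protocol` through the `\s+` in front of it, so a TYPE-only rule matches only when the caller passes the details with their leading whitespace intact; parse_rule does that further down by no longer calling strip(), but nothing at the pattern records that contract, and the pattern now also matches an empty or whitespace-only string with both groups unset. Add a comment above the pattern, e.g. `# NOTE: domain is optional, but type_or_protocol is only reachable via \s+ -- parse_rule must pass rule_details unstripped`. The dependency can also be removed by requiring whitespace-or-end after the domain instead of whitespace before the type, which as far as I can tell still rejects `inetstream` and `stream inet`; while touching these lines the `\s` escapes should move into raw strings (`r'^\s*'`) so they are not unknown escape sequences.
```python
RE_NETWORK_DETAILS  = re.compile(
    r'^\s*' +
    '(?:(?P<domain>' + RE_NETWORK_DOMAIN + r')(?:\s+|$))?' +  # optional domain, followed by whitespace or end
    '(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + ')?' +  # optional type or protocol
    r'\s*$')
```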
 
 
 class NetworkRule(BaseRule):
@@ -60,10 +58,6 @@
     def __init__(self, domain, type_or_protocol, audit=False, deny=False, \
allow_keyword=False,  comment='', log_event=None):
 
-        '''
-           NETWORK RULE = 'network' [ [ DOMAIN [ TYPE | PROTOCOL ] ] | [ PROTOCOL ] \
                ] ','
-        '''
-
         super(NetworkRule, self).__init__(audit=audit, deny=deny,
                                              allow_keyword=allow_keyword,
                                              comment=comment,
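Review bot: The grammar docstring is deleted rather than updated, so NetworkRule.__init__ (whose body continues outside the hunk) no longer describes what it accepts, even though the accepted rule shape is exactly what this commit changes. Keep a docstring that mirrors the new RE_NETWORK_DETAILS, e.g. `'''NETWORK RULE = 'network' [ DOMAIN ] [ TYPE | PROTOCOL ] ','  -- DOMAIN and TYPE/PROTOCOL are each optional'''`, and point it at the corrected apparmor.d manpage the description refers to so the two stay in sync.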
@@ -89,8 +83,6 @@
             if type_or_protocol in network_protocol_keywords:
                 self.type_or_protocol = type_or_protocol
             elif type_or_protocol in network_type_keywords:
-                if self.all_domains:
-                    raise AppArmorException('Passing type %s to NetworkRule without \
specifying a domain keyword is not allowed' % type_or_protocol)  \
self.type_or_protocol = type_or_protocol  else:
                 raise AppArmorBug('Passed unknown type_or_protocol to NetworkRule: \
%s' % type_or_protocol)
@@ -113,7 +105,7 @@
 
         rule_details = ''
         if matches.group('details'):
-            rule_details = matches.group('details').strip()
+            rule_details = matches.group('details')
 
         if rule_details:
             details = RE_NETWORK_DETAILS.search(rule_details)
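Review bot: Dropping the strip() is what makes TYPE-only rules parse, because RE_NETWORK_DETAILS reaches `type_or_protocol` only through a preceding `\s+`, but the new line reads like an oversight and a later cleanup restoring the strip() would silently break `network stream,` again. Add a comment on the new line: `# do NOT strip(): RE_NETWORK_DETAILS needs the leading whitespace to match a TYPE without a DOMAIN`. Note also that `if rule_details:` now treats whitespace-only details as truthy where the stripped value was falsy; from the visible lines the regex branch appears to end in domain ALL / type ALL for that input, but the else branch is outside the hunk, so that equivalence is worth pinning with a test.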
@@ -127,8 +119,6 @@
 
             if details.group('type_or_protocol'):
                 type_or_protocol = details.group('type_or_protocol')
-            elif details.group('protocol'):
-                type_or_protocol = details.group('protocol')
             else:
                 type_or_protocol = NetworkRule.ALL
         else:
=== modified file utils/test/test-network.py
--- utils/test/test-network.py  2015-06-06 14:53:16.868029000 +0200
+++ utils/test/test-network.py  2015-06-25 22:29:15.648987500 +0200
@@ -48,6 +48,7 @@
         ('network inet stream,'                 , exp(False, False, False, ''        \
                , 'inet',   False, 'stream' , False)),
         ('deny network inet stream, # comment'  , exp(False, False, True , ' # \
                comment' , 'inet',   False, 'stream' , False)),
         ('audit allow network tcp,'             , exp(True , True , False, ''        \
, None  ,   True , 'tcp'    , False)),
+        ('network stream,'                    \
, exp(False, False, False, ''           , None  ,   True , 'stream' , False)),
  ]
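Review bot: The new positive case covers `network stream,`, but with DOMAIN now optional nothing in the suite pins that keywords in the wrong order or a third keyword are still rejected; NetworkTestParseInvalid in the next hunk only loses a case. Add e.g. `('network stream inet,', AppArmorException), # wrong order` and `('network inet stream tcp,', AppArmorException), # too many keywords` to that list, since the existing `network foo bar,` case shows multi-keyword details already reach RE_NETWORK_DETAILS and the relaxed regex should be tested at its new boundary.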
 
     def _run_test(self, rawrule, expected):
@@ -58,7 +59,6 @@
 
 class NetworkTestParseInvalid(NetworkTest):
     tests = [
-        ('network stream,'                  , AppArmorException), # domain missing
         ('network foo,'                     , AppArmorException),
         ('network foo bar,'                 , AppArmorException),
         ('network foo tcp,'                 , AppArmorException),
@@ -118,6 +118,7 @@
         (NetworkRule('inet', NetworkRule.ALL)           , exp(False, False, False, \
                ''           , 'inet',   False, None     , True )),
         (NetworkRule(NetworkRule.ALL, NetworkRule.ALL)  , exp(False, False, False, \
                ''           , None  ,   True , None     , True )),
         (NetworkRule(NetworkRule.ALL, 'tcp')            , exp(False, False, False, \
''           , None  ,   True , 'tcp'    , False)),
+        \
(NetworkRule(NetworkRule.ALL, 'stream')         , exp(False, False, False, ''         \
, None  ,   True , 'stream' , False)),
  ]
 
     def _run_test(self, obj, expected):
@@ -137,7 +138,6 @@
         ([None  , 'tcp'            ]    , AppArmorBug), # wrong type for domain
         (['inet', dict()           ]    , AppArmorBug), # wrong type for \
                type_or_protocol
         (['inet', None             ]    , AppArmorBug), # wrong type for \
                type_or_protocol
-        ([NetworkRule.ALL, 'stream']    , AppArmorException), # stream requires a \
domain
  ]
 
     def _run_test(self, params, expected):


Regards,

Christian Boltz
-- 
[von KDE 3.0.0 auf 3.0.1 updaten]
> Wenn KDE 3.0.0 noch immer startet wurde 3.0.1 nicht richtig
> installiert würde ich mal behaupten :)
newer version, bla bla. Aber eben nicht bei "base"
naja. Ich habe nun gemerkt, daß es garnicht installiert wurde. [...]
Ich DAKU (dümmster anzunehmender KDE Updater)
[> Matthias Hentges und Stefan Onken in suse-linux]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor


