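def test_parse_modifiers_invalid(self):
    '''parse_modifiers() must raise AppArmorBug for an unknown allow/deny value.

    The regex below deliberately accepts "invalid" in the 'allow' group so
    that a match object carrying an unexpected modifier reaches
    parse_modifiers(). The test pins that such a value raises instead of
    being accepted.
    '''
    # Raw string: '\s' in a normal literal is an invalid escape sequence that
    # newer Python versions warn about; the compiled pattern is unchanged.
    regex = re.compile(
        r'^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+|invalid\s+)?')
    matches = regex.search('audit invalid ')

    with self.assertRaises(AppArmorBug):
        parse_modifiers(matches)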
def _parse(cls, raw_rule):
    '''Parse raw_rule and return a ChangeProfileRule.

    audit, deny, allow_keyword and comment come from parse_modifiers().
    The 'execmode' group is passed on as matched. An absent 'execcond' or
    'targetprofile' group is replaced by ChangeProfileRule.ALL rather than
    rejected; present values have their quotes removed with strip_quotes().

    Raises AppArmorException when cls._match() finds no match in raw_rule.
    '''
    matches = cls._match(raw_rule)
    if not matches:
        raise AppArmorException(
            _("Invalid change_profile rule '%s'") % raw_rule)

    audit, deny, allow_keyword, comment = parse_modifiers(matches)

    execmode = matches.group('execmode')

    matched_cond = matches.group('execcond')
    execcond = (strip_quotes(matched_cond) if matched_cond
                else ChangeProfileRule.ALL)

    matched_target = matches.group('targetprofile')
    targetprofile = (strip_quotes(matched_target) if matched_target
                     else ChangeProfileRule.ALL)

    return ChangeProfileRule(execmode, execcond, targetprofile,
                             audit=audit, deny=deny,
                             allow_keyword=allow_keyword, comment=comment)
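def _parse(cls, raw_rule):
    '''Parse raw_rule and return a SignalRule.

    audit, deny, allow_keyword and comment come from parse_modifiers().
    Each condition the rule text leaves out (access, signal, peer, or the
    whole details part) is set to SignalRule.ALL rather than rejected.

    Raises AppArmorException when raw_rule does not match the signal rule
    pattern, or when RE_SIGNAL_DETAILS finds nothing in its details.
    '''
    matches = cls._match(raw_rule)
    if not matches:
        raise AppArmorException(_("Invalid signal rule '%s'") % raw_rule)

    audit, deny, allow_keyword, comment = parse_modifiers(matches)

    rule_details = matches.group('details') or ''

    if rule_details:
        details = RE_SIGNAL_DETAILS.search(rule_details)
        if not details:
            # Interpolate after the gettext lookup, as the message above
            # does: formatting inside _() hands gettext an already-filled
            # string that no catalogue entry can match. The literal itself
            # is kept unchanged so it stays the same msgid.
            raise AppArmorException(
                _("Invalid or unknown keywords in 'signal %s") % rule_details)

        access = details.group('access')
        if access:
            if access.startswith('(') and access.endswith(')'):
                access = access[1:-1]
            # split by ',' or whitespace
            # NOTE(review): an empty "( )" would yield [] here and is passed
            # to SignalRule as-is - confirm SignalRule rejects or handles it.
            access = access.replace(',', ' ').split()
        else:
            access = SignalRule.ALL

        signal = details.group('signal')
        if signal:
            signal = RE_FILTER_SET_1.sub(r'\1', signal)  # filter out 'set='
            signal = RE_FILTER_SET_2.sub('', signal)  # filter out 'set='
            signal = RE_FILTER_QUOTES.sub(r' \1 ', signal)  # filter out quote pairs
            signal = signal.replace(',', ' ').split()  # split at ',' or whitespace
        else:
            signal = SignalRule.ALL

        # the peer is passed on exactly as matched
        peer = details.group('peer') or SignalRule.ALL
    else:
        access = SignalRule.ALL
        signal = SignalRule.ALL
        peer = SignalRule.ALL

    return SignalRule(access, signal, peer,
                      audit=audit, deny=deny,
                      allow_keyword=allow_keyword, comment=comment)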
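def _parse(cls, raw_rule):
    '''Parse raw_rule and return a PtraceRule.

    audit, deny, allow_keyword and comment come from parse_modifiers().
    An access list or peer that the rule text leaves out (or a rule with no
    details at all) is set to PtraceRule.ALL rather than rejected.

    Raises AppArmorException when raw_rule does not match the ptrace rule
    pattern, or when RE_PTRACE_DETAILS finds nothing in its details.
    '''
    matches = cls._match(raw_rule)
    if not matches:
        raise AppArmorException(_("Invalid ptrace rule '%s'") % raw_rule)

    audit, deny, allow_keyword, comment = parse_modifiers(matches)

    rule_details = matches.group('details') or ''

    if rule_details:
        details = RE_PTRACE_DETAILS.search(rule_details)
        if not details:
            # Interpolate after the gettext lookup, as the message above
            # does: formatting inside _() hands gettext an already-filled
            # string that no catalogue entry can match. The literal itself
            # is kept unchanged so it stays the same msgid.
            raise AppArmorException(
                _("Invalid or unknown keywords in 'ptrace %s") % rule_details)

        access = details.group('access')
        if access:
            # XXX move to function _split_access()?
            if access.startswith('(') and access.endswith(')'):
                access = access[1:-1]
            # split by ',' or whitespace
            # NOTE(review): an empty "( )" would yield [] here and is passed
            # to PtraceRule as-is - confirm PtraceRule rejects or handles it.
            access = access.replace(',', ' ').split()
        else:
            access = PtraceRule.ALL

        peer = details.group('peer')
        peer = strip_quotes(peer) if peer else PtraceRule.ALL
    else:
        access = PtraceRule.ALL
        peer = PtraceRule.ALL

    return PtraceRule(access, peer,
                      audit=audit, deny=deny,
                      allow_keyword=allow_keyword, comment=comment)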
def _parse(cls, raw_rule):
    '''Parse raw_rule and return a CapabilityRule.

    audit, deny, allow_keyword and comment come from parse_modifiers().
    The 'capability' group is stripped and split on runs of spaces/tabs
    into a list; when the group is empty or absent the rule gets
    CapabilityRule.ALL instead.

    Raises AppArmorException when cls._match() finds no match in raw_rule.
    '''
    matches = cls._match(raw_rule)
    if not matches:
        raise AppArmorException(_("Invalid capability rule '%s'") % raw_rule)

    audit, deny, allow_keyword, comment = parse_modifiers(matches)

    listed = matches.group('capability')
    if listed:
        capability = re.split("[ \t]+", listed.strip())
    else:
        # no capability named in the rule text
        capability = CapabilityRule.ALL

    return CapabilityRule(capability,
                          audit=audit, deny=deny,
                          allow_keyword=allow_keyword, comment=comment)
def _parse(cls, raw_rule):
    '''Parse raw_rule and return a FileRule.

    audit, deny, allow_keyword and comment come from parse_modifiers().
    The path is taken from the 'path' group, else from 'path2'; the
    permissions from 'perms', else from 'perms2'. Using either of the
    '...2' groups sets leading_perms. Permissions are split by
    split_perms(), which is also given the deny flag. A missing path,
    permission set or target becomes FileRule.ALL (exec_perms becomes None)
    rather than an error.

    Raises AppArmorException when cls._match() finds no match in raw_rule.
    '''
    matches = cls._match(raw_rule)
    if not matches:
        raise AppArmorException(_("Invalid file rule '%s'") % raw_rule)

    audit, deny, allow_keyword, comment = parse_modifiers(matches)

    owner = bool(matches.group('owner'))
    perms_first = False  # set when one of the alternative groups matched

    plain_path = matches.group('path')
    if plain_path:
        path = strip_quotes(plain_path)
    else:
        alt_path = matches.group('path2')
        if alt_path:
            path = strip_quotes(alt_path)
            perms_first = True
        else:
            path = FileRule.ALL

    plain_perms = matches.group('perms')
    if plain_perms:
        perms, exec_perms = split_perms(plain_perms, deny)
    else:
        alt_perms = matches.group('perms2')
        if alt_perms:
            perms, exec_perms = split_perms(alt_perms, deny)
            perms_first = True
        else:
            perms = FileRule.ALL
            exec_perms = None

    matched_target = matches.group('target')
    target = strip_quotes(matched_target) if matched_target else FileRule.ALL

    file_keyword = bool(matches.group('file_keyword'))

    return FileRule(path, perms, exec_perms, target, owner, file_keyword,
                    perms_first,
                    audit=audit, deny=deny,
                    allow_keyword=allow_keyword, comment=comment)
def _parse(cls, raw_rule):
    '''Parse raw_rule and return a ChangeProfileRule.

    audit, deny, allow_keyword and comment come from parse_modifiers().
    An absent 'execcond' or 'targetprofile' group is replaced by
    ChangeProfileRule.ALL rather than rejected; present values have their
    quotes removed with strip_quotes().

    Raises AppArmorException when cls._match() finds no match in raw_rule.
    '''
    matches = cls._match(raw_rule)
    if not matches:
        raise AppArmorException(
            _("Invalid change_profile rule '%s'") % raw_rule)

    audit, deny, allow_keyword, comment = parse_modifiers(matches)

    matched_cond = matches.group('execcond')
    if matched_cond:
        execcond = strip_quotes(matched_cond)
    else:
        execcond = ChangeProfileRule.ALL

    matched_target = matches.group('targetprofile')
    if matched_target:
        targetprofile = strip_quotes(matched_target)
    else:
        targetprofile = ChangeProfileRule.ALL

    return ChangeProfileRule(execcond, targetprofile,
                             audit=audit, deny=deny,
                             allow_keyword=allow_keyword, comment=comment)
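def _parse(cls, raw_rule):
    '''Parse raw_rule and return a NetworkRule.

    audit, deny, allow_keyword and comment come from parse_modifiers().
    A domain or type/protocol that the rule text leaves out (or a rule with
    no details at all) is set to NetworkRule.ALL rather than rejected.

    Raises AppArmorException when raw_rule does not match the network rule
    pattern, or when RE_NETWORK_DETAILS finds nothing in its details.
    '''
    matches = cls._match(raw_rule)
    if not matches:
        raise AppArmorException(_("Invalid network rule '%s'") % raw_rule)

    audit, deny, allow_keyword, comment = parse_modifiers(matches)

    rule_details = matches.group('details') or ''

    if rule_details:
        details = RE_NETWORK_DETAILS.search(rule_details)
        if not details:
            # Interpolate after the gettext lookup, as the message above
            # does: formatting inside _() hands gettext an already-filled
            # string that no catalogue entry can match. The literal itself
            # is kept unchanged so it stays the same msgid.
            raise AppArmorException(
                _("Invalid or unknown keywords in 'network %s") % rule_details)

        domain = details.group('domain') or NetworkRule.ALL
        type_or_protocol = (details.group('type_or_protocol')
                            or NetworkRule.ALL)
    else:
        domain = NetworkRule.ALL
        type_or_protocol = NetworkRule.ALL

    return NetworkRule(domain, type_or_protocol,
                       audit=audit, deny=deny,
                       allow_keyword=allow_keyword, comment=comment)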
def _parse(cls, raw_rule):
    '''Parse raw_rule and return a CapabilityRule.

    The modifiers (audit, deny, allow_keyword, comment) are read by
    parse_modifiers(). A non-empty 'capability' group is stripped and split
    on runs of spaces/tabs; otherwise CapabilityRule.ALL is used.

    Raises AppArmorException when cls._match() finds no match in raw_rule.
    '''
    matches = cls._match(raw_rule)
    if not matches:
        raise AppArmorException(
            _("Invalid capability rule '%s'") % raw_rule)

    audit, deny, allow_keyword, comment = parse_modifiers(matches)

    capability_text = matches.group('capability')
    capability = (re.split("[ \t]+", capability_text.strip())
                  if capability_text else CapabilityRule.ALL)

    return CapabilityRule(capability,
                          audit=audit, deny=deny,
                          allow_keyword=allow_keyword, comment=comment)
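def test_parse_modifiers_invalid(self):
    '''An unknown value in the 'allow' group must make parse_modifiers() raise.

    The pattern accepts "invalid" next to "allow" and "deny" on purpose, so
    the match handed to parse_modifiers() carries a modifier it does not
    know; the expected outcome is AppArmorBug.
    '''
    # Raw string literal: '\s' inside a normal string is an invalid escape
    # sequence (warned about by newer Python versions). Pattern is unchanged.
    pattern = r'^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+|invalid\s+)?'
    regex = re.compile(pattern)
    matches = regex.search('audit invalid ')

    with self.assertRaises(AppArmorBug):
        parse_modifiers(matches)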
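def _parse(cls, raw_rule):
    '''Parse raw_rule and return a DbusRule.

    audit, deny, allow_keyword and comment come from parse_modifiers().
    Every condition the rule text leaves out (access, bus, path, name,
    interface, member, peer name, peer label, or the whole details part)
    is set to DbusRule.ALL rather than rejected. Present values are passed
    through strip_quotes() and strip_parenthesis().

    Raises AppArmorException when raw_rule does not match the dbus rule
    pattern, or when RE_DBUS_DETAILS finds nothing in its details.
    '''
    matches = cls._match(raw_rule)
    if not matches:
        raise AppArmorException(_("Invalid dbus rule '%s'") % raw_rule)

    audit, deny, allow_keyword, comment = parse_modifiers(matches)

    rule_details = matches.group('details') or ''

    if rule_details:
        details = RE_DBUS_DETAILS.search(rule_details)
        if not details:
            # Interpolate after the gettext lookup, as the message above
            # does: formatting inside _() hands gettext an already-filled
            # string that no catalogue entry can match. The literal itself
            # is kept unchanged so it stays the same msgid.
            raise AppArmorException(
                _("Invalid or unknown keywords in 'dbus %s") % rule_details)

        def first_value(*group_names):
            '''Return the cleaned first non-empty group, else DbusRule.ALL.'''
            for group_name in group_names:
                value = details.group(group_name)
                if value:
                    return strip_parenthesis(strip_quotes(value))
            return DbusRule.ALL

        raw_access = details.group('access')
        if raw_access:
            # XXX move to function _split_access()?
            # split by ',' or whitespace
            access = strip_parenthesis(raw_access).replace(',', ' ').split()
            if not access:
                # XXX happens for "dbus ( )," rules: an empty access list is
                # widened to ALL instead of being rejected - correct
                # behaviour? (also: same for signal rules?)
                access = DbusRule.ALL
        else:
            access = DbusRule.ALL

        bus = first_value('bus')
        path = first_value('path')
        name = first_value('name')
        interface = first_value('interface')
        member = first_value('member')
        # the peer name/label can be matched by any of three regex groups;
        # the first non-empty one wins
        peername = first_value('peername1', 'peername2', 'peername3')
        peerlabel = first_value('peerlabel1', 'peerlabel2', 'peerlabel3')
    else:
        access = DbusRule.ALL
        bus = DbusRule.ALL
        path = DbusRule.ALL
        name = DbusRule.ALL
        interface = DbusRule.ALL
        member = DbusRule.ALL
        peername = DbusRule.ALL
        peerlabel = DbusRule.ALL

    return DbusRule(access, bus, path, name, interface, member,
                    peername, peerlabel,
                    audit=audit, deny=deny,
                    allow_keyword=allow_keyword, comment=comment)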