def test_parse_modifiers_invalid(self):
        regex = re.compile(
            '^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+|invalid\s+)?')
        matches = regex.search('audit invalid ')

        with self.assertRaises(AppArmorBug):
            parse_modifiers(matches)
示例#2
0
    def _parse(cls, raw_rule):
        '''parse raw_rule and return ChangeProfileRule'''

        matches = cls._match(raw_rule)
        if not matches:
            raise AppArmorException(
                _("Invalid change_profile rule '%s'") % raw_rule)

        audit, deny, allow_keyword, comment = parse_modifiers(matches)

        execmode = matches.group('execmode')

        if matches.group('execcond'):
            execcond = strip_quotes(matches.group('execcond'))
        else:
            execcond = ChangeProfileRule.ALL

        if matches.group('targetprofile'):
            targetprofile = strip_quotes(matches.group('targetprofile'))
        else:
            targetprofile = ChangeProfileRule.ALL

        return ChangeProfileRule(execmode,
                                 execcond,
                                 targetprofile,
                                 audit=audit,
                                 deny=deny,
                                 allow_keyword=allow_keyword,
                                 comment=comment)
示例#3
0
    def _parse(cls, raw_rule):
        '''parse raw_rule and return SignalRule'''

        matches = cls._match(raw_rule)
        if not matches:
            raise AppArmorException(_("Invalid signal rule '%s'") % raw_rule)

        audit, deny, allow_keyword, comment = parse_modifiers(matches)

        rule_details = ''
        if matches.group('details'):
            rule_details = matches.group('details')

        if rule_details:
            details = RE_SIGNAL_DETAILS.search(rule_details)
            if not details:
                raise AppArmorException(
                    _("Invalid or unknown keywords in 'signal %s" %
                      rule_details))

            if details.group('access'):
                access = details.group('access')
                if access.startswith('(') and access.endswith(')'):
                    access = access[1:-1]
                access = access.replace(
                    ',', ' ').split()  # split by ',' or whitespace
            else:
                access = SignalRule.ALL

            if details.group('signal'):
                signal = details.group('signal')
                signal = RE_FILTER_SET_1.sub(r'\1',
                                             signal)  # filter out 'set='
                signal = RE_FILTER_SET_2.sub('', signal)  # filter out 'set='
                signal = RE_FILTER_QUOTES.sub(r' \1 ',
                                              signal)  # filter out quote pairs
                signal = signal.replace(
                    ',', ' ').split()  # split at ',' or whitespace
            else:
                signal = SignalRule.ALL

            if details.group('peer'):
                peer = details.group('peer')
            else:
                peer = SignalRule.ALL
        else:
            access = SignalRule.ALL
            signal = SignalRule.ALL
            peer = SignalRule.ALL

        return SignalRule(access,
                          signal,
                          peer,
                          audit=audit,
                          deny=deny,
                          allow_keyword=allow_keyword,
                          comment=comment)
示例#4
0
    def _parse(cls, raw_rule):
        '''parse raw_rule and return PtraceRule'''

        matches = cls._match(raw_rule)
        if not matches:
            raise AppArmorException(_("Invalid ptrace rule '%s'") % raw_rule)

        audit, deny, allow_keyword, comment = parse_modifiers(matches)

        rule_details = ''
        if matches.group('details'):
            rule_details = matches.group('details')

        if rule_details:
            details = RE_PTRACE_DETAILS.search(rule_details)
            if not details:
                raise AppArmorException(
                    _("Invalid or unknown keywords in 'ptrace %s" %
                      rule_details))

            if details.group('access'):
                # XXX move to function _split_access()?
                access = details.group('access')
                if access.startswith('(') and access.endswith(')'):
                    access = access[1:-1]
                access = access.replace(
                    ',', ' ').split()  # split by ',' or whitespace
            else:
                access = PtraceRule.ALL

            if details.group('peer'):
                peer = strip_quotes(details.group('peer'))
            else:
                peer = PtraceRule.ALL
        else:
            access = PtraceRule.ALL
            peer = PtraceRule.ALL

        return PtraceRule(access,
                          peer,
                          audit=audit,
                          deny=deny,
                          allow_keyword=allow_keyword,
                          comment=comment)
示例#5
0
    def _parse(cls, raw_rule):
        '''parse raw_rule and return CapabilityRule'''

        matches = cls._match(raw_rule)
        if not matches:
            raise AppArmorException(_("Invalid capability rule '%s'") % raw_rule)

        audit, deny, allow_keyword, comment = parse_modifiers(matches)

        capability = []

        if matches.group('capability'):
            capability = matches.group('capability').strip()
            capability = re.split("[ \t]+", capability)
        else:
            capability = CapabilityRule.ALL

        return CapabilityRule(capability, audit=audit, deny=deny,
                              allow_keyword=allow_keyword,
                              comment=comment)
示例#6
0
    def _parse(cls, raw_rule):
        '''parse raw_rule and return FileRule'''

        matches = cls._match(raw_rule)
        if not matches:
            raise AppArmorException(_("Invalid file rule '%s'") % raw_rule)

        audit, deny, allow_keyword, comment = parse_modifiers(matches)

        owner = bool(matches.group('owner'))

        leading_perms = False

        if matches.group('path'):
            path = strip_quotes(matches.group('path'))
        elif matches.group('path2'):
            path = strip_quotes(matches.group('path2'))
            leading_perms = True
        else:
            path = FileRule.ALL

        if matches.group('perms'):
            perms = matches.group('perms')
            perms, exec_perms = split_perms(perms, deny)
        elif matches.group('perms2'):
            perms = matches.group('perms2')
            perms, exec_perms = split_perms(perms, deny)
            leading_perms = True
        else:
            perms = FileRule.ALL
            exec_perms = None

        if matches.group('target'):
            target = strip_quotes(matches.group('target'))
        else:
            target = FileRule.ALL

        file_keyword = bool(matches.group('file_keyword'))

        return FileRule(path, perms, exec_perms, target, owner, file_keyword, leading_perms,
                           audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment)
示例#7
0
    def _parse(cls, raw_rule):
        '''parse raw_rule and return ChangeProfileRule'''

        matches = cls._match(raw_rule)
        if not matches:
            raise AppArmorException(_("Invalid change_profile rule '%s'") % raw_rule)

        audit, deny, allow_keyword, comment = parse_modifiers(matches)

        if matches.group('execcond'):
            execcond = strip_quotes(matches.group('execcond'))
        else:
            execcond = ChangeProfileRule.ALL

        if matches.group('targetprofile'):
            targetprofile = strip_quotes(matches.group('targetprofile'))
        else:
            targetprofile = ChangeProfileRule.ALL

        return ChangeProfileRule(execcond, targetprofile,
                           audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment)
示例#8
0
    def _parse(cls, raw_rule):
        '''parse raw_rule and return NetworkRule'''

        matches = cls._match(raw_rule)
        if not matches:
            raise AppArmorException(_("Invalid network rule '%s'") % raw_rule)

        audit, deny, allow_keyword, comment = parse_modifiers(matches)

        rule_details = ''
        if matches.group('details'):
            rule_details = matches.group('details')

        if rule_details:
            details = RE_NETWORK_DETAILS.search(rule_details)
            if not details:
                raise AppArmorException(
                    _("Invalid or unknown keywords in 'network %s" %
                      rule_details))

            if details.group('domain'):
                domain = details.group('domain')
            else:
                domain = NetworkRule.ALL

            if details.group('type_or_protocol'):
                type_or_protocol = details.group('type_or_protocol')
            else:
                type_or_protocol = NetworkRule.ALL
        else:
            domain = NetworkRule.ALL
            type_or_protocol = NetworkRule.ALL

        return NetworkRule(domain,
                           type_or_protocol,
                           audit=audit,
                           deny=deny,
                           allow_keyword=allow_keyword,
                           comment=comment)
    def _parse(cls, raw_rule):
        '''parse raw_rule and return CapabilityRule'''

        matches = cls._match(raw_rule)
        if not matches:
            raise AppArmorException(
                _("Invalid capability rule '%s'") % raw_rule)

        audit, deny, allow_keyword, comment = parse_modifiers(matches)

        capability = []

        if matches.group('capability'):
            capability = matches.group('capability').strip()
            capability = re.split("[ \t]+", capability)
        else:
            capability = CapabilityRule.ALL

        return CapabilityRule(capability,
                              audit=audit,
                              deny=deny,
                              allow_keyword=allow_keyword,
                              comment=comment)
示例#10
0
    def test_parse_modifiers_invalid(self):
        regex = re.compile('^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+|invalid\s+)?')
        matches = regex.search('audit invalid ')

        with self.assertRaises(AppArmorBug):
            parse_modifiers(matches)
示例#11
0
文件: dbus.py 项目: youngker/apparmor
    def _parse(cls, raw_rule):
        '''parse raw_rule and return DbusRule'''

        matches = cls._match(raw_rule)
        if not matches:
            raise AppArmorException(_("Invalid dbus rule '%s'") % raw_rule)

        audit, deny, allow_keyword, comment = parse_modifiers(matches)

        rule_details = ''
        if matches.group('details'):
            rule_details = matches.group('details')

        if rule_details:
            details = RE_DBUS_DETAILS.search(rule_details)
            if not details:
                raise AppArmorException(
                    _("Invalid or unknown keywords in 'dbus %s" %
                      rule_details))

            if details.group('access'):
                # XXX move to function _split_access()?
                access = strip_parenthesis(details.group('access'))
                access = access.replace(
                    ',', ' ').split()  # split by ',' or whitespace
                if access == []:  # XXX that happens for "dbus ( )," rules - correct behaviour? (also: same for signal rules?)
                    access = DbusRule.ALL
            else:
                access = DbusRule.ALL

            if details.group('bus'):
                bus = strip_parenthesis(strip_quotes(details.group('bus')))
            else:
                bus = DbusRule.ALL

            if details.group('path'):
                path = strip_parenthesis(strip_quotes(details.group('path')))
            else:
                path = DbusRule.ALL

            if details.group('name'):
                name = strip_parenthesis(strip_quotes(details.group('name')))
            else:
                name = DbusRule.ALL

            if details.group('interface'):
                interface = strip_parenthesis(
                    strip_quotes(details.group('interface')))
            else:
                interface = DbusRule.ALL

            if details.group('member'):
                member = strip_parenthesis(
                    strip_quotes(details.group('member')))
            else:
                member = DbusRule.ALL

            if details.group('peername1'):
                peername = strip_parenthesis(
                    strip_quotes(details.group('peername1')))
            elif details.group('peername2'):
                peername = strip_parenthesis(
                    strip_quotes(details.group('peername2')))
            elif details.group('peername3'):
                peername = strip_parenthesis(
                    strip_quotes(details.group('peername3')))
            else:
                peername = DbusRule.ALL

            if details.group('peerlabel1'):
                peerlabel = strip_parenthesis(
                    strip_quotes(details.group('peerlabel1')))
            elif details.group('peerlabel2'):
                peerlabel = strip_parenthesis(
                    strip_quotes(details.group('peerlabel2')))
            elif details.group('peerlabel3'):
                peerlabel = strip_parenthesis(
                    strip_quotes(details.group('peerlabel3')))
            else:
                peerlabel = DbusRule.ALL

        else:
            access = DbusRule.ALL
            bus = DbusRule.ALL
            path = DbusRule.ALL
            name = DbusRule.ALL
            interface = DbusRule.ALL
            member = DbusRule.ALL
            peername = DbusRule.ALL
            peerlabel = DbusRule.ALL

        return DbusRule(access,
                        bus,
                        path,
                        name,
                        interface,
                        member,
                        peername,
                        peerlabel,
                        audit=audit,
                        deny=deny,
                        allow_keyword=allow_keyword,
                        comment=comment)