[apparmor] [patch 5/6] rewrite apparmor.vim generation and integrate into build
John Johansen
john.johansen at canonical.com
Thu Mar 22 18:53:30 UTC 2012
On 03/22/2012 10:06 AM, Steve Beattie wrote:
> This patch replaces the apparmor.vim generating script with a python
> version that eliminates the need for using the replace tool from the
> mysql-server package. It makes use of the automatically generated
> lists of capabilities and network protocols provided by the build
> infrastructure. I did not capture all the notes and TODOs that
> Christian had in the shell script; I can do so if desired.
>
> It also hooks the generation of the apparmor.vim file into the utils/
> build and clean stages.
>
> [Note: the patch doesn't reflect the deletion of the script or the
> apparmor.vim file in the utils/ directory as handling deletions in
> quilt is problematic. But it's intended that the actual commits into
> bzr will also remove these files.]
>
So I am good with this (tentative Ack) but I want to hear from Christian first.
> ---
> utils/Makefile | 2
> utils/vim/Makefile | 17 +++++-
> utils/vim/create-apparmor.vim.py | 108 +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 125 insertions(+), 2 deletions(-)
>
> Index: b/utils/Makefile
> ===================================================================
> --- a/utils/Makefile
> +++ b/utils/Makefile
> @@ -37,6 +37,7 @@ MANPAGES = ${TOOLS:=.8} logprof.conf.5
>
> all: ${MANPAGES} ${HTMLMANPAGES}
> $(MAKE) -C po all
> + $(MAKE) -C vim all
>
> # need some better way of determining this
> DESTDIR=/
> @@ -67,6 +68,7 @@ clean: _clean
> rm -f core core.* *.o *.s *.a *~
> rm -f Make.rules
> $(MAKE) -C po clean
> + $(MAKE) -C vim clean
>
> # ${CAPABILITIES} is defined in common/Make.rules
> .PHONY: check_severity_db
> Index: b/utils/vim/Makefile
> ===================================================================
> --- a/utils/vim/Makefile
> +++ b/utils/vim/Makefile
> @@ -1,5 +1,18 @@
> -apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh
> - sh create-apparmor.vim.sh
> +COMMONDIR=../../common/
> +
> +all:
> +include common/Make.rules
> +
> +COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true))
> +ifeq ($(COMMONDIR_EXISTS), true)
> +common/Make.rules: $(COMMONDIR)/Make.rules
> + ln -sf $(COMMONDIR) .
> +endif
> +
> +all: apparmor.vim
> +
> +apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
> + python create-apparmor.vim.py > $@
>
> clean:
> rm -f apparmor.vim
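Review bot: The `apparmor.vim` rule redirects the script's stdout straight into the target, so if `create-apparmor.vim.py` exits non-zero (its `make list_capabilities` check does so deliberately) the shell has already truncated `apparmor.vim` and the next `make` treats the empty or partial file as up to date. Writing to a temporary name and renaming on success avoids that, `python create-apparmor.vim.py > $@.tmp && mv $@.tmp $@`, with `$@.tmp` added to the `clean` rule; declaring `.DELETE_ON_ERROR:` is the alternative. The `common` symlink created by `ln -sf $(COMMONDIR) .` is also not removed by `clean`, which presumably is intended so that `include common/Make.rules` keeps working, but a comment saying so would help. The interpreter is hard-coded as `python`; if `common/Make.rules` already defines a Python variable, using it here would keep the two in step.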
> Index: b/utils/vim/create-apparmor.vim.py
> ===================================================================
> --- /dev/null
> +++ b/utils/vim/create-apparmor.vim.py
> @@ -0,0 +1,108 @@
> +#!/usr/bin/python
> +#
> +# Copyright (C) 2012 Canonical Ltd.
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# Written by Steve Beattie <steve at nxnw.org>, based on work by
> +# Christian Boltz <apparmor at cboltz.de>
> +
> +import os
> +import re
> +import subprocess
> +import sys
> +
> +# dangerous capabilities
> +danger_caps=["audit_control",
> + "audit_write",
> + "mac_override",
> + "mac_admin",
> + "set_fcap",
> + "sys_admin",
> + "sys_module",
> + "sys_rawio"]
> +
> +aa_network_types=r'\s+tcp|\s+udp|\s+icmp'
> +
> +aa_flags=r'(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)'
> +
> +def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None):
> + '''Try to execute given command (array) and return its stdout, or
> + return a textual error if it failed.'''
> +
> + try:
> + sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True)
> + except OSError, e:
> + return [127, str(e)]
> +
> + out, outerr = sp.communicate(input)
> +
> + # Handle redirection of stdout
> + if out == None:
> + out = ''
> + # Handle redirection of stderr
> + if outerr == None:
> + outerr = ''
> + return [sp.returncode,out+outerr]
> +
> +# get capabilities list
> +(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
> +if rc != 0:
> + print >>sys.stderr, ("make list_capabilities failed: " + output)
> + exit(rc)
> +
> +capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
> +benign_caps =[]
> +for cap in capabilities:
> + if cap not in danger_caps:
> + benign_caps.append(cap)
> +
> +# get network protos list
> +(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
> +if rc != 0:
> + print >>sys.stderr, ("make list_af_names failed: " + output)
> + exit(rc)
> +
> +af_names = []
> +af_pairs = re.sub('AF_', '', output.strip()).lower().split(",")
> +for af_pair in af_pairs:
> + af_name = af_pair.lstrip().split(" ")[0]
> + # skip max af name definition
> + if len(af_name) > 0 and af_name != "max":
> + af_names.append(af_name)
> +
> +# TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey,
> +# but not in aa_flags...
> +# -> currently (2011-01-11) not, but might come back
> +
> +aa_regex_map = {
> + 'FILE': r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+',
> + 'DENYFILE': r'\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+',
> + 'auditdenyowner': r'(audit\s+)?(deny\s+)?(owner\s+)?',
> + 'auditdeny': r'(audit\s+)?(deny\s+)?',
> + 'FILENAME': r'(\/|\@\{\S*\})\S*',
> + 'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)',
> + 'TRANSITION': r'(\s+-\>\s+\S+)?',
> + 'sdKapKey': " ".join(benign_caps),
> + 'sdKapKeyDanger': " ".join(danger_caps),
> + 'sdKapKeyRegex': "|".join(capabilities),
> + 'sdNetworkType': aa_network_types,
> + 'sdNetworkProto': "|".join(af_names),
> + 'flags': r'((flags\s*\=\s*)?\(\s*' + aa_flags + r'(\s*,\s*' + aa_flags + r')*\s*\)\s+)',
> +}
> +
> +def my_repl(matchobj):
> + #print matchobj.group(1)
> + if matchobj.group(1) in aa_regex_map:
> + return aa_regex_map[matchobj.group(1)]
> +
> + return matchobj.group(0)
> +
> +regex = "@@(" + "|".join(aa_regex_map) + ")@@"
> +
> +with file("apparmor.vim.in") as template:
> + for line in template:
> + line = re.sub(regex, my_repl, line.rstrip())
> + print line
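Review bot: `output.strip()...split(" ")` for the capabilities list yields empty strings whenever `make` emits two adjacent spaces or a newline between names, and those empties are then joined into `sdKapKeyRegex` as `||`, an alternative that matches the empty string in the generated vim syntax; `split()` with no argument drops them, `capabilities = re.sub('CAP_', '', output.strip()).lower().split()`. Related, `cmd()` defaults to `stderr=subprocess.STDOUT`, so any warning `make` prints is merged into `output` and parsed as capability or address-family names rather than being reported; capturing stderr separately, or at least failing when it is non-empty, would make the generated file deterministic. `cmd()` also accepts a `timeout` argument that is never used, and the two error paths call the site-module `exit(rc)` where `sys.exit(rc)` is the portable form given `sys` is already imported. The `my_repl` membership test against `aa_regex_map` cannot fail because `regex` is built from the same keys, so a one-line comment saying the check is defensive would save a reader the question.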
>
>