[apparmor] create-apparmor.vim.py - create_file_rule

Christian Boltz apparmor at cboltz.de
Wed May 9 21:20:51 UTC 2012


Hello,

as mentioned in the UDS chat, I'd like to have a create_file_rule 
function in create-apparmor.vim.py.

Unfortunately Python is not one of the P* languages I "speak", which 
means I can't implement this myself :-( or at least I'd need more time
for reading a "python for beginners" tutorial than for writing code ;-)


Details:

Currently we have lines like this in apparmor.vim.in:

" read entry + locking, currently no highlighting
syn match  sdEntryK /@@FILE@@[rlk]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" read entry, no highlighting
syn match  sdEntryR /@@FILE@@[rl]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

As you can see, those lines are very similar except
- the comment
- the highlighting keyword (sdEntryK / sdEntryR)
- the permission regex


I'd like to have a function create_file_rule in create-apparmor.vim.py 
that I could call like this:

    create_file_rule ( 'sdEntryK', '[rlk]+', 'read entry + locking, currently no highlighting' )
    create_file_rule ( 'sdEntryR', '[rl]+', 'read entry, no highlighting' )

The function would look like this (pseudocode, ".=" means to append text
to a variable):

    function create_file_rule ( $highlighting, $permissions, $comment, $denyrule = 0 ) {

        if ($denyrule == 0) {
            $keywords = '@@auditdenyowner@@'
        } else {
            $keywords = '@@audit_DENY_owner@@' # TODO: not defined yet, will be '(audit\s+)?deny\s+(owner\s+)?'
        }

        $snippet = ''
        $snippet .= '" ' . $comment . "\n"
        $snippet .= 'syn match  ' . $highlighting . ' /\v^\s*' . $keywords . '@@FILENAME@@\s' . $permissions . '@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' . "\n"
        $snippet .= 'syn match  ' . $highlighting . ' /\v^\s*' . $keywords . '"@@FILENAME@@"\s' . $permissions . '@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' . "\n"
        # the last line has quotes around the filename
        # (that's also why I'm using @@FILENAME@@ and not @@FILE@@ here)
        # handling the quotes in a regex (and enforcing that they appear as a pair) would be painful,
        # additionally we have to keep vim's limit of 9 (...) per rule in mind

        $content_from_apparmor_vim .= $snippet
    }

$denyrule should be an optional parameter, defaulting to 0 (or false,
whatever you prefer).

The function result should be merged into the content of apparmor.vim.in
(appending should work, no need to insert it in the middle of the file).
This should happen _before_ replacing all the @@WHATEVER@@ parts.


Steve, can you implement this in create-apparmor.vim.py, please?

I can convert the file rules from apparmor.vim.in to function calls when
the function is ready - just implement the two example rules above so that
I see the correct syntax.


Regards,

Christian Boltz
-- 
Maybe you need to turn the chamaeleon (gecko) once more, 90 grades this
time, with a silly grin and a rolling stones tongue coming out. ;-))
[Eberhard Moenkeberg in opensuse]

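A Python version of the function requested above, added here as an example; it is not code from create-apparmor.vim.py or from anyone in this thread. It follows the pseudocode in the mail: one vim comment line plus two "syn match" lines (bare and double-quoted filename) per call, appended to a buffer that is only afterwards run through the @@PLACEHOLDER@@ substitution. The placeholder names are the ones the mail uses; the substitution values in PLACEHOLDERS and the buffer variable are assumptions made up for the demonstration, not the project's real definitions.

```python
# Added example (not the project's create-apparmor.vim.py): create_file_rule()
# as described in the mail, plus the placeholder expansion that has to run
# after all rules have been appended.

KEYWORDS_ALLOW = '@@auditdenyowner@@'
# The mail says this one is not defined yet and proposes the value below.
KEYWORDS_DENY = '@@audit_DENY_owner@@'

# Assumed stand-in values, for illustration only; the real file defines its own.
PLACEHOLDERS = {
    '@@auditdenyowner@@': r'(audit\s+)?(deny\s+)?(owner\s+)?',
    '@@audit_DENY_owner@@': r'(audit\s+)?deny\s+(owner\s+)?',
    '@@FILENAME@@': r'[^\s"]+',
    '@@EOL@@': r'\s*,\s*(#.*)?$',
}

TAIL = 'contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude'

# Stands in for the content of apparmor.vim.in that the script builds up.
content_from_apparmor_vim = ''


def build_file_rule(highlighting, permissions, comment, denyrule=False):
    """Return the snippet for one file-rule pattern.

    Two 'syn match' lines are emitted so that the quoted form of the
    filename does not have to be expressed inside a single regex (which
    would also eat into vim's limit of nine (...) groups per rule).
    """
    keywords = KEYWORDS_DENY if denyrule else KEYWORDS_ALLOW
    lines = ['" ' + comment]
    for filename in ('@@FILENAME@@', '"@@FILENAME@@"'):
        lines.append(
            r'syn match  %s /\v^\s*%s%s\s%s@@EOL@@/ %s'
            % (highlighting, keywords, filename, permissions, TAIL))
    return '\n'.join(lines) + '\n'


def create_file_rule(highlighting, permissions, comment, denyrule=False):
    """Append the snippet to the buffer, as the pseudocode's '.=' does,
    and return the buffer so callers can inspect it."""
    global content_from_apparmor_vim
    content_from_apparmor_vim += build_file_rule(
        highlighting, permissions, comment, denyrule)
    return content_from_apparmor_vim


def expand_placeholders(text, mapping=PLACEHOLDERS):
    """Replace every @@NAME@@ marker. Must run after the last
    create_file_rule() call, otherwise later snippets keep raw markers."""
    for name, value in mapping.items():
        text = text.replace(name, value)
    return text


if __name__ == '__main__':
    # The two example rules from the mail, then the deny variant.
    create_file_rule('sdEntryK', '[rlk]+',
                     'read entry + locking, currently no highlighting')
    create_file_rule('sdEntryR', '[rl]+', 'read entry, no highlighting')
    create_file_rule('sdEntryDenyR', '[rl]+', 'deny read entry', denyrule=True)
    print(expand_placeholders(content_from_apparmor_vim))
```

Keeping the snippet builder separate from the function that appends to the buffer makes each call's output easy to check in isolation; the order "append everything, then expand" is what the mail asks for, and expand_placeholders() does a plain string replace so unexpanded markers stay visible if a name is misspelled.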