[apparmor] [patch 3/3] use capability rule class in aa.py and cleanprof.py

Christian Boltz apparmor at cboltz.de
Mon Dec 1 18:51:16 UTC 2014


Hello everyone,

On Sunday, 30 November 2014, Christian Boltz wrote:
> Let me warn you that your __init__() also has a regression when
> compared with my set_* functions - imagine someone calls it with a
> raw_rule that completely differs from the other parameters, like
> 
>     cap_rule = CapabilityRule("chown", raw_rule="capability,")
> 
> The result of cap_rule.get_raw() will be a very permissive profile ;-)
> but all checks like is_equal() and is_covered() will assume cap_rule
> only allows chown.

As discussed on IRC, this can be solved:

<cboltz> sbeattie: how would you like it if CapabilityRule __init__ allows two different ways to hand over the data?
<cboltz> a) foo = CapabilityRule('chown')   (as in your proposal)
<cboltz> b) foo = CapabilityRule(raw_rule='capability chown,')   (and then parse raw_rule)
<cboltz> it would make __init__ a bit more complex -
<cboltz>     if raw_rule:
<cboltz>         set values based on parse_capability()
<cboltz>     else:
<cboltz>         do what "your" __init__ does now
<sbeattie> cboltz: I think I could be okay with that; I thought you wanted to avoid doing stuff like that.
<cboltz> well, I still prefer it over the "external" parse_capability function ;-)
<cboltz> (and it would fix the problem that raw_rule can be completely different from everything else)
<cboltz> will you update your patch, or do you want a patch from me on top of yours? ;-)
* cboltz wonders how many "patch on top of patch" levels we need until it starts to get confusing
<sbeattie> cboltz: I can do it, but not right this minute, so can you send the request as a followup to your feedback email so I don't lose track of it.
<cboltz> no problem, I'll just paste the IRC log to a mail ;-)
<sbeattie> awe. some.

For readability, it might be a good idea to keep parse_capability() as a
separate function inside the CapabilityRule class and call it from
__init__.


Regards,

Christian Boltz
-- 
Well, I started with Win3.11 (I was 2 years old back then) and then
went through all the Windows versions, up to XP. That was definitely too much.
After that I was done. Now only SuSE Linux.
[Soeren Wengerowsky in suse-linux]
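The __init__ shape sketched in the IRC log above, as an added illustration (not the actual apparmor.rule code from either patch): when raw_rule is given it is parsed by a parse_capability() method kept inside the class, so get_raw(), is_equal() and is_covered() always describe the same rule and the "chown" plus "capability," mismatch from the quoted mail cannot happen. The class name and method names follow the thread; the regex, the all_caps/caps attributes and the one-capability-set-per-rule model are assumptions made for this example.

```python
import re

# Constructed grammar for this example: "capability," (all capabilities)
# or "capability <name> [<name> ...],".
CAP_RE = re.compile(r'^\s*capability(\s+(?P<caps>[a-z0-9_]+(\s+[a-z0-9_]+)*))?\s*,\s*$')


class CapabilityRule:
    def __init__(self, cap_list=None, raw_rule=None):
        if raw_rule:
            # raw_rule wins: derive everything from it, never from cap_list
            self.all_caps, self.caps = self.parse_capability(raw_rule)
            self.raw_rule = raw_rule
        elif cap_list:
            if isinstance(cap_list, str):
                cap_list = [cap_list]           # CapabilityRule('chown')
            self.all_caps, self.caps = False, frozenset(cap_list)
            self.raw_rule = None
        else:
            raise ValueError('need either cap_list or raw_rule')

    @staticmethod
    def parse_capability(raw_rule):
        """Return (all_caps, caps) for one profile line; reject anything else."""
        m = CAP_RE.match(raw_rule)
        if not m:
            raise ValueError('not a capability rule: %r' % raw_rule)
        if m.group('caps') is None:
            return True, frozenset()             # bare "capability," = all
        return False, frozenset(m.group('caps').split())

    def get_raw(self):
        if self.raw_rule:
            return self.raw_rule
        if self.all_caps:
            return 'capability,'
        return 'capability %s,' % ' '.join(sorted(self.caps))

    def is_equal(self, other):
        return self.all_caps == other.all_caps and self.caps == other.caps

    def is_covered(self, other):
        """True if every capability granted by `other` is also granted by self."""
        if self.all_caps:
            return True
        if other.all_caps:
            return False
        return other.caps <= self.caps
```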