[apparmor] [PATCH] utils: Basic support for bare capability rules

Christian Boltz apparmor at cboltz.de
Thu Mar 20 12:32:14 UTC 2014


Hello,

On Wednesday, 19 March 2014, Tyler Hicks wrote:
> Bug: https://bugs.launchpad.net/bugs/1294819
> 
> This patch adds minimal support for bare capability rules
> ("capability,"). It prevents aa.py from emitting a traceback when
> encountering such a rule.
> 
> It only adds the ability to parse and write the bare rule. It doesn't
> attempt to be clever when deleting duplicate rules, such as realizing
> that "capability audit_control," can be deleted if "capability," is
> also present.

Can you please add a TODO note for this so it doesn't get lost?

> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
>  utils/apparmor/aa.py | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
> index a81b495..19a140c 100644
> --- a/utils/apparmor/aa.py
> +++ b/utils/apparmor/aa.py

> @@ -2599,7 +2602,7 @@ def attach_profile_data(profiles, profile_data):

>+RE_PROFILE_CAP = re.compile('^\s*(audit\s+)?(allow\s+|
>deny\s+)?capability\s*(\S+)?\s*,\s*(#.*)?$')
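Review bot: the pattern literal on the +RE_PROFILE_CAP line is a plain (non-raw) string, so the \s and \S escapes go through Python's string-escape processing before re ever sees them; write it as r'^\s*(audit\s+)?(allow\s+|deny\s+)?capability...' so the regex is passed through untouched. It happens to work today only because \s is not a recognised string escape and is kept verbatim. The same applies to whichever replacement pattern is chosen for the trailing part.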

capability \s* means the regex will also allow "capabilitysetuid".

I'd propose something like (untested)

... capability(\s+\S+)?\s*,\s*(#.*)?$')

or

... capability(\s+(\S+))?\s*,\s*(#.*)?$')

(not sure how the nested parentheses change the matches[] numbering)

...
> -            capability = matches[2]
> +            capability = ALL
> +            if matches[2]:
> +                capability = matches[2]
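Review bot: if the regex is changed to capture the whitespace inside the optional group, as in capability(\s+\S+)?, the assignment "capability = matches[2]" stores the name with a leading space; strip it with matches[2].strip() (Python str has no trim method). With the nested form capability(\s+(\S+))? groups are numbered by their opening parenthesis, so the space-prefixed outer group becomes matches[2] and the bare name matches[3]; the "if matches[2]:" test still distinguishes the bare rule (outer group is None), but the assignment must then read "capability = matches[3]".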

If you choose the first regex I propose, you'll probably need to use 
matches[2].trim here.

With the regex changed and a TODO note for duplicate removal,
Acked-by: Christian Boltz <apparmor at cboltz.de>


Regards,

Christian Boltz
-- 
>That release went far too smooth after we had everything together ;-)
That on it's own should have set off the alarm bells :-)
[> Andreas Jaeger and David Bolt in opensuse-factory]
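The following is an added example, not code from this thread or from utils/apparmor/aa.py. It puts the three regexes under discussion (the one in the patch and the two replacements proposed above, each completed with the patch's own audit/allow/deny prefix) through a few constructed rule lines, so the "untested" proposals and the question of how the nested parentheses shift the group numbering can be checked directly. The ALL constant is a hypothetical stand-in for aa.py's ALL sentinel.

```python
import re

# Candidate regexes from the thread.  ORIGINAL is the pattern in the patch;
# PROPOSED_A and PROPOSED_B are the two replacements suggested in the reply,
# completed here with the patch's own audit/allow/deny prefix.  All three are
# raw strings so the \s escapes are handed to re without string-escape
# processing.
PREFIX = r'^\s*(audit\s+)?(allow\s+|deny\s+)?'
ORIGINAL = re.compile(PREFIX + r'capability\s*(\S+)?\s*,\s*(#.*)?$')
PROPOSED_A = re.compile(PREFIX + r'capability(\s+\S+)?\s*,\s*(#.*)?$')
PROPOSED_B = re.compile(PREFIX + r'capability(\s+(\S+))?\s*,\s*(#.*)?$')

# Constructed sample rule lines.  The last one is the glued spelling the
# reply warns about and must be rejected by a correct pattern.
SAMPLE_RULES = [
    "  capability,",
    "capability setuid,",
    "audit deny capability audit_control,  # comment",
    "capabilitysetuid,",
]

# Hypothetical stand-in for aa.py's ALL sentinel; any unique marker would do.
ALL = "ALL"


def groups_for(pattern, line):
    """Return the tuple m.groups() yields, or None if the line is rejected.

    Comparing the tuples across patterns shows how an extra pair of
    parentheses shifts the indices used as matches[N] in aa.py."""
    m = pattern.search(line)
    return m.groups() if m else None


def accepts_glued_spelling(pattern):
    """True if the pattern wrongly accepts 'capabilitysetuid,'."""
    return pattern.search("capabilitysetuid,") is not None


def parse_capability(line):
    """Parse one capability rule with PROPOSED_B.

    Returns (audit, mode, capability), with capability == ALL for the bare
    rule, or None if the line is not a capability rule.  The capability
    name sits in the group nested inside the optional whitespace group, so
    it is group 4 (matches[3] after .groups()) and carries no leading
    whitespace; with PROPOSED_A it would be group 3 and need .strip().
    """
    m = PROPOSED_B.search(line)
    if not m:
        return None
    audit = m.group(1) is not None
    mode = (m.group(2) or "allow").strip()
    capability = m.group(4) if m.group(4) else ALL
    return audit, mode, capability


if __name__ == "__main__":
    for name, pat in (("ORIGINAL", ORIGINAL), ("PROPOSED_A", PROPOSED_A),
                      ("PROPOSED_B", PROPOSED_B)):
        print(name, "accepts capabilitysetuid:", accepts_glued_spelling(pat))
        for rule in SAMPLE_RULES:
            print("   ", repr(rule), "->", groups_for(pat, rule))
    for rule in SAMPLE_RULES:
        print(repr(rule), "->", parse_capability(rule))
```

Running it shows that only ORIGINAL accepts "capabilitysetuid,", that PROPOSED_A hands back " setuid" with the leading space in group 3, and that PROPOSED_B moves the bare name to group 4, which is why parse_capability reads m.group(4) rather than the index the patch uses.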
