[apparmor] [PATCH] utils: Basic support for bare capability rules

Tyler Hicks tyhicks at canonical.com
Thu Mar 20 17:23:59 UTC 2014


On 2014-03-20 13:32:14, Christian Boltz wrote:
> Hello,
> 
> > On Wednesday, 19 March 2014, Tyler Hicks wrote:
> > Bug: https://bugs.launchpad.net/bugs/1294819
> > 
> > > This patch adds minimal support for bare capability rules
> > ("capability,"). It prevents aa.py from emitting a traceback when
> > encountering such a rule.
> > 
> > It only adds the ability to parse and write the bare rule. It doesn't
> > attempt to be clever when deleting duplicate rules, such as realizing
> > that "capability audit_control," can be deleted if "capability," is
> > also present.
> 
> Can you please add a TODO note for this to avoid it gets lost?

Sure

> 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> >  utils/apparmor/aa.py | 14 +++++++++++---
> >  1 file changed, 11 insertions(+), 3 deletions(-)
> > 
> > diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
> > index a81b495..19a140c 100644
> > --- a/utils/apparmor/aa.py
> > +++ b/utils/apparmor/aa.py
> 
> > @@ -2599,7 +2602,7 @@ def attach_profile_data(profiles, profile_data):
> 
> >+RE_PROFILE_CAP = re.compile('^\s*(audit\s+)?(allow\s+|
> >deny\s+)?capability\s*(\S+)?\s*,\s*(#.*)?$')
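Review bot: `capability\s*(\S+)?` in the new RE_PROFILE_CAP accepts a fused keyword such as `capabilitysetuid,`, because `\s*` permits zero whitespace between `capability` and the name; moving the required whitespace inside the optional group (`capability(\s+\S+)?\s*,\s*(#.*)?$`) keeps the bare `capability,` form matching while rejecting the fused spelling. The pattern is also passed as a plain string literal rather than `re.compile(r'...')`, so the `\s` escapes depend on string-literal escape handling; a raw string avoids that.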
> 
> capability \s* means the regex will also allow "capabilitysetuid".
> 
> I'd propose something like (untested)
> 
> ... capability(\s+\S+)?\s*,\s*(#.*)?$')

I like this one the best

> 
> or
> 
> ... capability(\s+(\S+))?\s*,\s*(#.*)?$')
> 
> (not sure how the nested parenthesis change the matches[] numbering)
> 
> ...
> > -            capability = matches[2]
> > +            capability = ALL
> > +            if matches[2]:
> > +                capability = matches[2]
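Review bot: if RE_PROFILE_CAP changes to `capability(\s+\S+)?`, the group read here as `matches[2]` carries its leading whitespace and should be stored as `matches[2].strip()`; with the nested form `capability(\s+(\S+))?` the name moves one group later and the trailing comment group shifts with it, so every index used against this regex (including the other caller of RE_PROFILE_CAP mentioned in the reply) needs re-checking.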
> 
> If you choose the first regex I propose, you'll probably need to use 
> matches[2].trim here.

Ack (it is .strip() in python)

> 
> With the regex changed and a TODO note for duplicate removal,
> Acked-by: Christian Boltz <apparmor at cboltz.de>

I found another use of the RE_PROFILE_CAP regex, in
serialize_profile_from_old_profile(), that should have been updated. I'm
going to send the patch back out to the list before committing since
that required an additional change.

Tyler
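To make the regex point concrete, here is an added Python example (not code from the AppArmor utils or from either author): it runs the submitted RE_PROFILE_CAP and Christian's first proposed variant over a few constructed rule lines, applying the hunk's ALL default and the .strip() Tyler mentions. The ALL placeholder, the parse function and the sample lines are assumptions for illustration.

```python
import re

# Assumed placeholder for aa.py's ALL sentinel (its real value is not reproduced here).
ALL = 'ALL'

# Regex as submitted in the patch: '\s*' lets the name fuse onto the keyword.
RE_CAP_SUBMITTED = re.compile(
    r'^\s*(audit\s+)?(allow\s+|deny\s+)?capability\s*(\S+)?\s*,\s*(#.*)?$')

# Christian's first proposal: the whitespace is required inside the optional group.
RE_CAP_PROPOSED = re.compile(
    r'^\s*(audit\s+)?(allow\s+|deny\s+)?capability(\s+\S+)?\s*,\s*(#.*)?$')


def parse_capability_rule(line, regex):
    """Return (audit, mode, capability, comment), or None if the line does not match.

    Mirrors the hunk: a bare 'capability,' rule yields capability == ALL.
    """
    m = regex.search(line)
    if not m:
        return None
    matches = m.groups()
    audit = bool(matches[0])
    mode = matches[1].strip() if matches[1] else 'allow'
    capability = ALL
    if matches[2]:
        # With the proposed regex group 2 carries its leading whitespace,
        # hence .strip() (Python's equivalent of the suggested .trim).
        capability = matches[2].strip()
    comment = matches[3].strip() if matches[3] else ''
    return (audit, mode, capability, comment)


# Constructed sample rule lines; the last one is the fused spelling Christian flagged.
CONSTRUCTED_RULES = [
    '  capability,',
    'capability setuid,',
    'audit deny capability net_admin,  # why',
    'capabilitysetuid,',
]

if __name__ == '__main__':
    for line in CONSTRUCTED_RULES:
        print(repr(line))
        print('  submitted:', parse_capability_rule(line, RE_CAP_SUBMITTED))
        print('  proposed: ', parse_capability_rule(line, RE_CAP_PROPOSED))
```

The submitted pattern silently parses `capabilitysetuid,` as `capability setuid,`; the proposed one rejects it while still handling the bare, named, audit/deny and commented forms.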

> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> >That release went far too smooth after we had everything together ;-)
> That on its own should have set off the alarm bells :-)
> [> Andreas Jaeger and David Bolt in opensuse-factory]
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor