[apparmor] [PATCH] utils: Basic support for bare capability rules
tyhicks at canonical.com
Thu Mar 20 17:23:59 UTC 2014
On 2014-03-20 13:32:14, Christian Boltz wrote:
> On Wednesday, 19 March 2014, Tyler Hicks wrote:
> > Bug: https://bugs.launchpad.net/bugs/1294819
> > This patch adds minimal support for bare capability rules
> > ("capability,"). It prevents aa.py from emitting a traceback when
> > encountering such a rule.
> > It only adds the ability to parse and write the bare rule. It doesn't
> > attempt to be clever when deleting duplicate rules, such as realizing
> > that "capability audit_control," can be deleted if "capability," is
> > also present.
> Can you please add a TODO note for this so that it doesn't get lost?
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> > utils/apparmor/aa.py | 14 +++++++++++---
> > 1 file changed, 11 insertions(+), 3 deletions(-)
> > diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
> > index a81b495..19a140c 100644
> > --- a/utils/apparmor/aa.py
> > +++ b/utils/apparmor/aa.py
> > @@ -2599,7 +2602,7 @@ def attach_profile_data(profiles, profile_data):
> >+RE_PROFILE_CAP = re.compile('^\s*(audit\s+)?(allow\s+|
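Review bot: the pattern on the added RE_PROFILE_CAP line is written as an ordinary string literal that contains "\s", so it depends on Python leaving unknown backslash escapes untouched. Writing it as a raw literal, re.compile(r'^\s*(audit\s+)?..., makes the intent explicit and keeps the escapes from being reinterpreted if the pattern is later edited to include a sequence such as "\b".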
> capability \s* means the regex will also allow "capabilitysetuid".
> I'd propose something like (untested)
> ... capability(\s+\S+)?\s*,\s*(#.*)?$')
I like this one the best
> ... capability(\s+(\S+))?\s*,\s*(#.*)?$')
> (not sure how the nested parentheses change the matches numbering)
> > - capability = matches
> > + capability = ALL
> > + if matches:
> > + capability = matches
> If you choose the first regex I propose, you'll probably need to use
> matches.trim here.
Ack (it is .strip() in python)
> With the regex changed and a TODO note for duplicate removal,
> Acked-by: Christian Boltz <apparmor at cboltz.de>
I found another use of the RE_PROFILE_CAP regex, in
serialize_profile_from_old_profile(), that should have been updated. I'm
going to send the patch back out to the list before committing since
that required an additional change.
> Christian Boltz
> >That release went far too smooth after we had everything together ;-)
> That on it's own should have set off the alarm bells :-)
> [> Andreas Jaeger and David Bolt in opensuse-factory]
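The regex point raised in this thread, as an added example (not code from the patch or from aa.py): a parser run with a loose keyword pattern and with the tail proposed in the review, showing that only the loose one accepts "capabilitysetuid," as a rule. The "deny\s+)?" completion of the prefix, the LOOSE pattern, the ALL sentinel and parse_capability() are assumptions made for the example.

```python
import re

# The prefix up to "(allow\s+|" is visible in the quoted hunk; the
# "deny\s+)?" completion is an assumption made for this example.
PREFIX = r'^\s*(audit\s+)?(allow\s+|deny\s+)?'

# Loose form the review objects to (constructed): "\s*" after the keyword
# lets a capability name run straight on from it.
LOOSE = re.compile(PREFIX + r'capability\s*(\S+)?\s*,\s*(#.*)?$')
# Tail proposed in the thread: whitespace is required before a name.
STRICT = re.compile(PREFIX + r'capability(\s+\S+)?\s*,\s*(#.*)?$')

ALL = object()  # hypothetical sentinel meaning "every capability"


def parse_capability(line, regex=STRICT):
    """Return (audit, modifier, capability), or None if the line is not
    a capability rule. A bare "capability," yields the ALL sentinel."""
    m = regex.search(line)
    if not m:
        return None
    audit = bool(m.group(1))
    modifier = m.group(2).strip() if m.group(2) else None
    capability = ALL
    if m.group(3):
        # With STRICT the group includes the leading whitespace, hence strip().
        capability = m.group(3).strip()
    return audit, modifier, capability


if __name__ == "__main__":
    # Constructed sample profile lines.
    samples = [
        "  capability,",
        "  capability setuid,",
        "  audit deny capability sys_admin, # constructed comment",
        "  capabilitysetuid,",
    ]
    for line in samples:
        for name, rx in (("loose", LOOSE), ("strict", STRICT)):
            print(f"{name:6} {line!r:60} -> {parse_capability(line, rx)}")
```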