[apparmor] [patch] fix leading whitespace in "(V)iew changes" and cleanup profile writing

Christian Boltz apparmor at cboltz.de
Fri Nov 14 01:33:04 UTC 2014


Hello,

funny things while working on the rule class, part $big_number:

The diff displayed by (V)iew changes in aa-logprof lacks leading 
whitespace because it bases the whitespace on the indentation level of the 
closing "}".

Besides that, it uses different values for the indentation level for newly 
added rule types than for existing rule types. (For example, if a 
profile already had a network rule, added network rules will get a 
different indentation level.) However, you won't notice this because
currently it doesn't indent the rules at all ;-)

This patch fixes serialize_profile_from_old_profile() in aa.py so that 
it always uses the correct indentation level.


Also clean up and simplify how the profile is written in the end (when 
matching RE_PROFILE_END) - we already have "write_methods", so we can
just re-use it instead of "manually" calling one write_* function after 
the other. Unfortunately, dicts don't keep their original order; 
therefore I had to introduce "default_write_order" (any better idea?)


Finally, add some missing rule types to "segments" to avoid key errors.



[ aa.py-fix-depth-simplify-view-changes.diff ]

=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py        2014-11-11 23:05:04 +0000
+++ utils/apparmor/aa.py        2014-11-14 01:02:01 +0000
@@ -3775,6 +3767,21 @@
                          'path': write_paths,
                          'change_profile': write_change_profile,
                          }
+        default_write_order = [ 'alias',
+                                'lvar',
+                                'include',
+                                'rlimit',
+                                'capability',
+                                'netdomain',
+                                'dbus',
+                                'mount',
+                                'signal',
+                                'ptrace',
+                                'pivot_root',
+                                'link',
+                                'path',
+                                'change_profile',
+                              ]
         # prof_correct = True  # XXX correct?
         segments = {'alias': False,
                     'lvar': False,
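Review bot: default_write_order at the top of this hunk repeats the keys of write_methods by hand, so the two tables can drift apart, and a key present in one but missing from the other raises a KeyError in the write loops that index write_methods[segs] and segments[segs]. Since the list exists only because a plain dict does not preserve insertion order, building write_methods itself as a collections.OrderedDict (available since Python 2.7 / 3.1) gives a single table that carries both the method and the order, and the loops can iterate write_methods.keys() as the commented-out line in the later hunk already suggests. If the separate list is kept, add `assert set(default_write_order) == set(write_methods.keys())` right after it, so a forgotten entry fails at definition time rather than when a profile is written.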
@@ -3783,10 +3790,14 @@
                     'capability': False,
                     'netdomain': False,
                     'dbus': False,
+                    'mount': True, # not handled otherwise yet
+                    'signal': True, # not handled otherwise yet
+                    'ptrace': True, # not handled otherwise yet
+                    'pivot_root': True, # not handled otherwise yet
                     'link': False,
                     'path': False,
                     'change_profile': False,
-                    'include_local_started': False,
+                    'include_local_started': False, # unused
                     }
         #data.append('reading prof')
         for line in f_in:
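Review bot: 'mount', 'signal', 'ptrace' and 'pivot_root' are initialised to True, unlike every other segment, which means the first write pass at profile end always emits them and then pops them from the 'allow'/'deny' dicts; the comment "not handled otherwise yet" should state what the per-line loop does with mount/signal/ptrace/pivot_root lines that already exist in the file, because if those lines are passed through verbatim the rewritten profile carries each such rule twice. Also, 'include_local_started' is now annotated "# unused" but kept; since neither write loop iterates segments any more, drop the key instead of commenting it.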
@@ -3844,31 +3855,22 @@
             elif RE_PROFILE_END.search(line):
                 # DUMP REMAINDER OF PROFILE
                 if profile:
-                    depth = len(line) - len(line.lstrip())
-                    if True in segments.values():
-                        for segs in list(filter(lambda x: segments[x], segments.keys())):
+                    depth = int(len(line) - len(line.lstrip()) / 2) + 1
 
+                    # first write sections that were modified (and remove them from write_prof_data)
+                    #for segs in write_methods.keys():
+                    for segs in default_write_order:
+                        if segments[segs]:
-                            data += write_methods[segs](write_prof_data[name], int(depth / 2))
+                            data += write_methods[segs](write_prof_data[name], depth)
                             segments[segs] = False
                             if write_prof_data[name]['allow'].get(segs, False):
                                 write_prof_data[name]['allow'].pop(segs)
                             if write_prof_data[name]['deny'].get(segs, False):
                                 write_prof_data[name]['deny'].pop(segs)
 
-                    data += write_alias(write_prof_data[name], depth)
-                    data += write_list_vars(write_prof_data[name], depth)
-                    data += write_includes(write_prof_data[name], depth)
-                    data += write_rlimits(write_prof_data, depth)
-                    data += write_capabilities(write_prof_data[name], depth)
-                    data += write_netdomain(write_prof_data[name], depth)
-                    data += write_dbus(write_prof_data[name], depth)
-                    data += write_mount(write_prof_data[name], depth)
-                    data += write_signal(write_prof_data[name], depth)
-                    data += write_ptrace(write_prof_data[name], depth)
-                    data += write_pivot_root(write_prof_data[name], depth)
-                    data += write_links(write_prof_data[name], depth)
-                    data += write_paths(write_prof_data[name], depth)
-                    data += write_change_profile(write_prof_data[name], depth)
+                    # then write everything else
+                    for segs in default_write_order:
+                        data += write_methods[segs](write_prof_data[name], depth)
 
                     write_prof_data.pop(name)
 
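Review bot: the new depth line has an operator-precedence bug: `int(len(line) - len(line.lstrip()) / 2) + 1` parses as len(line) minus half of len(line.lstrip()), not half of the leading whitespace. For a closing brace at column 0, "}\n", it yields int(2 - 2/2) + 1 == 2 instead of the intended 1, and for "  }\n" it yields int(4 - 2/2) + 1 == 4 instead of 2, so the rewritten rules are indented too deep and the result depends on the full line length. Parenthesise the subtraction, `depth = int((len(line) - len(line.lstrip())) / 2) + 1`, or use `// 2`. Second point: the removed explicit call passed the whole write_prof_data to write_rlimits while every other writer received write_prof_data[name]; the replacement loop calls write_methods['rlimit'] with write_prof_data[name], so either the old call was a latent bug worth a sentence in the commit message, or the rlimit writer expects the outer dict and now breaks; please check the signature of write_rlimits before this lands.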


Regards,

Christian Boltz
-- 
:O h:, I'm cracking up. If it isn't the thing with the quiz, is it
then some kind of pyramid scheme?   Do you get a bonus  if you lure
another newbie into his misfortune?   [Thorsten Haude in suse-linux]
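The two points discussed in the mail (taking the rule indentation from the closing "}" line, and writing rule sections in a fixed order that does not depend on dict iteration order) as an added, stand-alone example. This is not code from aa.py or from the patch: the writer functions, the toy profile layout and WRITE_METHODS are illustrative stand-ins, and the two-space indent unit is assumed from the division by 2 in the patch. It also keeps the unparenthesised depth computation beside the correct one so the difference is visible on real input.

```python
"""Added example (not AppArmor's aa.py): rule indentation derived from the
closing brace line, and ordered writing of rule sections."""
from collections import OrderedDict

INDENT = 2  # assumed: two spaces per nesting level


def rule_depth(closing_line, indent=INDENT):
    """Indentation level for rules inside the block closed by closing_line.

    The '}' sits one level shallower than the rules it encloses, hence + 1.
    The subtraction must be parenthesised: `a - b / 2` divides only b.
    """
    leading = len(closing_line) - len(closing_line.lstrip())
    return leading // indent + 1


def depth_with_precedence_bug(closing_line, indent=INDENT):
    """Same computation without parentheses, kept to show the failure mode."""
    return int(len(closing_line) - len(closing_line.lstrip()) / indent) + 1


# Writers for a toy profile representation, {'allow': {'capability': [...],
# 'network': [...], 'path': {path: perms}}}.  Illustrative only; they are
# not the write_* functions of aa.py.
def write_capabilities(profile, depth):
    pad = ' ' * (depth * INDENT)
    return ['%scapability %s,' % (pad, c)
            for c in sorted(profile['allow'].get('capability', []))]


def write_network(profile, depth):
    pad = ' ' * (depth * INDENT)
    return ['%snetwork %s,' % (pad, n)
            for n in sorted(profile['allow'].get('network', []))]


def write_paths(profile, depth):
    pad = ' ' * (depth * INDENT)
    return ['%s%s %s,' % (pad, p, perms)
            for p, perms in sorted(profile['allow'].get('path', {}).items())]


# An OrderedDict carries the write order in the table itself, so no separate
# order list has to be kept in sync with it.
WRITE_METHODS = OrderedDict([
    ('capability', write_capabilities),
    ('network', write_network),
    ('path', write_paths),
])


def serialize_rules(profile, closing_line, modified=()):
    """Emit sections in WRITE_METHODS order at the depth implied by closing_line.

    Sections named in `modified` are written first and then consumed, mirroring
    the two-pass scheme (modified sections, then everything else); the second
    pass finds nothing left for them and writes only the remaining sections.
    """
    depth = rule_depth(closing_line)
    remaining = {'allow': dict(profile['allow'])}
    out = []
    for name, writer in WRITE_METHODS.items():
        if name in modified:
            out += writer(remaining, depth)
            remaining['allow'].pop(name, None)
    for name, writer in WRITE_METHODS.items():
        out += writer(remaining, depth)
    return out


# Constructed sample profile for the usage below.
PROFILE = {'allow': {'capability': ['net_bind_service'],
                     'network': ['inet stream'],
                     'path': {'/etc/foo': 'r'}}}

if __name__ == '__main__':
    for line in ('}\n', '  }\n'):
        print(repr(line), 'correct depth', rule_depth(line),
              'buggy depth', depth_with_precedence_bug(line))
    print('\n'.join(serialize_rules(PROFILE, '}\n', modified=('path',))))
```

Running it shows the unparenthesised form returning 2 and 4 where 1 and 2 are expected, and the ordered writer placing the modified section first and the rest in table order, each indented one level deeper than the closing brace.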



