[apparmor] [patch 1/3] add base and capability rule classes
Christian Boltz
apparmor at cboltz.de
Sat Nov 15 22:43:51 UTC 2014
Hello,
This patch adds four classes - two "base" classes and two specific for
capabilities:
utils/apparmor/rule/__init__.py:
    class base_rule(object):
        Base class to handle and store a single rule
    class base_rules(object):
        Base class to handle and store a collection of rules
utils/apparmor/rule/capability.py:
    class capability_rule(base_rule):
        Class to handle and store a single capability rule
    class capability_rules(base_rules):
        Class to handle and store a collection of capability rules
Most of the code is in the base classes (in __init__.py) - that's code
that will be reused by each rule class.
capability.py contains only code that is specific to capabilities.
The layout of the base_rules and capability_rules classes is not too
different from the proposal I sent some weeks ago.
The biggest difference is that the class doesn't store the full profile
and include list. When I tried to do this, aa-logprof started to eat
*lots of* memory before I Ctrl-C'd it in a deepcopy() operation.
Either we find a way to implement this in a sane way that doesn't eat
memory, or we just keep it out ;-)
I didn't implement the functions to propose rules yet - that's something
for the second round. The interesting question is if we can do this
inside the class without having the list of include files inside the
class.
The storage for single rules is more different - initially I planned to
use a dict at least for the simple rule types like capability, but it
turned out that using a class has some advantages.
Here's the list of functions in each class:
utils/apparmor/rule/__init__.py:

class base_rule(object):
    '''Base class to handle and store a single rule'''
    def get_raw(self, depth):
        '''return raw rule (with original formatting, and leading whitespace in the depth parameter)'''
    def audit_allow_str(self):
        '''return the allow/deny and audit keyword as string, including whitespace'''
    def parse_audit_allow(self, matches):
        '''returns audit, deny, allow_keyword and comment from the matches object

class base_rules(object):
    '''Base class to handle and store a collection of rules'''
    def __init__(self):
        self.delete_all_rules()
    def delete_all_rules(self):
        self.rules = []
    def add_raw(self, rawrule):
        '''parse rawrule (from profile file) and store it in a structured way'''
    def get_raw(self, depth):
        '''return all raw rules (if possible/not modified in their original formatting).
    def get_clean(self, depth):
        '''return all rules (in clean/default formatting)
    def covered_obj(self, rule_obj, check_allow_deny = True, check_audit = False):
        '''return True if rule_obj is covered by existing rules, otherwise False'''
    def covered_log(self, parsed_log_event, check_allow_deny = True, check_audit = False):
        '''return True if parsed_log_event is covered by existing rules, otherwise False'''
    def covered_raw(self, rawrule, check_allow_deny = True, check_audit = False):
        '''return True if rawrule is covered by existing rules, otherwise False'''
    def delete_obj(self, rule_obj):
        '''Delete rule_obj from rules'''
    def delete_raw(self, rawrule):
        '''Delete rawrule from rules'''
    def delete_duplicates(self, inccaps):
        '''Delete duplicate rules.
    def get_glob_ext(self, path_or_rule):
        '''returns the next possible glob with extension (for file rules only).

utils/apparmor/rule/capability.py:

class capability_rule(base_rule):
    '''Class to handle and store a single capability rule'''
    def __init__(self):
        self.capability = []
    def get_clean(self, depth):
        '''return rule (in clean/default formatting)'''
    def set_raw(self, rawrule):
        '''parse and store rawrule'''
    def set_log(self, parsed_log_event):
        '''parse and store log event'''
    def covered(self, rule_obj, check_allow_deny = True, check_audit = False):
        '''check if rule_obj is covered by this rule object'''

class capability_rules(base_rules):
    '''Class to handle and store a collection of capability rules'''
    def new_rule(self):
        '''tiny helper function that allows to keep several functions to parent class'''
    def get_glob(self, path_or_rule):
        '''Return the next possible glob. For capability rules, that's always "capability," (all capabilities)'''
Ah, I like it when grep writes my mails ;-) [1]
Regards,
Christian Boltz
[1] grep -h -A1 '^class\|^ *def' __init__.py capability.py
--
Alt ist man, wenn man sich links neben der Leertaste befindet.
[http://twitter.com/nichtstefanraab/status/2799731380]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1-add-base-and-capability-rule-class.diff
Type: text/x-patch
Size: 11527 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20141115/6d85d717/attachment.bin>
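As an added illustration of the single-rule/collection split and the covered_*() semantics the mail describes (this is a constructed sketch, not the code from the scrubbed patch or from utils/apparmor/rule/), the following assumes the rule syntax "[audit] [allow|deny] capability [cap ...]," and treats a bare "capability," as covering every capability, as the get_glob() docstring states. Class names are deliberately different from the patch's so they are not mistaken for it.

```python
import re

# Constructed sketch of the capability rule classes described in the mail;
# NOT the code from utils/apparmor/rule/capability.py.
# Assumed rule syntax: [audit] [allow|deny] capability [cap ...], [# comment]
RE_CAP = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<mode>(allow|deny)\s+)?'
    r'capability(?P<caps>(\s+\w+)*)\s*,\s*(?P<comment>#.*)?$')

class CapabilityRule:
    '''single capability rule: set of capabilities plus audit/deny flags'''
    def __init__(self, rawrule):
        m = RE_CAP.match(rawrule)
        if not m:
            raise ValueError('not a capability rule: %r' % rawrule)
        self.audit = bool(m.group('audit'))
        self.deny = (m.group('mode') or '').strip() == 'deny'
        # an empty set means the bare "capability," rule (all capabilities)
        self.capability = set(m.group('caps').split())
        self.comment = (m.group('comment') or '').strip()

    def get_clean(self, depth=0):
        '''rule in clean/default formatting, indented by depth levels'''
        parts = (['audit'] if self.audit else []) + (['deny'] if self.deny else [])
        parts += ['capability'] + sorted(self.capability)
        return '  ' * depth + ' '.join(parts) + ','

    def covered(self, other, check_allow_deny=True, check_audit=False):
        '''True if this rule already covers everything other asks for'''
        if check_allow_deny and self.deny != other.deny:
            return False
        if check_audit and self.audit != other.audit:
            return False
        if not self.capability:    # bare "capability," covers any rule
            return True
        if not other.capability:   # other wants all, we grant only a subset
            return False
        return other.capability <= self.capability

class CapabilityRules:
    def __init__(self):
        self.rules = []

    def add_raw(self, rawrule):
        self.rules.append(CapabilityRule(rawrule))

    def covered_raw(self, rawrule, check_allow_deny=True, check_audit=False):
        '''True if rawrule is covered by any rule already in the collection'''
        new = CapabilityRule(rawrule)
        return any(r.covered(new, check_allow_deny, check_audit)
                   for r in self.rules)
```

With check_allow_deny=True a deny rule never covers an allow rule for the same capability, which is the distinction aa-logprof needs before deciding whether a logged event still requires a new rule.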