[apparmor] [patch 3/3] use capability rule class in aa.py and cleanprof.py

Christian Boltz apparmor at cboltz.de
Sat Nov 15 22:46:41 UTC 2014


Hello,

this patch changes aa.py and cleanprof.py to use the new capability rule 
class.

The most important details in the change are:
- the capability rules are stored in 
  aa[profile][hat]['capability'] instead of
  aa[profile][hat]['allow']['capability'] and 
  aa[profile][hat]['deny']['capability']
  (allow/deny is handled inside the capability_rules class)
- profile_known_capability() now just returns True or False. Before, it
  returned different values for deny and allow, but the calling code 
  doesn't care about this detail anyway.

Some things are still a bit ugly (and commented as such). In the long 
term, I plan to change logparser so that it returns a set of *_rule 
classes instead of the current array with parsed events. This will 
remove some of the ugly tricks I had to add.

We should also come up with a function that initializes the structure 
for each profile in aa[profile][hat] - with that, we could drop several 
safety checks I had to add to avoid problems with profiles that don't 
contain a capability rule.

I also had to add several
+                    if write_prof_data[name].get(segs, False):
+                        write_prof_data[name][segs].delete_all_rules()
in serialize_profile_from_old_profile(). That's needed to avoid writing 
rules twice. On the positive side, when we have converted everything to 
rule classes, we can delete the four lines above each of these added 
lines :-)

The patch also contains a small bugfix - when choosing "deny" for a 
capability, the audit flag was ignored. Maybe it also fixes some other 
small bugs we didn't even notice before ;-)


Let me finalize this patch series with the line count statistics:
1-add-base-and-capability-rule-class.diff - 329 lines added, 0 removed
2-add-capability-rule-test.diff - 657 lines added, 0 removed
3-use-capability-rule-class.diff - 62 lines added, 107 removed

That all said - I'm looking forward to feedback ;-)

Enjoy reviewing the patches!


Regards,

Christian Boltz
-- 
PHP offers several ways to do something wrong. 
The phpBB developers have apparently used many of these ways.
[Comment on http://www.pro-linux.de/news/2007/12106.html]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3-use-capability-rule-class.diff
Type: text/x-patch
Size: 19247 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20141115/4f664c35/attachment.bin>
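The structure change described in the mail, as an added illustration that is not the AppArmor utils' own code: allow and deny capability rules live in one container at aa[profile][hat]['capability'], the audit flag survives for deny rules, profile_known_capability() returns only True or False, and delete_all_rules() clears the container before re-serialization. Class and function names are assumptions chosen for this example.

```python
# Added illustration, not the AppArmor utils' own code: a minimal model of the
# restructuring described above; class/function names are assumptions.

class CapabilityRule:
    """One 'capability' line; deny and audit are attributes of the rule."""
    def __init__(self, capability, deny=False, audit=False):
        self.capability = capability
        self.deny = deny
        self.audit = audit

    def get_clean(self):
        # Render in profile syntax, keeping the audit flag for deny rules too
        # (the bug described above dropped it when 'deny' was chosen).
        prefix = ('audit ' if self.audit else '') + ('deny ' if self.deny else '')
        return '%scapability %s,' % (prefix, self.capability)


class CapabilityRules:
    """Container stored at aa[profile][hat]['capability']; allow and deny
    rules live together instead of under separate 'allow'/'deny' keys."""
    def __init__(self):
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)

    def delete_all_rules(self):
        # Called before re-serializing a profile so rules are not written twice.
        self.rules = []

    def is_known(self, capability):
        return any(r.capability == capability for r in self.rules)

    def get_clean(self):
        return [r.get_clean() for r in self.rules]


def profile_known_capability(aa, profile, hat, capability):
    """Return only True or False; the caller does not care whether the match
    is an allow or a deny rule. Tolerates hats without a 'capability' entry."""
    rules = aa.get(profile, {}).get(hat, {}).get('capability')
    return rules is not None and rules.is_known(capability)


def build_example():
    # Constructed sample profile structure (hat name equals profile name).
    aa = {'/usr/bin/foo': {'/usr/bin/foo': {'capability': CapabilityRules()}}}
    caps = aa['/usr/bin/foo']['/usr/bin/foo']['capability']
    caps.add(CapabilityRule('net_admin'))
    caps.add(CapabilityRule('sys_ptrace', deny=True, audit=True))
    return aa
```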