[apparmor] [patch 3/3] use capability rule class in aa.py and cleanprof.py
Christian Boltz
apparmor at cboltz.de
Sat Nov 15 22:46:41 UTC 2014
Hello,
this patch changes aa.py and cleanprof.py to use the new capability rule
class.
The most important details in the change are:
- the capability rules are stored in
aa[profile][hat]['capability'] instead of
aa[profile][hat]['allow']['capability'] and
aa[profile][hat]['deny']['capability']
(allow/deny is handled inside the capability_rules class)
- profile_known_capability() now just returns True or False. Before, it
returned different values for deny and allow, but the calling code
doesn't care about this detail anyway.
Some things are still a bit ugly (and commented as such). In the long
term, I plan to change logparser so that it returns a set of *_rule
classes instead of the current array with parsed events. This will
remove some of the ugly tricks I had to add.
We should also come up with a function that initializes the structure
for each profile in aa[profile][hat] - with that, we could drop several
safety checks I had to add to avoid problems with profiles that don't
contain a capability rule.
I also had to add several
+ if write_prof_data[name].get(segs, False):
+ write_prof_data[name][segs].delete_all_rules()
in serialize_profile_from_old_profile(). That's needed to avoid writing
rules twice. On the positive side, when we have converted everything to
rule classes, we can delete the four lines above each of these added
lines :-)
The patch also contains a small bugfix - when choosing "deny" for a
capability, the audit flag was ignored. Maybe it also fixes some other
small bugs we didn't even notice before ;-)
Let me finalize this patch series with the line count statistics:
1-add-base-and-capability-rule-class.diff - 329 lines added, 0 removed
2-add-capability-rule-test.diff - 657 lines added, 0 removed
3-use-capability-rule-class.diff - 62 lines added, 107 removed
That all said - I'm looking forward to feedback ;-)
Enjoy reviewing the patches!
Regards,
Christian Boltz
--
PHP offers quite a few ways to get something wrong.
The phpBB developers have apparently made use of many of them.
[Comment on http://www.pro-linux.de/news/2007/12106.html]
Attachment (scrubbed by the list archive): 3-use-capability-rule-class.diff, text/x-patch, 19247 bytes
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20141115/4f664c35/attachment.bin>
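The structure the mail describes, as an added illustration that is not code from the AppArmor patch itself: capability rules kept as one ruleset under aa[profile][hat]['capability'], with allow/deny and the audit flag carried by each rule, a boolean profile_known_capability(), and a delete_all_rules() step after writing so a second pass cannot emit the same rules twice. Class and function names, the profile name and the capabilities used are assumptions chosen for the example.

```python
# Illustrative model only (not aa.py's real classes); names are assumptions.
class CapabilityRule:
    def __init__(self, capability, deny=False, audit=False):
        self.capability = capability
        self.deny = deny      # allow/deny is a property of the rule, not a dict branch
        self.audit = audit    # audit must survive for deny rules too (the mail's bugfix)

    def get_clean(self):
        # Render as a profile line, e.g. "audit deny capability sys_ptrace,"
        prefix = ('audit ' if self.audit else '') + ('deny ' if self.deny else '')
        return '%scapability %s,' % (prefix, self.capability)


class CapabilityRuleset:
    def __init__(self):
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)

    def delete_all_rules(self):
        self.rules = []

    def get_clean(self):
        return [rule.get_clean() for rule in self.rules]

    def covers(self, capability):
        return any(rule.capability == capability for rule in self.rules)


def new_hat():
    # Initialise the per-hat structure up front so readers of ['capability']
    # never need a "profile without capability rules" safety check.
    return {'capability': CapabilityRuleset()}


def profile_known_capability(aa, profile, hat, capability):
    # True or False only; callers do not care whether the match is allow or deny.
    ruleset = aa[profile][hat].get('capability')
    return ruleset is not None and ruleset.covers(capability)


def serialize_capabilities(hat_data):
    # Write the rules, then clear them so a later serialisation pass
    # cannot write the same rules a second time.
    lines = hat_data['capability'].get_clean()
    hat_data['capability'].delete_all_rules()
    return lines


def example_profile():
    # Constructed sample: one profile, one hat, one allow and one audited deny.
    aa = {'/usr/sbin/example': {'/usr/sbin/example': new_hat()}}
    ruleset = aa['/usr/sbin/example']['/usr/sbin/example']['capability']
    ruleset.add(CapabilityRule('net_admin'))
    ruleset.add(CapabilityRule('sys_ptrace', deny=True, audit=True))
    return aa
```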