[apparmor] [patch] aa.py: use named match groups for capability
Steve Beattie
steve at nxnw.org
Wed Oct 1 16:38:34 UTC 2014
Hi,
On Fri, Sep 26, 2014 at 10:00:33PM +0200, Christian Boltz wrote:
> this patch converts RE_PROFILE_CAP in aa.py and the code using it to
> named match groups.
>
> (capability is one of the easiest rule types, so it's good as a start.)
>
> The patch also adds basic support for rules containing more than one
> capability, like
>     capability chown dac_override,
> Note that this is just a pass-through mode (instead of complaining about
> an invalid line). aa-logprof will happily add another "capability chown"
> if it hits a log entry for it. (But: we never got a bugreport about not
> supporting multi-capability lines, so I guess they are rarely used ;-)
>
> I also added a parse_audit_allow() function to handle the audit and
> allow/deny keywords. They are used in most rule types, which means we
> can get rid of some duplicated code with this function.
>
>
> Finally, update utils/test/test-regex_matches.py - RE_PROFILE_CAP now
> has 5 instead of 4 match groups because of the added multi-capability
> support.
>
> While on it, I also improved the error message in setup_regex_tests()
> to also show the rule that causes a problem.
>
>
> Feel free to comment about named match groups and the other changes
> introduced with this patch in general. Capability is the "prototype",
> similar patches for other rule types will follow sooner or later.
> (I won't complain if someone "grabs" one of the rule types so that I
> don't have to do everything ;-)
Given how complex the regular expressions we use are, named match groups
I think are a needed improvement, which is my way of saying that I like
the direction.
I'm assuming the patch was pasted into KMail, as it had some problems
applying locally due to a mis-formatting error:
> RE_PROFILE_ALIAS = re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
> @@ -2747,22 +2759,18 @@
Also,
> @@ -3216,6 +3224,21 @@
>
> return profile_data
>
> +def parse_audit_allow(matches):
> + audit = False
> + if matches.group('audit'):
> + audit = True
> +
> + allow = 'allow'
> + allow_keyword = False
> + if matches.group('allow'):
> + allow = matches.group('allow').strip()
> + allow_keyword = True
> + if allow != 'allow' and allow != 'deny': # should never happen
> + raise AppArmorException(_("Invalid allow/deny keyword %s" % allow))
> +
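Review bot: In the raise line of parse_audit_allow(), the % interpolation sits inside the _() call, so gettext is asked to translate the already-formatted string, which will not match the catalog entry. Move the formatting outside the call: _("Invalid allow/deny keyword %s") % allow. Separately, the audit flag at the top of the function could be set in one line as audit = bool(matches.group('audit')).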
I'm unclear if the extraneous whitespace (there's 4 spaces in the blank
line above) was due to KMail, or exists in your local modifications,
but if it's the latter, please remove it when committing. Which is
probably a funny way of saying Acked-by: Steve Beattie <steve at nxnw.org>.
Thanks!
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
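The named-match-group approach discussed in this thread, as an added example that is not part of the original message or of AppArmor's code. RE_CAP_RULE, RuleError and parse_capability_rule() are hypothetical names, and the pattern is a simplified stand-in for RE_PROFILE_CAP, which is not shown in the thread.

```python
import re

# Hypothetical, simplified pattern for this example; not AppArmor's RE_PROFILE_CAP.
# Optional "audit", optional "allow"/"deny", then zero or more capability names.
RE_CAP_RULE = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?'
    r'capability(?P<caps>(?:\s+[a-z_]+)*)\s*,\s*(?P<comment>#.*)?$'
)


class RuleError(Exception):
    """Raised for a line that is not a valid capability rule."""


def parse_capability_rule(line):
    """Parse one capability rule line into its audit flag, mode and names."""
    m = RE_CAP_RULE.match(line)
    if m is None:
        raise RuleError('not a capability rule: %r' % line)
    # Groups are read by name, so adding or reordering groups in the pattern
    # does not silently shift which value each variable receives.
    audit = m.group('audit') is not None
    mode = (m.group('allow') or 'allow').strip()
    caps = m.group('caps').split()
    return {
        'audit': audit,
        'mode': mode,
        # A bare "capability," rule names no capability and covers all of them.
        'all_caps': not caps,
        'capabilities': caps,
    }


if __name__ == '__main__':
    # Constructed sample lines, including the multi-capability form.
    for sample in ('capability chown dac_override,',
                   '  audit deny capability sys_admin, # constructed',
                   'capability,'):
        print(parse_capability_rule(sample))
```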