[apparmor] [patch] aa.py: use named match groups for capability

Steve Beattie steve at nxnw.org
Wed Oct 1 16:38:34 UTC 2014


Hi,

On Fri, Sep 26, 2014 at 10:00:33PM +0200, Christian Boltz wrote:
> this patch converts RE_PROFILE_CAP in aa.py and the code using it to 
> named match groups.
> 
> (capability is one of the easiest rule types, so it's good as a start.)
> 
> The patch also adds basic support for rules containing more than one 
> capability, like
>     capability chown dac_override,
> Note that this is just a pass-through mode (instead of complaining about 
> an invalid line). aa-logprof will happily add another "capability chown" 
> if it hits a log entry for it. (But: we never got a bug report about not 
> supporting multi-capability lines, so I guess they are rarely used ;-)
> 
> I also added a parse_audit_allow() function to handle the audit and 
> allow/deny keywords. They are used in most rule types, which means we 
> can get rid of some duplicated code with this function.
> 
> 
> Finally, update utils/test/test-regex_matches.py - RE_PROFILE_CAP now 
> has 5 instead of 4 match groups because of the added multi-capability 
> support.
> 
> While on it, I also improved the error message in setup_regex_tests()
> to also show the rule that causes a problem.
> 
> 
> Feel free to comment about named match groups and the other changes 
> introduced with this patch in general. Capability is the "prototype", 
> similar patches for other rule types will follow sooner or later.
> (I won't complain if someone "grabs" one of the rule types so that I
> don't have to do everything ;-)

Given how complex the regular expressions we use are, named match groups
I think are a needed improvement, which is my way of saying that I like
the direction.

I'm assuming the patch was pasted into KMail, as it had some problems
applying locally due to a mis-formatting error:

>  RE_PROFILE_ALIAS        = re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
>  @@ -2747,22 +2759,18 @@

Also,

> @@ -3216,6 +3224,21 @@
>  
>      return profile_data
>  
> +def parse_audit_allow(matches):
> +    audit = False
> +    if matches.group('audit'):
> +        audit = True
> +
> +    allow = 'allow'
> +    allow_keyword = False
> +    if matches.group('allow'):
> +        allow = matches.group('allow').strip()
> +        allow_keyword = True
> +        if allow != 'allow' and allow != 'deny':  # should never happen
> +            raise AppArmorException(_("Invalid allow/deny keyword %s" % allow))
> +    
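
Review bot: in the raise at the end of parse_audit_allow(), the % interpolation happens inside the _() call, so gettext is asked to look up the already-formatted string and will not find a catalog entry for it. Move the interpolation outside the call, as in _("Invalid allow/deny keyword %s") % allow. The comparison just above it could also be written as allow not in ('allow', 'deny').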

I'm unclear if the extraneous whitespace (there's 4 spaces in the blank
line above) was due to KMail, or exists in your local modifications,
but if it's the latter, please remove it when committing. Which is
probably a funny way of saying Acked-by: Steve Beattie <steve at nxnw.org>.

Thanks!

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
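
The named-group approach discussed in this thread, as an added example that is not code from the patch or from AppArmor. RE_CAP, RuleError and parse_capability_rule() are hypothetical names, the pattern is a simplified stand-in for RE_PROFILE_CAP, and the return value of parse_audit_allow() is an assumption because the quoted hunk ends before it.

```python
import re

# Hypothetical pattern (not AppArmor's RE_PROFILE_CAP): optional "audit",
# optional "allow"/"deny", the keyword, zero or more capability names,
# the terminating comma and an optional trailing comment.
RE_CAP = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?'
    r'capability(?P<capability>(\s+[a-z_]+)*)\s*,\s*(#.*)?$')


class RuleError(Exception):
    """Stand-in for AppArmorException."""


def parse_audit_allow(matches):
    # Follows the logic of the quoted hunk; the returned tuple is assumed.
    audit = bool(matches.group('audit'))
    allow = 'allow'
    allow_keyword = False
    if matches.group('allow'):
        allow = matches.group('allow').strip()
        allow_keyword = True
        if allow not in ('allow', 'deny'):  # should never happen
            raise RuleError('Invalid allow/deny keyword %s' % allow)
    return audit, allow, allow_keyword


def parse_capability_rule(line):
    matches = RE_CAP.match(line)
    if not matches:
        raise RuleError('Not a capability rule: %s' % line)
    audit, allow, _keyword = parse_audit_allow(matches)
    # Groups are read by name, so adding a group to the pattern later
    # does not shift any index used here. An empty list means a bare
    # "capability," rule, which covers all capabilities.
    caps = matches.group('capability').split()
    return {'audit': audit, 'allow': allow, 'capabilities': caps}


if __name__ == '__main__':
    # Constructed sample rules.
    for rule in ('  audit deny capability sys_admin,',
                 'capability chown dac_override,',
                 'capability,  # everything'):
        print(rule.strip(), '->', parse_capability_rule(rule))
```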