[apparmor] [patch] Centralize the 'ruletypes' list

Christian Boltz apparmor at cboltz.de
Thu Dec 3 20:55:31 UTC 2015


Hello,

having a list of rule types/classes at several places is annoying and
error-prone. This patch centralizes the list in aa.py.

This also means ask_the_question() in aa.py will now (in theory) support
'change_profile' and 'rlimit'. In practice, that doesn't change anything
because logparser.py doesn't support change_profile events yet - and
rlimit doesn't cause any log events.

Also add some long overdue copyright headers.


[ 24-centralize-ruletypes.diff ]

=== modified file ./utils/aa-mergeprof
--- utils/aa-mergeprof  2015-11-19 17:42:26.317879173 +0100
+++ utils/aa-mergeprof  2015-12-02 22:37:23.198671126 +0100
@@ -1,6 +1,7 @@
 #! /usr/bin/env python
 # ----------------------------------------------------------------------
 #    Copyright (C) 2013 Kshitij Gupta <kgupta8592 at gmail.com>
+#    Copyright (C) 2014-2015 Christian Boltz <apparmor at cboltz.de>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -631,7 +632,7 @@
                             elif re.search('\d', ans):
                                 default_option = ans
 
-            for ruletype in ['capability', 'change_profile', 'network', 'rlimit', 'signal']:
+            for ruletype in apparmor.aa.ruletypes:
                 if other.aa[profile][hat].get(ruletype, False): # needed until we have proper profile initialization
                     for rule_obj in other.aa[profile][hat][ruletype].rules:
 
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-11-29 21:05:50.338348194 +0100
+++ utils/apparmor/aa.py        2015-12-02 22:29:55.825439595 +0100
@@ -61,6 +61,8 @@
 from apparmor.rule.signal     import SignalRuleset,    SignalRule
 from apparmor.rule import parse_modifiers, quote_if_needed
 
+ruletypes = ['capability', 'change_profile', 'network', 'rlimit', 'signal']
+
 from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
 
 # setup module translations
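Review bot: the new `ruletypes = [...]` assignment sits between two `from apparmor... import` lines and splits the import block; move it below `from apparmor.yasti import ...` so the imports stay grouped and the constant is easy to find. A one-line comment noting that aa-mergeprof and cleanprofile.py import this list would also help, since editing it here now changes all three callers.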
@@ -1677,7 +1679,7 @@
                             signal_obj = SignalRule(access, signal, peer, log_event=aamode)
                             log_obj[profile][hat]['signal'].add(signal_obj)
 
-                for ruletype in ['capability', 'network', 'signal']:
+                for ruletype in ruletypes:
                     # XXX aa-mergeprof also has this code - if you change it, keep aa-mergeprof in sync!
                     for rule_obj in log_obj[profile][hat][ruletype].rules:
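Review bot: widening this loop from three to five rule types drops the `.get(ruletype, False)` guard that the aa-mergeprof copy of the same loop keeps (see its `# needed until we have proper profile initialization` line); `log_obj[profile][hat][ruletype].rules` will raise KeyError for 'change_profile' and 'rlimit' unless every hat in log_obj is initialised with all five rulesets. Either confirm that initialisation or mirror the guard here. The `XXX ... keep aa-mergeprof in sync` comment could also mention that the list itself is now shared.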
 
@@ -2161,8 +2163,6 @@
     # Allow rules covered by denied rules shouldn't be deleted
     # only a subset allow rules may actually be denied
 
-    ruletypes = ['capability', 'change_profile', 'network', 'rlimit', 'signal']
-
     if include.get(incname, False):
         for rule_type in ruletypes:
             deleted += profile[rule_type].delete_duplicates(include[incname][incname][rule_type])
=== modified file ./utils/apparmor/cleanprofile.py
--- utils/apparmor/cleanprofile.py      2015-11-19 17:42:26.317879173 +0100
+++ utils/apparmor/cleanprofile.py      2015-12-02 22:37:19.298695423 +0100
@@ -1,5 +1,6 @@
 # ----------------------------------------------------------------------
 #    Copyright (C) 2013 Kshitij Gupta <kgupta8592 at gmail.com>
+#    Copyright (C) 2014-2015 Christian Boltz <apparmor at cboltz.de>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -64,7 +65,7 @@
                 deleted += apparmor.delete_duplicates(self.other.aa[program][hat], inc)
 
             #Clean duplicate rules in other profile
-            for ruletype in ['capability', 'change_profile', 'network', 'rlimit', 'signal']:
+            for ruletype in apparmor.ruletypes:
                 if not self.same_file:
                     deleted += self.other.aa[program][hat][ruletype].delete_duplicates(self.profile.aa[program][hat][ruletype])
                 else:
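Review bot: this file refers to the list as `apparmor.ruletypes` while aa-mergeprof uses `apparmor.aa.ruletypes`; since the constant lives in utils/apparmor/aa.py, the spelling here only resolves if `apparmor` in cleanprofile.py is bound to the aa module (the `apparmor.delete_duplicates(...)` context line above suggests it is, as delete_duplicates is defined in aa.py). Worth confirming, and using the same spelling in both callers.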


Regards,

Christian Boltz
-- 
[BILD] As a criminal defence lawyer of many years (and a fan of Volker
Pispers), I must however urgently warn against wrapping stinking dead fish
in this free copy of the so-called "newspaper", because that could lead to
criminal proceedings for insult to the detriment of the fish.
[http://www.kanzlei-hoenig.de/2012/keine-stinkende-tote-fische-im-briefkasten/]