[apparmor] [patch] [5/7] Use PtraceRule
Christian Boltz
apparmor at cboltz.de
Tue Dec 8 19:37:15 UTC 2015
Hello,
this patch changes aa.py to use PtraceRule and PtraceRuleset in
profile_storage(), parse_profile_data() and write_ptrace(). This also
means we can drop the now unused parse_ptrace_rule() and
write_ptrace_rules() functions.
Raw_Ptrace_Rule in rules.py is now also unused and can be dropped.
Also adjust logparser.py to include the peer in the result, and shorten
the list of known-failing tests in test-parser-simple-tests.py.
[ 32-use-PtraceRule.diff ]
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-11-23 23:18:44.164606953 +0100
+++ utils/apparmor/aa.py 2015-11-23 23:29:08.152598487 +0100
@@ -47,7 +47,7 @@
RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
RE_PROFILE_CHANGE_HAT,
RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT,
- RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT,
+ RE_PROFILE_PIVOT_ROOT,
RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
strip_quotes, parse_profile_start_line, re_match_include )
@@ -56,6 +56,7 @@
from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
from apparmor.rule.network import NetworkRuleset, NetworkRule
+from apparmor.rule.ptrace import PtraceRuleset, PtraceRule
from apparmor.rule.rlimit import RlimitRuleset, RlimitRule
from apparmor.rule.signal import SignalRuleset, SignalRule
from apparmor.rule import parse_modifiers, quote_if_needed
@@ -464,6 +465,7 @@
profile['capability'] = CapabilityRuleset()
profile['change_profile'] = ChangeProfileRuleset()
profile['network'] = NetworkRuleset()
+ profile['ptrace'] = PtraceRuleset()
profile['rlimit'] = RlimitRuleset()
profile['signal'] = SignalRuleset()
@@ -487,7 +489,6 @@
# dbus, mount, ptrace, pivot_root, unix have a .get() fallback to list() - initialize them nevertheless
profile['allow']['dbus'] = list()
profile['allow']['mount'] = list()
- profile['allow']['ptrace'] = list()
profile['allow']['pivot_root'] = list()
profile['allow']['unix'] = list()
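Review bot: The comment on the first line of this hunk still lists ptrace among the rule types that "have a .get() fallback to list()", but the hunk removes exactly that initialization and, per the profile_storage() hunk above, ptrace rules now live in `profile['ptrace']` as a PtraceRuleset. Update it to `# dbus, mount, pivot_root, unix have a .get() fallback to list() - initialize them nevertheless` so the next reader does not look for a list under 'allow'. If a matching `profile['deny']['ptrace'] = list()` exists outside this hunk it should presumably go too, since write_ptrace() no longer reads the 'deny' side. The enclosing profile_storage() body continues outside the hunk.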
@@ -2985,27 +2986,11 @@
profile_data[profile][hat]['signal'].add(SignalRule.parse(line))
- elif RE_PROFILE_PTRACE.search(line):
- matches = RE_PROFILE_PTRACE.search(line).groups()
-
+ elif PtraceRule.match(line):
if not profile:
raise AppArmorException(_('Syntax Error: Unexpected ptrace entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
- audit = False
- if matches[0]:
- audit = True
- allow = 'allow'
- if matches[1] and matches[1].strip() == 'deny':
- allow = 'deny'
- ptrace = matches[2].strip()
-
- ptrace_rule = parse_ptrace_rule(ptrace)
- ptrace_rule.audit = audit
- ptrace_rule.deny = (allow == 'deny')
-
- ptrace_rules = profile_data[profile][hat][allow].get('ptrace', list())
- ptrace_rules.append(ptrace_rule)
- profile_data[profile][hat][allow]['ptrace'] = ptrace_rules
+ profile_data[profile][hat]['ptrace'].add(PtraceRule.parse(line))
elif RE_PROFILE_PIVOT_ROOT.search(line):
matches = RE_PROFILE_PIVOT_ROOT.search(line).groups()
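Review bot: The only error on the new ptrace branch that carries file and line context is the "Unexpected ptrace entry" message; a syntax failure inside `PtraceRule.parse(line)` (the test-list hunk suggests the parser now rejects the ptrace/bad_* profiles, so it does raise) would surface without saying which file or line was being parsed. Consider catching AppArmorException around the `.add(PtraceRule.parse(line))` call and re-raising it with the same `%(file)s line: %(line)s` suffix the branch already uses for the unexpected-entry case; the signal branch above has the same gap, so a shared helper for both would keep the style consistent. Since audit and deny are now decided inside PtraceRule.parse() rather than by the caller, a one-line comment such as `# audit/deny flags are parsed by PtraceRule itself` would also help, as the old code made that explicit. The enclosing parse_profile_data() starts and ends outside this hunk.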
@@ -3150,10 +3135,6 @@
# XXX Do real parsing here
return aarules.Raw_Mount_Rule(line)
-def parse_ptrace_rule(line):
- # XXX Do real parsing here
- return aarules.Raw_Ptrace_Rule(line)
-
def parse_pivot_root_rule(line):
# XXX Do real parsing here
return aarules.Raw_Pivot_Root_Rule(line)
@@ -3364,22 +3345,10 @@
data = prof_data['signal'].get_clean(depth)
return data
-def write_ptrace_rules(prof_data, depth, allow):
- pre = ' ' * depth
- data = []
-
- # no ptrace rules, so return
- if not prof_data[allow].get('ptrace', False):
- return data
-
- for ptrace_rule in prof_data[allow]['ptrace']:
- data.append('%s%s' % (pre, ptrace_rule.serialize()))
- data.append('')
- return data
-
def write_ptrace(prof_data, depth):
- data = write_ptrace_rules(prof_data, depth, 'deny')
- data += write_ptrace_rules(prof_data, depth, 'allow')
+ data = []
+ if prof_data.get('ptrace', False):
+ data = prof_data['ptrace'].get_clean(depth)
return data
def write_pivot_root_rules(prof_data, depth, allow):
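Review bot: The removed write_ptrace_rules() emitted deny rules before allow rules explicitly, while the new write_ptrace() delegates ordering entirely to `prof_data['ptrace'].get_clean(depth)`; that is fine for policy semantics, because AppArmor deny rules take precedence regardless of textual position, but it is worth confirming that get_clean() preserves the deny-first layout so regenerated profiles do not churn in diffs. A short docstring stating that contract would help, e.g. `"""Return the ptrace rules of prof_data as indented text lines (via PtraceRuleset.get_clean); empty list when the profile has no ptrace ruleset."""`. The `.get('ptrace', False)` guard is defensive only, since profile_storage() now always creates the ruleset; a comment saying so would stop a later reader from treating the missing-key case as a real code path.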
=== modified file ./utils/apparmor/logparser.py
--- utils/apparmor/logparser.py 2015-11-19 20:52:32.955014068 +0100
+++ utils/apparmor/logparser.py 2015-11-23 21:12:40.780338464 +0100
@@ -140,6 +140,8 @@
elif ev['operation'] and ev['operation'] == 'signal':
ev['signal'] = event.signal
ev['peer'] = event.peer
+ elif ev['operation'] and ev['operation'] == 'ptrace':
+ ev['peer'] = event.peer
LibAppArmor.free_record(event)
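Review bot: The new ptrace branch copies only `event.peer` into ev, whereas a ptrace log event also carries the requested access (trace, read, readby, tracedby) in its mask fields; unless that mask is already copied generically earlier in this function (outside the hunk), a rule generated from ev would be `ptrace peer=...` with no access restriction, which is broader than the denied event warrants. If the mask is not already captured, add it alongside the peer, e.g. `ev['denied_mask'] = event.denied_mask` (hedged: the exact LibAppArmor attribute name is not visible here), so that the rule suggested later preserves least privilege. A one-line comment such as `# ptrace events: peer identifies the traced/tracing task; access comes from the mask` would document the intent. The enclosing parse_event() logic starts and ends outside this hunk.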
=== modified file ./utils/apparmor/rules.py
--- utils/apparmor/rules.py 2015-11-19 17:42:26.317879173 +0100
+++ utils/apparmor/rules.py 2015-11-23 23:24:51.646210516 +0100
@@ -71,9 +71,6 @@
class Raw_Mount_Rule(_Raw_Rule):
pass
-class Raw_Ptrace_Rule(_Raw_Rule):
- pass
-
class Raw_Pivot_Root_Rule(_Raw_Rule):
pass
=== modified file ./utils/test/test-parser-simple-tests.py
--- utils/test/test-parser-simple-tests.py 2015-11-19 17:42:26.329879090 +0100
+++ utils/test/test-parser-simple-tests.py 2015-11-23 23:42:12.571066522 +0100
@@ -125,15 +125,9 @@
'profile/flags/flags_bad_debug_3.sd',
'profile/flags/flags_bad_debug_4.sd',
'profile/simple_bad_no_close_brace4.sd',
- 'ptrace/bad_01.sd',
- 'ptrace/bad_02.sd',
- 'ptrace/bad_03.sd',
- 'ptrace/bad_04.sd',
- 'ptrace/bad_05.sd',
- 'ptrace/bad_06.sd',
- 'ptrace/bad_07.sd',
- 'ptrace/bad_08.sd',
- 'ptrace/bad_10.sd',
+ 'ptrace/bad_05.sd', # actually contains a capability rule with invalid (ptrace-related) keyword
+ 'ptrace/bad_06.sd', # actually contains a capability rule with invalid (ptrace-related) keyword
+ 'ptrace/bad_10.sd', # peer with invalid regex
'signal/bad_21.sd', # invalid regex
'unix/bad_attr_1.sd',
'unix/bad_attr_2.sd',
Regards,
Christian Boltz
--
Böse Zungen behaupten, ein unterschriebenes Zertifikat bescheinigt
dem Client, daß ein unbekannter Serverbetreiber einem unbekannten
CA-Betreiber Geld bezahlt hat. Das ist natürlich für eine Kommunikation
eine eher nutzlose Garantie.
[http://blog.koehntopp.de/archives/3166-Not-Fixing-SSL.html]