[apparmor] [patch] [5/7] Use PtraceRule

John Johansen john.johansen at canonical.com
Sat Dec 26 23:35:48 UTC 2015


On 12/08/2015 11:37 AM, Christian Boltz wrote:
> Hello,
> 
> this patch changes aa.py to use PtraceRule and PtraceRuleset in 
> profile_storage(), parse_profile_data() and write_ptrace(). This also 
> means we can drop the now unused parse_ptrace_rule() and 
> write_ptrace_rules() functions.
> 
> Raw_Ptrace_Rule in rules.py is now also unused and can be dropped.
> 
> Also adjust logparser.py to include the peer in the result, and shorten
> the list of known-failing tests in test-parser-simple-tests.py.
> 
> 
Acked-by: John Johansen <john.johansen at canonical.com>

> [ 32-use-PtraceRule.diff ]
> 
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-11-23 23:18:44.164606953 +0100
> +++ utils/apparmor/aa.py        2015-11-23 23:29:08.152598487 +0100
> @@ -47,7 +47,7 @@
>                              RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
>                              RE_PROFILE_CHANGE_HAT,
>                              RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT,
> -                            RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT,
> +                            RE_PROFILE_PIVOT_ROOT,
>                              RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
>                              strip_quotes, parse_profile_start_line, re_match_include )
>  
> @@ -56,6 +56,7 @@
>  from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
>  from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
>  from apparmor.rule.network    import NetworkRuleset,    NetworkRule
> +from apparmor.rule.ptrace     import PtraceRuleset,    PtraceRule
>  from apparmor.rule.rlimit     import RlimitRuleset,    RlimitRule
>  from apparmor.rule.signal     import SignalRuleset,    SignalRule
>  from apparmor.rule import parse_modifiers, quote_if_needed
> @@ -464,6 +465,7 @@
>      profile['capability']       = CapabilityRuleset()
>      profile['change_profile']   = ChangeProfileRuleset()
>      profile['network']          = NetworkRuleset()
> +    profile['ptrace']           = PtraceRuleset()
>      profile['rlimit']           = RlimitRuleset()
>      profile['signal']           = SignalRuleset()
>  
> @@ -487,7 +489,6 @@
>      # dbus, mount, ptrace, pivot_root, unix have a .get() fallback to list() - initialize them nevertheless
>      profile['allow']['dbus'] = list()
>      profile['allow']['mount'] = list()
> -    profile['allow']['ptrace'] = list()
>      profile['allow']['pivot_root'] = list()
>      profile['allow']['unix'] = list()
>  
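Review bot: The comment kept on the line above the removed initialisation still lists ptrace among the keys that have a `.get()` fallback to `list()`, but this hunk drops that initialisation and the parse_profile_data hunk now adds straight into `profile_data[profile][hat]['ptrace']`, so the list in the comment no longer matches the code. Suggest `# dbus, mount, pivot_root, unix have a .get() fallback to list() - initialize them nevertheless`. The enclosing function (presumably profile_storage, per the patch description) starts and ends outside this hunk.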
> @@ -2985,27 +2986,11 @@
>  
>              profile_data[profile][hat]['signal'].add(SignalRule.parse(line))
>  
> -        elif RE_PROFILE_PTRACE.search(line):
> -            matches = RE_PROFILE_PTRACE.search(line).groups()
> -
> +        elif PtraceRule.match(line):
>              if not profile:
>                  raise AppArmorException(_('Syntax Error: Unexpected ptrace entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
>  
> -            audit = False
> -            if matches[0]:
> -                audit = True
> -            allow = 'allow'
> -            if matches[1] and matches[1].strip() == 'deny':
> -                allow = 'deny'
> -            ptrace = matches[2].strip()
> -
> -            ptrace_rule = parse_ptrace_rule(ptrace)
> -            ptrace_rule.audit = audit
> -            ptrace_rule.deny = (allow == 'deny')
> -
> -            ptrace_rules = profile_data[profile][hat][allow].get('ptrace', list())
> -            ptrace_rules.append(ptrace_rule)
> -            profile_data[profile][hat][allow]['ptrace'] = ptrace_rules
> +            profile_data[profile][hat]['ptrace'].add(PtraceRule.parse(line))
>  
>          elif RE_PROFILE_PIVOT_ROOT.search(line):
>              matches = RE_PROFILE_PIVOT_ROOT.search(line).groups()
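Review bot: The removed lines carried the audit and deny modifiers into the stored rule explicitly (`ptrace_rule.audit`, `ptrace_rule.deny`) and split rules between the allow and deny buckets; the new branch relies entirely on `PtraceRule.parse(line)` to preserve those modifiers, which this patch does not show. A parser test asserting that a `deny ptrace` line round-trips through write_ptrace() as a deny rule would pin that down, since a dropped deny modifier would silently widen the written policy. The enclosing function continues outside the hunk on both sides.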
> @@ -3150,10 +3135,6 @@
>      # XXX Do real parsing here
>      return aarules.Raw_Mount_Rule(line)
>  
> -def parse_ptrace_rule(line):
> -    # XXX Do real parsing here
> -    return aarules.Raw_Ptrace_Rule(line)
> -
>  def parse_pivot_root_rule(line):
>      # XXX Do real parsing here
>      return aarules.Raw_Pivot_Root_Rule(line)
> @@ -3364,22 +3345,10 @@
>          data = prof_data['signal'].get_clean(depth)
>      return data
>  
> -def write_ptrace_rules(prof_data, depth, allow):
> -    pre = '  ' * depth
> -    data = []
> -
> -    # no ptrace rules, so return
> -    if not prof_data[allow].get('ptrace', False):
> -        return data
> -
> -    for ptrace_rule in prof_data[allow]['ptrace']:
> -        data.append('%s%s' % (pre, ptrace_rule.serialize()))
> -    data.append('')
> -    return data
> -
>  def write_ptrace(prof_data, depth):
> -    data = write_ptrace_rules(prof_data, depth, 'deny')
> -    data += write_ptrace_rules(prof_data, depth, 'allow')
> +    data = []
> +    if prof_data.get('ptrace', False):
> +        data = prof_data['ptrace'].get_clean(depth)
>      return data
>  
>  def write_pivot_root_rules(prof_data, depth, allow):
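Review bot: write_ptrace() has no docstring, and the new guard `if prof_data.get('ptrace', False):` now tests the truthiness of a PtraceRuleset rather than of a list, so whether an empty ruleset short-circuits here or reaches get_clean() depends on whether the ruleset class defines `__len__`/`__bool__` — not visible in this patch; confirm the empty case yields `[]` either way, as the removed list-based code did. Suggest a one-line docstring: `"""Return the lines from prof_data['ptrace'].get_clean(depth), or [] when the profile has no ptrace ruleset."""`. The signal writer a few lines above uses the same pattern, so whatever holds there holds here.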
> === modified file ./utils/apparmor/logparser.py
> --- utils/apparmor/logparser.py 2015-11-19 20:52:32.955014068 +0100
> +++ utils/apparmor/logparser.py 2015-11-23 21:12:40.780338464 +0100
> @@ -140,6 +140,8 @@
>          elif ev['operation'] and ev['operation'] == 'signal':
>              ev['signal'] = event.signal
>              ev['peer'] = event.peer
> +        elif ev['operation'] and ev['operation'] == 'ptrace':
> +            ev['peer'] = event.peer
>  
>          LibAppArmor.free_record(event)
>  
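Review bot: The new guard `ev['operation'] and ev['operation'] == 'ptrace'` has a redundant first operand, since an empty or None operation can never compare equal to 'ptrace'; `elif ev['operation'] == 'ptrace':` is enough. It copies the form of the signal branch directly above, so keeping it for symmetry is defensible, but the simpler form reads better for new code. The enclosing function starts and ends outside this hunk.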
> === modified file ./utils/apparmor/rules.py
> --- utils/apparmor/rules.py     2015-11-19 17:42:26.317879173 +0100
> +++ utils/apparmor/rules.py     2015-11-23 23:24:51.646210516 +0100
> @@ -71,9 +71,6 @@
>  class Raw_Mount_Rule(_Raw_Rule):
>      pass
>  
> -class Raw_Ptrace_Rule(_Raw_Rule):
> -    pass
> -
>  class Raw_Pivot_Root_Rule(_Raw_Rule):
>      pass
>  
> === modified file ./utils/test/test-parser-simple-tests.py
> --- utils/test/test-parser-simple-tests.py      2015-11-19 17:42:26.329879090 +0100
> +++ utils/test/test-parser-simple-tests.py      2015-11-23 23:42:12.571066522 +0100
> @@ -125,15 +125,9 @@
>      'profile/flags/flags_bad_debug_3.sd',
>      'profile/flags/flags_bad_debug_4.sd',
>      'profile/simple_bad_no_close_brace4.sd',
> -    'ptrace/bad_01.sd',
> -    'ptrace/bad_02.sd',
> -    'ptrace/bad_03.sd',
> -    'ptrace/bad_04.sd',
> -    'ptrace/bad_05.sd',
> -    'ptrace/bad_06.sd',
> -    'ptrace/bad_07.sd',
> -    'ptrace/bad_08.sd',
> -    'ptrace/bad_10.sd',
> +    'ptrace/bad_05.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword
> +    'ptrace/bad_06.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword
> +    'ptrace/bad_10.sd',  # peer with invalid regex
>      'signal/bad_21.sd',  # invalid regex
>      'unix/bad_attr_1.sd',
>      'unix/bad_attr_2.sd',
> 
> 
> Regards,
> 
> Christian Boltz
> 



