[apparmor] [patch] Improve validate_profile_mode() and drop PROFILE_MODE_NT_RE

Christian Boltz apparmor at cboltz.de
Sun Jul 5 13:53:20 UTC 2015


The only difference between PROFILE_MODE_RE and PROFILE_MODE_NT_RE
was that the latter one additionally allowed 'x', which looks wrong.
(Standalone 'x' is ok for deny rules, but those are handled by

This patch completely drops PROFILE_MODE_NT_RE and the related code in

Also wrap the two remaining regexes in '^(...)+$' instead of doing it
inside validate_profile_mode(). This makes the code more readable and
also results in a 2% performance improvement when parsing profiles.

I propose this patch for trunk and 2.9, even if it's not as important
for 2.9 as the previous patch.

Fun fact: this was introduced by John in SubDomain.pm r1097 with the
"helpful" commit message "Add new exec modes and many bug fixes" which
described a 634 insertions(+), 226 deletions(-) commit.

[ 64-improve-validate-profile-mode.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-07-05 15:21:55.663027403 +0200
+++ utils/apparmor/aa.py        2015-07-05 15:33:14.837384490 +0200
@@ -2422,28 +2422,18 @@
                         if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)):
                             log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True
-PROFILE_MODE_RE = re.compile('r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix')
-PROFILE_MODE_NT_RE = re.compile('r|w|l|m|k|a|x|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix')
-PROFILE_MODE_DENY_RE = re.compile('r|w|l|m|k|a|x')
+PROFILE_MODE_RE      = re.compile('^(r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix)+$')
+PROFILE_MODE_DENY_RE = re.compile('^(r|w|l|m|k|a|x)+$')
 def validate_profile_mode(mode, allow, nt_name=None):
     if allow == 'deny':
-        pattern = '^(%s)+$' % PROFILE_MODE_DENY_RE.pattern
-        if re.search(pattern, mode):
-            return True
-        else:
-            return False
-    elif nt_name:
-        pattern = '^(%s)+$' % PROFILE_MODE_NT_RE.pattern
-        if re.search(pattern, mode):
+        if PROFILE_MODE_DENY_RE.search(mode):
             return True
             return False
-        pattern = '^(%s)+$' % PROFILE_MODE_RE.pattern
-        if re.search(pattern, mode):
+        if PROFILE_MODE_RE.search(mode):
             return True
             return False
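Review bot: the nt_name parameter stays in the validate_profile_mode(mode, allow, nt_name=None) signature although the `elif nt_name:` branch that used it is removed in this hunk, so it is now dead; either drop it and update the callers, or add a comment saying it is kept for compatibility. Two smaller points on the same hunk: with re.search() and a pattern ending in '$', a mode string with a trailing newline (e.g. 'rw\n') still validates because '$' also matches before a final newline, so anchoring with '\Z' or using fullmatch() (Python 3.4+) would close that; and as quoted here the unchanged `return False` lines sit at the same indentation as the `return True` directly above them, which would make them unreachable, so if the `else:` context lines fell out of the quoted hunk, confirm the applied file still has them.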


Christian Boltz
Even if there CAN'T be anything there and you would rather add new
parameters: would you do ME the favour and read through your main.cf
at least ONCE for odd line breaks and entries? Just for my sake,
please. I know, it's nonsense of course. Will you do it anyway?
[Peer Heinlein in postfixbuch-users]
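The effect of the '^(...)+$' wrapping and of dropping the standalone 'x' for allow rules, as an added example that is not code from utils/apparmor/aa.py or the patch itself. It reconstructs the two regexes as the patch leaves them, runs them over a constructed set of mode strings, and adds a fullmatch() variant (assumes Python 3.4+) to show the trailing-newline corner case that re.search() with '$' lets through:

```python
import re

# Added example, not the project's code: the two mode regexes as the patch
# leaves them, wrapped in '^(...)+$' so the whole string must consist of one
# or more permission tokens. Allow rules need a qualified exec mode (ix, px,
# ux, ...); deny rules may use a bare 'x'.
PROFILE_MODE_RE = re.compile(
    '^(r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix)+$')
PROFILE_MODE_DENY_RE = re.compile('^(r|w|l|m|k|a|x)+$')


def validate_profile_mode(mode, allow):
    """Mirror of the patched validator (nt_name parameter omitted, as the
    patch leaves it unused): True if every character belongs to a token."""
    pattern = PROFILE_MODE_DENY_RE if allow == 'deny' else PROFILE_MODE_RE
    return bool(pattern.search(mode))


def validate_profile_mode_strict(mode, allow):
    """Same check via fullmatch(), which refuses a trailing newline that
    '$' in search() would tolerate (assumption: Python 3.4+ available)."""
    pattern = PROFILE_MODE_DENY_RE if allow == 'deny' else PROFILE_MODE_RE
    return pattern.fullmatch(mode) is not None


# Constructed sample inputs: (mode string, rule type)
SAMPLE_MODES = [
    ('rw', 'allow'),     # plain read/write
    ('pux', 'allow'),    # qualified exec mode
    ('Pixr', 'allow'),   # tokens may be concatenated in any order
    ('x', 'allow'),      # bare 'x' is what PROFILE_MODE_NT_RE wrongly allowed
    ('PUX', 'allow'),    # case matters: no token 'PUX'
    ('', 'allow'),       # '+' requires at least one token
    ('rwx', 'deny'),     # bare 'x' is fine for deny rules
    ('pix', 'deny'),     # exec qualifiers are not deny tokens
    ('rw\n', 'allow'),   # trailing newline: search() accepts, fullmatch() rejects
]


def classify(modes=SAMPLE_MODES):
    """Return {(mode, allow): (search_result, fullmatch_result)}."""
    return {
        (mode, allow): (validate_profile_mode(mode, allow),
                        validate_profile_mode_strict(mode, allow))
        for mode, allow in modes
    }


if __name__ == '__main__':
    for (mode, allow), (loose, strict) in classify().items():
        print('%-6r %-5s search=%-5s fullmatch=%s' % (mode, allow, loose, strict))
```

The only row where the two validators disagree is 'rw\n'; everywhere else the '^(...)+$' anchoring already does what the patch intends, and the bare 'x' is rejected for allow rules while still passing for deny rules.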
