[apparmor] [patch] Remove support for writing change hat declarations ("^hat, ")
Kshitij Gupta
kgupta8592 at gmail.com
Fri Jun 19 18:15:34 UTC 2015
Hello,
On Sun, Jun 7, 2015 at 6:21 PM, Christian Boltz <apparmor at cboltz.de> wrote:
> Hello,
>
> change hat declarations ("^hat,") are no longer supported (see patch 46
> for details). Therefore remove support for writing them.
>
> This also means to completely remove the 'declared' flag, which was only
> needed for hat declarations, and was (after applying patch 46) always
> set to False.
>
> Also add a hat to the cleanprof_test.{in,out} test profile to make sure
> aa-cleanprof doesn't break hats.
>
> (This is "just" a cleanup, so trunk only)
>
>
> [ 47-remove-support-for-writing-hat-declarations.diff ]
>
> === modified file utils/apparmor/aa.py
> --- utils/apparmor/aa.py 2015-06-07 14:09:36.000405129 +0200
> +++ utils/apparmor/aa.py 2015-06-07 14:32:03.483282738 +0200
> @@ -108,7 +108,7 @@
> # a) rules (as dict): alias, include, lvar
> # b) rules (as hasher): allow, deny
> # c) one for each rule class
> -# d) other: declared, external, flags, name, profile, attachment,
> initial_comment,
> +# d) other: external, flags, name, profile, attachment, initial_comment,
> # profile_keyword, header_comment (these two are currently only
> set by set_profile_flags())
> aa = hasher() # Profiles originally in sd, replace by aa
> original_aa = hasher()
> @@ -1442,7 +1442,6 @@
> ynans = aaui.UI_YesNo(_('A profile for %s
> does not exist.\nDo you want to create one?') % exec_target, 'n')
> if ynans == 'y':
> hat = exec_target
> - aa[profile][hat]['declared'] = False
> aa[profile][hat]['profile'] = True
>
> if profile != hat:
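Review bot: with this initialisation of `aa[profile][hat]['declared']` gone, any remaining reader that indexes `['declared']` directly (rather than `.get('declared', False)`) will raise a KeyError for hats created on this path; the hunks further down remove the readers in the writer and the cleanprof comparison, but a grep of aa.py for the key before merging is cheap insurance.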
> @@ -3007,7 +3006,6 @@
> flags = matches.group('flags')
>
> profile_data[profile][hat]['flags'] = flags
> - profile_data[profile][hat]['declared'] = False
> #profile_data[profile][hat]['allow']['path'] = hasher()
> #profile_data[profile][hat]['allow']['netdomain'] = hasher()
>
> @@ -3473,15 +3471,11 @@
> data += write_rules(profile_data[name], depth + 1)
>
> pre2 = ' ' * (depth + 1)
> - # External hat declarations
> - for hat in list(filter(lambda x: x != name,
> sorted(profile_data.keys()))):
> - if profile_data[hat].get('declared', False):
> - data.append('%s^%s,' % (pre2, hat))
>
> if not inhat:
> # Embedded hats
> for hat in list(filter(lambda x: x != name,
> sorted(profile_data.keys()))):
> - if not profile_data[hat]['external'] and not
> profile_data[hat]['declared']:
> + if not profile_data[hat]['external']:
> data.append('')
> if profile_data[hat]['profile']:
> data += list(map(str, write_header(profile_data[hat],
> depth + 1, hat, True, write_flags)))
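Review bot: after the "External hat declarations" loop is dropped, `pre2 = ' ' * (depth + 1)` has no user left in the visible context; confirm it is still consumed further down (for example by the closing `}` of each embedded hat), and if not, remove the assignment in the same patch so a lint run does not flag it later.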
> @@ -3730,7 +3724,7 @@
> depth = int((len(line) - len(line.lstrip())) / 2)
> pre2 = ' ' * (depth + 1)
> for hat in list(filter(lambda x: x != name,
> sorted(profile_data.keys()))):
> - if not profile_data[hat]['external'] and not
> profile_data[hat]['declared']:
> + if not profile_data[hat]['external']:
> data.append('')
> if profile_data[hat]['profile']:
> data += list(map(str,
> write_header(profile_data[hat], depth + 1, hat, True, include_flags)))
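Review bot: this loop body (the `external` test, the blank line, the `profile`/`^hat` header choice) is now identical to the one in the previous hunk, differing only in the flags argument; if both writers keep being touched in lock-step like this, a shared helper would be worth a follow-up cleanup so the two cannot drift apart again.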
> @@ -3990,16 +3984,9 @@
> data.append(line)
>
> elif RE_PROFILE_CHANGE_HAT.search(line):
> - matches = RE_PROFILE_CHANGE_HAT.search(line).groups()
> - hat = matches[0]
> - hat = strip_quotes(hat)
> - if not write_prof_data[hat]['declared']:
> - correct = False
> - if correct:
> - data.append(line)
> - else:
> - #To-Do
> - pass
> + # "^hat," declarations are no longer supported, ignore
> them and don't write out the line
> + # (parse_profile_data() already prints a warning about
> that)
> + pass
> elif RE_PROFILE_HAT_DEF.search(line):
> matches = RE_PROFILE_HAT_DEF.search(line)
> in_contained_hat = True
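Review bot: replacing the whole branch with `pass` silently drops the `^hat,` line from the serialised output while leaving `correct` untouched, so the rewritten profile differs from the input without this function recording it; the comment relies on parse_profile_data() having already printed a warning, but that warning is not visible in this hunk, so confirm it is actually reached on the aa-cleanprof path (or emit it here as well) so the user sees why the line vanished.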
> @@ -4009,8 +3996,6 @@
>
> if not write_prof_data[hat]['flags'] == flags:
> correct = False
> - if not write_prof_data[hat]['declared'] is False:
> - correct = False
> if not write_filelist['profile'][profile][hat]:
> correct = False
> if correct:
> === modified file utils/test/cleanprof_test.in
> --- utils/test/cleanprof_test.in 2015-05-25 17:30:59.798783638
> +0200
> +++ utils/test/cleanprof_test.in 2015-06-07 14:45:06.807307887
> +0200
> @@ -7,6 +7,12 @@
> #Below rule comes from abstractions/base
> allow /usr/share/X11/locale/** r,
> allow /home/*/** r,
> +
> + ^foo {
> + /etc/fstab r,
> + capability dac_override,
> + }
> +
>
Umm, why not also add a test for the removed/incorrect case of hat
declaration? The output would remain untouched, just a ^foo, would be added
(if I understand correctly).
> allow /home/foo/bar r,
> allow /home/foo/** w,
> }
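Review bot: the new test input only adds an embedded `^foo { ... }` block, so it exercises the embedded-hat writer but not the code this patch changes, the `^hat,` declaration branch that now hits `pass`; adding a `^foo,` declaration line to cleanprof_test.in (with no matching line in the .out file) would cover the removal and guard against the line being written back.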
> === modified file utils/test/cleanprof_test.out
> --- utils/test/cleanprof_test.out 2015-05-25 17:30:59.798783638 +0200
> +++ utils/test/cleanprof_test.out 2015-06-07 14:46:15.334296605 +0200
> @@ -9,6 +9,13 @@
> /home/*/** r,
> /home/foo/** w,
>
> +
> + ^foo {
> + capability dac_override,
> +
> + /etc/fstab r,
> +
> + }
> }
> /usr/bin/other/cleanprof/test/profile {
> /home/*/** rw,
>
>
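Review bot: the expected output locks in two consecutive blank lines before `^foo {` (the context blank line plus the added `+` blank) and a blank line before the hat's closing `}`; that is whatever the writer emits today and is fine as a regression baseline, but be aware that any later whitespace cleanup of the writer will have to touch this file too.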
Thanks for the patch. Looks fine to me.
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.
>
> Regards,
>
> Christian Boltz
> --
> IT is everything that is more complicated than pushing buttons in
> the elevator. [from http://www.orkpiraten.de/blog/ugly-kid-jeans]
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
--
Regards,
Kshitij Gupta