[apparmor] [patch] Change aa.py to use RlimitRule and RlimitRuleset
Kshitij Gupta
kgupta8592 at gmail.com
Fri Jun 19 18:48:16 UTC 2015
Hello,
On Fri, Jun 5, 2015 at 6:56 PM, Christian Boltz <apparmor at cboltz.de> wrote:
> Hello,
>
> this patch changes aa.py to use RlimitRule and RlimitRuleset instead of
> a sub-hasher to store and write rlimit rules. In detail:
> - drop all rlimit rule parsing from parse_profile_data() and
> serialize_profile_from_old_profile() - instead, just call
> RlimitRule.parse()
> - change write_rlimits() to use RlimitRuleset
> - add removal of superfluous/duplicate change_profile rules (the old
> code didn't do this)
> - update the comment about aa[profile][hat] usage - rlimit and
> change_profile are no longer dicts.
>
> Also cleanup RE_PROFILE_RLIMIT in regex.py - the parenthesis around
> '<=' are no longer needed.
>
>
> Note: This patch is quite small because aa-logprof doesn't ask for
> rlimit rules.
>
> I tested all changes manually with aa-cleanprof and aa-logprof (adding
> some file rules, rlimit rules kept unchanged)
>
>
> [ 44-use-RlimitRule.diff ]
>
> Thanks for the patch. Looks fine to me.
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.
=== modified file utils/apparmor/aa.py
> --- utils/apparmor/aa.py 2015-06-05 14:07:18.252686648 +0200
> +++ utils/apparmor/aa.py 2015-06-05 14:40:18.998189733 +0200
> @@ -41,7 +41,7 @@
> flatten_mode, owner_flatten_mode)
>
> from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END,
> RE_PROFILE_LINK,
> - RE_PROFILE_ALIAS, RE_PROFILE_RLIMIT,
> + RE_PROFILE_ALIAS,
> RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE,
> RE_PROFILE_CONDITIONAL,
> RE_PROFILE_CONDITIONAL_VARIABLE,
> RE_PROFILE_CONDITIONAL_BOOLEAN,
> RE_PROFILE_BARE_FILE_ENTRY,
> RE_PROFILE_PATH_ENTRY,
> @@ -56,6 +56,7 @@
> from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
> from apparmor.rule.change_profile import ChangeProfileRuleset,
> ChangeProfileRule
> from apparmor.rule.network import NetworkRuleset, NetworkRule
> +from apparmor.rule.rlimit import RlimitRuleset, RlimitRule
> from apparmor.rule import parse_modifiers, quote_if_needed
>
> from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
> @@ -104,7 +105,7 @@
> transitions = hasher()
>
> # keys used in aa[profile][hat]:
> -# a) rules (as dict): alias, change_profile, include, lvar, rlimit
> +# a) rules (as dict): alias, include, lvar
> # b) rules (as hasher): allow, deny
> # c) one for each rule class
> # d) other: declared, external, flags, name, profile, attachment,
> initial_comment,
> @@ -2069,6 +2070,7 @@
> deleted +=
> profile['network'].delete_duplicates(include[incname][incname]['network'])
> deleted +=
> profile['capability'].delete_duplicates(include[incname][incname]['capability'])
> deleted +=
> profile['change_profile'].delete_duplicates(include[incname][incname]['change_profile'])
> + deleted +=
> profile['rlimit'].delete_duplicates(include[incname][incname]['rlimit'])
>
> deleted += delete_path_duplicates(profile, incname, 'allow')
> deleted += delete_path_duplicates(profile, incname, 'deny')
> @@ -2077,6 +2079,7 @@
> deleted +=
> profile['network'].delete_duplicates(filelist[incname][incname]['network'])
> deleted +=
> profile['capability'].delete_duplicates(filelist[incname][incname]['capability'])
> deleted +=
> profile['change_profile'].delete_duplicates(filelist[incname][incname]['change_profile'])
> + deleted +=
> profile['rlimit'].delete_duplicates(filelist[incname][incname]['rlimit'])
>
> deleted += delete_path_duplicates(profile, incname, 'allow')
> deleted += delete_path_duplicates(profile, incname, 'deny')
> @@ -2597,6 +2600,7 @@
>
> profile_data[profile][hat]['network'] = NetworkRuleset()
> profile_data[profile][hat]['change_profile'] =
> ChangeProfileRuleset()
> + profile_data[profile][hat]['rlimit'] = RlimitRuleset()
> profile_data[profile][hat]['allow']['path'] = hasher()
> profile_data[profile][hat]['allow']['dbus'] = list()
> profile_data[profile][hat]['allow']['mount'] = list()
> @@ -2688,16 +2692,15 @@
> filelist[file] = hasher()
> filelist[file]['alias'][from_name] = to_name
>
> - elif RE_PROFILE_RLIMIT.search(line):
> - matches = RE_PROFILE_RLIMIT.search(line).groups()
> -
> + elif RlimitRule.match(line):
> if not profile:
> raise AppArmorException(_('Syntax Error: Unexpected
> rlimit entry found in file: %(file)s line: %(line)s') % { 'file': file,
> 'line': lineno + 1 })
>
> - from_name = matches[0]
> - to_name = matches[2]
> + # init rule class (if not done yet)
> + if not profile_data[profile][hat].get('rlimit', False):
> + profile_data[profile][hat]['rlimit'] = RlimitRuleset()
>
> - profile_data[profile][hat]['rlimit'][from_name] = to_name
> +
> profile_data[profile][hat]['rlimit'].add(RlimitRule.parse(line))
>
> elif RE_PROFILE_BOOLEAN.search(line):
> matches = RE_PROFILE_BOOLEAN.search(line)
> @@ -3227,7 +3230,10 @@
> return write_pair(prof_data, depth, '', 'alias', 'alias ', ' -> ',
> ',', quote_if_needed)
>
> def write_rlimits(prof_data, depth):
> - return write_pair(prof_data, depth, '', 'rlimit', 'set rlimit ', ' <=
> ', ',', quote_if_needed)
> + data = []
> + if prof_data.get('rlimit', False):
> + data = prof_data['rlimit'].get_clean(depth)
> + return data
>
> def var_transform(ref):
> data = []
> @@ -3831,20 +3837,14 @@
> #To-Do
> pass
>
> - elif RE_PROFILE_RLIMIT.search(line):
> - matches = RE_PROFILE_RLIMIT.search(line).groups()
> + elif RlimitRule.match(line):
> + rlimit_obj = RlimitRule.parse(line)
>
> - from_name = matches[0]
> - to_name = matches[2]
> -
> - if not write_prof_data[hat]['rlimit'][from_name] ==
> to_name:
> - correct = False
> -
> - if correct:
> + if write_prof_data[hat]['rlimit'].is_covered(rlimit_obj,
> True, True):
> if not segments['rlimit'] and True in
> segments.values():
> data +=
> write_prior_segments(write_prof_data[name], segments, line)
> segments['rlimit'] = True
> - write_prof_data[hat]['rlimit'].pop(from_name)
> + write_prof_data[hat]['rlimit'].delete(rlimit_obj)
> data.append(line)
> else:
> #To-Do
> === modified file utils/apparmor/regex.py
> --- utils/apparmor/regex.py 2015-06-05 15:11:41.644540358 +0200
> +++ utils/apparmor/regex.py 2015-06-05 15:18:22.489599340 +0200
> @@ -33,7 +33,7 @@
> RE_PROFILE_CAP = re.compile(RE_AUDIT_DENY +
> 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL)
> RE_PROFILE_LINK = re.compile(RE_AUDIT_DENY +
> 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' +
> RE_COMMA_EOL)
> RE_PROFILE_ALIAS =
> re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
> -RE_PROFILE_RLIMIT =
> re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*(<=)\s*(?P<value>[^
> ]+)' + RE_COMMA_EOL)
> +RE_PROFILE_RLIMIT =
> re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*<=\s*(?P<value>[^ ]+)'
> + RE_COMMA_EOL)
> RE_PROFILE_BOOLEAN =
> re.compile('^\s*(\$\{?\w*\}?)\s*=\s*(true|false)\s*,?' + RE_EOL,
> flags=re.IGNORECASE)
> RE_PROFILE_VARIABLE =
> re.compile('^\s*(@\{?\w+\}?)\s*(\+?=)\s*(@*.+?)\s*,?' + RE_EOL)
> RE_PROFILE_CONDITIONAL =
> re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL)
>
>
> Regards,
>
> Christian Boltz
> --
> [von KDE 3.0.0 auf 3.0.1 updaten]
> > Wenn KDE 3.0.0 noch immer startet wurde 3.0.1 nicht richtig
> > installiert würde ich mal behaupten :)
> newer version, bla bla. Aber eben nicht bei "base"
> naja. Ich habe nun gemerkt, daß es garnicht installiert wurde. [...]
> Ich DAKU (dümmster anzunehmender KDE Updater)
> [> Matthias Hentges und Stefan Onken in suse-linux]
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
--
Regards,
Kshitij Gupta
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150620/0ddf0b81/attachment.html>
More information about the AppArmor
mailing list