[apparmor] [patch] rewrite parse_profile_start()
Christian Boltz
apparmor at cboltz.de
Tue Mar 17 18:54:12 UTC 2015
Hello,
this patch rewrites parse_profile_start() in aa.py to a more readable
version. The behaviour remains unchanged (and is covered by tests).
The patch also updates the comment about the internal struct of
aa[profile][hat] - initial_comment was missing.
[ 25-rewrite-parse_profile_start.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-03-17 19:49:58.129177681 +0100
+++ utils/apparmor/aa.py 2015-03-17 19:49:07.899127019 +0100
@@ -105,7 +105,7 @@
# a) rules (as dict): alias, change_profile, include, lvar, rlimit
# b) rules (as hasher): allow, deny
# c) one for each rule class
-# d) other: declared, external, flags, name, profile, attachment,
+# d) other: declared, external, flags, name, profile, attachment, initial_comment,
# profile_keyword, header_comment (these two are currently only set by set_profile_flags())
aa = hasher() # Profiles originally in sd, replace by aa
original_aa = hasher()
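Review bot: in the rewritten d) line, initial_comment now sits directly in front of profile_keyword and header_comment, so the trailing parenthetical "these two are currently only set by set_profile_flags()" can be read as covering three names; consider placing initial_comment earlier in the list (e.g. after "external") or naming profile_keyword and header_comment explicitly in the parenthetical. The added line is also noticeably longer than the surrounding comment lines; wrapping it to the same width keeps the block aligned.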
@@ -2641,31 +2641,31 @@
def parse_profile_start(line, file, lineno, profile, hat):
matches = parse_profile_start_line(line, file)
- pps_set_profile = False
- pps_set_hat_external = False
+ if profile: # we are inside a profile, so we expect a child profile
+ if not matches['profile_keyword']:
+ raise AppArmorException(_('%(profile)s profile in %(file)s contains syntax errors in line %(line)s: missing "profile" keyword.') % {
+ 'profile': profile, 'file': file, 'line': lineno + 1 })
+ if profile != hat:
+ # nesting limit reached - a child profile can't contain another child profile
+ raise AppArmorException(_('%(profile)s profile in %(file)s contains syntax errors in line %(line)s: a child profile inside another child profile is not allowed.') % {
+ 'profile': profile, 'file': file, 'line': lineno + 1 })
- if profile:
- #print(profile, hat)
- if profile != hat or not matches['profile_keyword']:
- raise AppArmorException(_('%(profile)s profile in %(file)s contains syntax errors in line: %(line)s.') % { 'profile': profile, 'file': file, 'line': lineno + 1 })
- # Keep track of the start of a profile
- if profile and profile == hat and matches['profile_keyword']:
- # local profile
hat = matches['profile']
in_contained_hat = True
pps_set_profile = True
- else:
+ pps_set_hat_external = False
+
+ else: # stand-alone profile
profile = matches['profile']
- #print(profile)
if len(profile.split('//')) >= 2:
profile, hat = profile.split('//')[:2]
- else:
- hat = None
- in_contained_hat = False
- if hat:
pps_set_hat_external = True
else:
hat = profile
+ pps_set_hat_external = False
+
+ in_contained_hat = False
+ pps_set_profile = False
attachment = matches['attachment']
flags = matches['flags']
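Review bot: the two new AppArmorException messages repeat the same "%(profile)s profile in %(file)s contains syntax errors in line %(line)s:" prefix and the same substitution dict; pulling the prefix into a local string or small helper keeps both messages consistent if the wording changes later. Second, the stand-alone branch still does `profile, hat = profile.split('//')[:2]`, so a name with more than one `//` silently loses its remaining components; since this rewrite already adds explicit syntax checks for the child-profile case, raising an AppArmorException when `len(profile.split('//')) > 2` would be the matching treatment here, unless that input is deliberately tolerated. Finally, testing `matches['profile_keyword']` before the `profile != hat` nesting test means a nested block that also lacks the keyword only reports the missing-keyword error; that is acceptable, but a short comment would make the intended precedence explicit, as the old combined condition did not distinguish the two cases.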
Regards,
Christian Boltz
--
As drivers, they would comparably get into a car that cannot be locked and has no ignition lock, with a note on the door on top: "Drive me, I am available and fully fuelled." [Thomas Templin on suse-linux about insecure passwords]