[apparmor] [3/4] Change aa.py to use ChangeProfileRule and ChangeProfileRuleset
Christian Boltz
apparmor at cboltz.de
Sat May 9 20:39:08 UTC 2015
Hello,
this patch changes aa.py to use ChangeProfileRule and
ChangeProfileRuleset instead of a sub-hasher to store and write
change_profile rules. In detail:
- drop all the change_profile rule parsing from parse_profile_data() and
serialize_profile_from_old_profile() - instead, just call
ChangeProfileRule.parse()
- change write_change_profile to use ChangeProfileRuleset
- add removal of superfluous/duplicate change_profile rules (the old
code didn't do this)
Note that this patch is much smaller than the NetworkRule and
CapabilityRule patches because aa-logprof doesn't ask for adding
change_profile rules - adding that is something for a later patch.
[ 03-use-ChangeProfileRule.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-05-08 23:54:27.253524901 +0200
+++ utils/apparmor/aa.py 2015-05-09 21:50:30.012689700 +0200
@@ -41,7 +41,7 @@
flatten_mode, owner_flatten_mode)
from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
- RE_PROFILE_CHANGE_PROFILE, RE_PROFILE_ALIAS, RE_PROFILE_RLIMIT,
+ RE_PROFILE_ALIAS, RE_PROFILE_RLIMIT,
RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, RE_PROFILE_CONDITIONAL,
RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,
RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
@@ -54,6 +54,7 @@
import apparmor.rules as aarules
from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
+from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
from apparmor.rule.network import NetworkRuleset, NetworkRule
from apparmor.rule import parse_modifiers, quote_if_needed
@@ -2126,6 +2127,7 @@
if include.get(incname, False):
deleted += profile['network'].delete_duplicates(include[incname][incname]['network'])
deleted += profile['capability'].delete_duplicates(include[incname][incname]['capability'])
+ deleted += profile['change_profile'].delete_duplicates(include[incname][incname]['change_profile'])
deleted += delete_path_duplicates(profile, incname, 'allow')
deleted += delete_path_duplicates(profile, incname, 'deny')
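Review bot: The added `delete_duplicates` call indexes `include[incname][incname]['change_profile']`, so every parsed include must already carry a `ChangeProfileRuleset` under that key, otherwise this line raises KeyError instead of contributing 0 to `deleted`. The `ChangeProfileRuleset()` assignment added by this patch sits in the profile-start branch of parse_profile_data(); if include files are initialised on a separate path (as the `include[incname][incname]` layout suggests), that path needs the same assignment. The same applies to the filelist branch in the next hunk. Both branches now repeat four identical `delete_duplicates` lines that differ only in the dict consulted; a small helper taking that dict would keep the two in step. The enclosing function starts and ends outside the hunk.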
@@ -2133,6 +2135,7 @@
elif filelist.get(incname, False):
deleted += profile['network'].delete_duplicates(filelist[incname][incname]['network'])
deleted += profile['capability'].delete_duplicates(filelist[incname][incname]['capability'])
+ deleted += profile['change_profile'].delete_duplicates(filelist[incname][incname]['change_profile'])
deleted += delete_path_duplicates(profile, incname, 'allow')
deleted += delete_path_duplicates(profile, incname, 'deny')
@@ -2667,6 +2670,7 @@
profile_data[profile][hat]['flags'] = flags
profile_data[profile][hat]['network'] = NetworkRuleset()
+ profile_data[profile][hat]['change_profile'] = ChangeProfileRuleset()
profile_data[profile][hat]['allow']['path'] = hasher()
profile_data[profile][hat]['allow']['dbus'] = list()
profile_data[profile][hat]['allow']['mount'] = list()
@@ -2739,14 +2743,11 @@
else:
profile_data[profile][hat][allow]['link'][link]['audit'] = set()
- elif RE_PROFILE_CHANGE_PROFILE.search(line):
- matches = RE_PROFILE_CHANGE_PROFILE.search(line).groups()
-
+ elif ChangeProfileRule.match(line):
if not profile:
raise AppArmorException(_('Syntax Error: Unexpected change profile entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
- cp = strip_quotes(matches[0])
- profile_data[profile][hat]['change_profile'][cp] = True
+ profile_data[profile][hat]['change_profile'].add(ChangeProfileRule.parse(line))
elif RE_PROFILE_ALIAS.search(line):
matches = RE_PROFILE_ALIAS.search(line).groups()
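Review bot: `ChangeProfileRule.parse(line)` replaces the hand-rolled regex handling, but an exception it raises for a line that `match()` accepted and `parse()` rejects will presumably carry no file or line number, unlike the syntax error raised two lines above with `%(file)s line: %(line)s`. Catching AppArmorException around the `parse()` call and re-raising with the same file/lineno context would keep error reports uniform for users. The enclosing function starts and ends outside the hunk.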
@@ -3291,7 +3292,10 @@
return write_single(prof_data, depth, '', 'include', '#include <', '>')
def write_change_profile(prof_data, depth):
- return write_single(prof_data, depth, '', 'change_profile', 'change_profile -> ', ',')
+ data = []
+ if prof_data.get('change_profile', False):
+ data = prof_data['change_profile'].get_clean(depth)
+ return data
def write_alias(prof_data, depth):
return write_pair(prof_data, depth, '', 'alias', 'alias ', ' -> ', ',', quote_if_needed)
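Review bot: The guard `if prof_data.get('change_profile', False):` tests the truthiness of the ruleset object rather than the presence of the key; whether an empty `ChangeProfileRuleset` is falsy depends on that class defining `__len__` or `__bool__`, which is not visible here, so `get_clean()` may or may not run for an empty set. If the intent is "the key exists", `if prof_data.get('change_profile') is not None:` says so explicitly, and the temporary `data = []` can go: `return prof_data['change_profile'].get_clean(depth)` in that branch and `return []` otherwise.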
@@ -3866,22 +3870,14 @@
# To-Do
pass
- elif RE_PROFILE_CHANGE_PROFILE.search(line):
- matches = RE_PROFILE_CHANGE_PROFILE.search(line).groups()
- cp = strip_quotes(matches[0])
-
- if not write_prof_data[hat]['change_profile'][cp] is True:
- correct = False
-
- if correct:
+ elif ChangeProfileRule.match(line):
+ change_profile_obj = ChangeProfileRule.parse(line)
+ if write_prof_data[hat]['change_profile'].is_covered(change_profile_obj, True, True):
if not segments['change_profile'] and True in segments.values():
data += write_prior_segments(write_prof_data[name], segments, line)
segments['change_profile'] = True
- write_prof_data[hat]['change_profile'].pop(cp)
+ write_prof_data[hat]['change_profile'].delete(change_profile_obj)
data.append(line)
- else:
- #To-Do
- pass
elif RE_PROFILE_ALIAS.search(line):
matches = RE_PROFILE_ALIAS.search(line).groups()
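Review bot: `is_covered(change_profile_obj, True, True)` followed by `delete(change_profile_obj)` pairs a coverage test with an exact-match removal: an old-profile line such as `change_profile -> /usr/bin/foo,` is covered by a bare `change_profile,` rule in the new ruleset, but if `delete()` only removes a rule equal to the one given (the dict code it replaces used an exact key lookup), it will not find it and, depending on its implementation, may raise rather than continue. Either confirm exact presence before deleting, or handle "covered but not equal" explicitly as "drop the old line". The two positional `True` arguments also hide which checks are being enabled; passing them by keyword would document that at the call site. The enclosing function starts and ends outside the hunk.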
Regards,
Christian Boltz
--
Wir sind vom LinuxTag e.V., Widerstand ist zwecklos.
Sie werden assimiliert.
[Henning Heinold - LinuxTag fortune]