[apparmor] [patch] Update aa-mergeprof to use the NetworkRule(set) class layout

Christian Boltz apparmor at cboltz.de
Sun May 17 16:52:24 UTC 2015


Hello,

aa-mergeprof still used the old aa[profile][hat][allow]['netdomain']
which no longer gets populated. This resulted in not asking for merging
any network rules.

This patch changes ask_the_question() to the NetworkRule(set) layout.
Besides that,
- don't ask for network rules that are already covered.
  Using is_known_rule() also fixes
  https://bugs.launchpad.net/apparmor/+bug/1382241
- include the audit keyword in the "Network Family" headline
  (I'd prefer to just use the get_clean() rule, but that's another topic)
- hide "(A)llow" when merging a deny rule
- as a side effect of using NetworkRule, fix crashes for 'network,' and
  'network foo,' rules

To avoid having to repeat the list of available "buttons" and the logic
to update that list, add a available_buttons() function that returns the
list of available buttons depending on rule_obj.deny and rule_obj.audit.


I tested all changes manually.



[ 08-mergeprof-network-rule.diff ]

=== modified file utils/aa-mergeprof
--- utils/aa-mergeprof  2015-05-17 18:34:01.845979666 +0200
+++ utils/aa-mergeprof  2015-05-17 18:39:58.418043744 +0200
@@ -715,36 +716,45 @@
                                 default_option = ans
 
             #
-            for allow in ['allow', 'deny']:
-                for family in sorted(other.aa[profile][hat][allow]['netdomain']['rule'].keys()):
-                    # severity handling for net toggles goes here
+            for net_obj in other.aa[profile][hat]['network'].rules:
+                # severity handling for net toggles goes here
+
+                if apparmor.aa.is_known_rule(self.user.aa[profile][hat], 'network', net_obj):
+                    continue
 
-                    for sock_type in sorted(other.aa[profile][hat][allow]['netdomain']['rule'][family].keys()):
-                        #if apparmor.aa.profile_known_network(self.user.aa[profile][hat], family, sock_type):
-                        #    continue
-                        # disabled for now because it crashes, for details and impact see
-                        # https://bugs.launchpad.net/apparmor/+bug/1382241
+                if net_obj.all_domains:
+                    family = 'ALL'
+                else:
+                    family = net_obj.domain
+
+                if net_obj.all_type_or_protocols:
+                    sock_type = 'ALL'
+                else:
+                    sock_type = net_obj.type_or_protocol
 
+                if 1 == 1: # avoid whitespace change
+                    if 1 == 1:
                         default_option = 1
                         options = []
-                        newincludes = apparmor.aa.match_net_includes(self.user.aa[profile][hat], family, sock_type)
+                        newincludes = apparmor.aa.match_includes(self.user.aa[profile][hat], 'network', net_obj)
                         q = aaui.PromptQuestion()
                         if newincludes:
                             options += list(map(lambda s: '#include <%s>'%s, sorted(set(newincludes))))
                         if True:#options:
-                            options.append('network %s %s' % (family, sock_type))
+                            options.append(net_obj.get_clean())
                             q.options = options
                             q.selected = default_option - 1
 
+                        audit = ''
+                        if net_obj.audit:
+                            audit = 'audit '
+
                         q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
-                        q.headers += [_('Network Family'), family]
+                        q.headers += [_('Network Family'), audit + family]
                         q.headers += [_('Socket Type'), sock_type]
 
-                        audit_toggle = 0
-                        q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
-                                          'CMD_ABORT', 'CMD_FINISHED']
-
-                        q.default = 'CMD_ALLOW'
+                        q.functions = available_buttons(net_obj)
+                        q.default = q.functions[0]
 
                         done = False
                         while not done:
@@ -757,15 +767,20 @@
                                 return
 
                             if ans.startswith('CMD_AUDIT'):
-                                audit_toggle = not audit_toggle
-                                audit = ''
-                                if audit_toggle:
-                                    audit = 'audit'
-                                    q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_OFF',
-                                                      'CMD_ABORT', 'CMD_FINISHED']
+                                if ans == 'CMD_AUDIT_NEW':
+                                    net_obj.audit = True
+                                    net_obj.raw_rule = None
+                                    audit = 'audit '
+                                    q.functions = available_buttons(net_obj)
                                 else:
-                                    q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW',
-                                                      'CMD_ABORT', 'CMD_FINISHED']
+                                    net_obj.audit = False
+                                    net_obj.raw_rule = None
+                                    audit = ''
+                                    q.functions = available_buttons(net_obj)
+
+                                options[len(options) - 1] = net_obj.get_clean()
+                                q.options = options
+
                                 q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
                                 q.headers += [_('Network Family'), audit + family]
                                 q.headers += [_('Socket Type'), sock_type]
@@ -788,8 +803,7 @@
                                         aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
 
                                 else:
-                                    self.user.aa[profile][hat]['allow']['netdomain']['audit'][family][sock_type] = audit_toggle
-                                    self.user.aa[profile][hat]['allow']['netdomain']['rule'][family][sock_type] = True
+                                    self.user.aa[profile][hat]['network'].add(net_obj)
 
                                     apparmor.aa.changed[profile] = True
 
@@ -797,12 +811,32 @@
 
                             elif ans == 'CMD_DENY':
                                 done = True
-                                self.user.aa[profile][hat]['deny']['netdomain']['rule'][family][sock_type] = True
+                                net_obj.deny = True
+                                net_obj.raw_rule = None
+                                self.user.aa[profile][hat]['network'].add(net_obj)
                                 apparmor.aa.changed[profile] = True
                                 aaui.UI_Info(_('Denying network access %(family)s %(type)s to profile') % { 'family': family, 'type': sock_type })
 
                             else:
                                 done = False
 
+
+def available_buttons(rule_obj):
+    buttons = []
+
+    if not rule_obj.deny:
+        buttons += ['CMD_ALLOW']
+
+    buttons += ['CMD_DENY', 'CMD_IGNORE_ENTRY']
+
+    if rule_obj.audit:
+        buttons += ['CMD_AUDIT_OFF']
+    else:
+        buttons += ['CMD_AUDIT_NEW']
+
+    buttons += ['CMD_ABORT', 'CMD_FINISHED']
+
+    return buttons
+
 if __name__ == '__main__':
     main()



Regards,

Christian Boltz
-- 
I'm not out to destroy Microsoft. That will just be a
completely unintentional side effect. [Linus Torvalds]




More information about the AppArmor mailing list