[apparmor] [patch] Update aa-mergeprof to use the NetworkRule(set) class layout
Christian Boltz
apparmor at cboltz.de
Sun May 17 17:16:21 UTC 2015
Hello,
Am Sonntag, 17. Mai 2015 schrieb Christian Boltz:
> I tested all changes manually.
... and another test with a different profile resulted in a crash
because other.aa[profile][hat]['network'] wasn't initialized :-(
Here's the updated patch that
- adds a check for that
- moves around the remaining "if 1 == 1: # avoid whitespace change"
- moves setting q.functions outside the if block and de-duplicates it
[ 08-mergeprof-network-rule.diff ]
=== modified file utils/aa-mergeprof
--- utils/aa-mergeprof 2015-05-17 18:54:52.750566063 +0200
+++ utils/aa-mergeprof 2015-05-17 19:07:35.296852571 +0200
@@ -714,37 +715,45 @@
elif re.search('\d', ans):
default_option = ans
- #
- for allow in ['allow', 'deny']:
- for family in sorted(other.aa[profile][hat][allow]['netdomain']['rule'].keys()):
- # severity handling for net toggles goes here
+ if 1 == 1: # avoid whitespace change
+ if other.aa[profile][hat].get('network', False): # needed until we have proper profile initialization
+ for net_obj in other.aa[profile][hat]['network'].rules:
+ # severity handling for net toggles goes here
+
+ if apparmor.aa.is_known_rule(self.user.aa[profile][hat], 'network', net_obj):
+ continue
- for sock_type in sorted(other.aa[profile][hat][allow]['netdomain']['rule'][family].keys()):
- #if apparmor.aa.profile_known_network(self.user.aa[profile][hat], family, sock_type):
- # continue
- # disabled for now because it crashes, for details and impact see
- # https://bugs.launchpad.net/apparmor/+bug/1382241
+ if net_obj.all_domains:
+ family = 'ALL'
+ else:
+ family = net_obj.domain
+
+ if net_obj.all_type_or_protocols:
+ sock_type = 'ALL'
+ else:
+ sock_type = net_obj.type_or_protocol
default_option = 1
options = []
- newincludes = apparmor.aa.match_net_includes(self.user.aa[profile][hat], family, sock_type)
+ newincludes = apparmor.aa.match_includes(self.user.aa[profile][hat], 'network', net_obj)
q = aaui.PromptQuestion()
if newincludes:
options += list(map(lambda s: '#include <%s>'%s, sorted(set(newincludes))))
if True:#options:
- options.append('network %s %s' % (family, sock_type))
+ options.append(net_obj.get_clean())
q.options = options
q.selected = default_option - 1
+ audit = ''
+ if net_obj.audit:
+ audit = 'audit '
+
q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
- q.headers += [_('Network Family'), family]
+ q.headers += [_('Network Family'), audit + family]
q.headers += [_('Socket Type'), sock_type]
- audit_toggle = 0
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
- 'CMD_ABORT', 'CMD_FINISHED']
-
- q.default = 'CMD_ALLOW'
+ q.functions = available_buttons(net_obj)
+ q.default = q.functions[0]
done = False
while not done:
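Review bot: The new `.get('network', False)` guard at the top of the hunk protects only `other.aa[profile][hat]`, while `self.user.aa[profile][hat]` is handed unguarded to `is_known_rule` and `match_includes` a few lines later; if either helper indexes `['network']` on that dict, the crash described in the mail reappears for a user profile that has no network rules yet. Mirroring the guard on the user side, or initialising the key once before the loop (e.g. `self.user.aa[profile][hat].setdefault('network', NetworkRuleset())`, if that is the ruleset class from the new layout), closes that gap until the proper profile initialisation the comment mentions exists. The `if True:#options:` line is a leftover no-op condition that could be dropped together with the `if 1 == 1:` placeholder once whitespace churn is acceptable. The enclosing function starts before this hunk.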
@@ -757,15 +766,19 @@
return
if ans.startswith('CMD_AUDIT'):
- audit_toggle = not audit_toggle
- audit = ''
- if audit_toggle:
- audit = 'audit'
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_OFF',
- 'CMD_ABORT', 'CMD_FINISHED']
+ if ans == 'CMD_AUDIT_NEW':
+ net_obj.audit = True
+ net_obj.raw_rule = None
+ audit = 'audit '
else:
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW',
- 'CMD_ABORT', 'CMD_FINISHED']
+ net_obj.audit = False
+ net_obj.raw_rule = None
+ audit = ''
+
+ q.functions = available_buttons(net_obj)
+ options[len(options) - 1] = net_obj.get_clean()
+ q.options = options
+
q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
q.headers += [_('Network Family'), audit + family]
q.headers += [_('Socket Type'), sock_type]
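Review bot: `net_obj.audit` is flipped (and `raw_rule` cleared) on the object taken from `other.aa[...]['network'].rules` as soon as CMD_AUDIT_NEW/CMD_AUDIT_OFF is pressed, before the user has decided on allow/deny/ignore, so an ignore or abort after toggling leaves the source profile's in-memory rule with a changed audit flag, which matters if that profile is written back or merged again. Working on a copy before the prompt loop, e.g. `net_obj = copy.deepcopy(net_obj)` (assuming `copy` is importable here), keeps the toggles confined to the candidate rule. As a style point, `options[len(options) - 1] = net_obj.get_clean()` reads more plainly as `options[-1] = net_obj.get_clean()`. The enclosing function and the `while not done` loop start outside this hunk.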
@@ -788,8 +801,7 @@
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
else:
- self.user.aa[profile][hat]['allow']['netdomain']['audit'][family][sock_type] = audit_toggle
- self.user.aa[profile][hat]['allow']['netdomain']['rule'][family][sock_type] = True
+ self.user.aa[profile][hat]['network'].add(net_obj)
apparmor.aa.changed[profile] = True
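Review bot: `self.user.aa[profile][hat]['network'].add(net_obj)` stores the very instance that still lives in `other.aa[...]['network'].rules`, so after the merge both profiles share one rule object and any later in-place edit of either (the `deny`/`audit` assignments elsewhere in this patch are examples) silently changes both. Unless `add()` copies its argument internally, which is not visible here, adding a copy is the safer choice: `self.user.aa[profile][hat]['network'].add(copy.deepcopy(net_obj))`. The `else:` branch belongs to an `if` that starts outside this hunk.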
@@ -797,12 +809,32 @@
elif ans == 'CMD_DENY':
done = True
- self.user.aa[profile][hat]['deny']['netdomain']['rule'][family][sock_type] = True
+ net_obj.deny = True
+ net_obj.raw_rule = None
+ self.user.aa[profile][hat]['network'].add(net_obj)
apparmor.aa.changed[profile] = True
aaui.UI_Info(_('Denying network access %(family)s %(type)s to profile') % { 'family': family, 'type': sock_type })
else:
done = False
+
+def available_buttons(rule_obj):
+ buttons = []
+
+ if not rule_obj.deny:
+ buttons += ['CMD_ALLOW']
+
+ buttons += ['CMD_DENY', 'CMD_IGNORE_ENTRY']
+
+ if rule_obj.audit:
+ buttons += ['CMD_AUDIT_OFF']
+ else:
+ buttons += ['CMD_AUDIT_NEW']
+
+ buttons += ['CMD_ABORT', 'CMD_FINISHED']
+
+ return buttons
+
if __name__ == '__main__':
main()
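Review bot: `available_buttons` is a new module-level helper without a docstring, and its contract is worth stating because the caller relies on `q.functions[0]` being the default answer, so the button order is part of the interface, and because the function only reads `rule_obj.deny` and `rule_obj.audit` and therefore works for any rule class exposing those two attributes. Suggested docstring: `"""Return the prompt buttons for rule_obj: CMD_ALLOW unless it is a deny rule, then CMD_DENY and CMD_IGNORE_ENTRY, CMD_AUDIT_OFF or CMD_AUDIT_NEW depending on rule_obj.audit, then CMD_ABORT and CMD_FINISHED. The first entry is used as the default answer."""`. A brief `# a deny rule from the other profile can only be merged as deny` comment on the `if not rule_obj.deny:` line would make the intentional omission of CMD_ALLOW explicit.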
Regards,
Christian Boltz
--
Naja, wer in der bekannten närrischen Zeit an jemanden in einer der
Karnevalsgegenden mailt, muß damit rechnen, daß seine Mail kaum vor
Freitag beantwortet wird. Vorher sind die Leute da kaum wieder nüchtern
und ansprechbar. ;)) [Martin Falley in suse-linux]