[apparmor] [patch] Update aa-mergeprof to use the CapabilityRule(set) class layout

Christian Boltz apparmor at cboltz.de
Sun May 17 17:25:21 UTC 2015


Hello,

Am Donnerstag, 14. Mai 2015 schrieb Christian Boltz:
> [ 06-mergeprof-capability-rule.diff ]

Here's an updated patch with two small changes:
- update comment about the other.aa[profile][hat].get('capability') 
  check - if it's needed for network rules, then it's probably also 
  needed for capability rules ;-)
- use is_known_rule() instead of is_covered() so that include files are
  also checked


[ 06-mergeprof-capability-rule.diff ]

=== modified file utils/aa-mergeprof
--- utils/aa-mergeprof  2015-05-17 19:16:48.381652462 +0200
+++ utils/aa-mergeprof  2015-05-17 19:18:53.885346883 +0200
@@ -309,32 +309,51 @@
                     return
 
             #Add the capabilities
-            for allow in ['allow', 'deny']:
-                if other.aa[profile][hat].get(allow, False):
-                    continue
-                for capability in sorted(other.aa[profile][hat][allow]['capability'].keys()):
-                    severity = sev_db.rank('CAP_%s' % capability)
+            if other.aa[profile][hat].get('capability', False): # needed until we have proper profile initialization
+                for cap_obj in other.aa[profile][hat]['capability'].rules:
+
+                    if apparmor.aa.is_known_rule(self.user.aa[profile][hat], 'capability', cap_obj):
+                        continue
+
+                    if cap_obj.all_caps:
+                        severity = 10
+                        cap_txt = 'ALL'
+                    else:
+                        cap_txt = ' '.join(cap_obj.capability)
+                        severity = 0
+                        for cap in cap_obj.capability:
+                            severity = max(severity, sev_db.rank('CAP_%s' % cap))
+
+                    if cap_obj.deny:
+                        cap_txt = 'deny %s' % cap_txt
+
+                    if cap_obj.audit:
+                        cap_txt = 'audit %s' % cap_txt
+
                     default_option = 1
                     options = []
-                    newincludes = apparmor.aa.match_cap_includes(self.user.aa[profile][hat], capability)
+                    newincludes = apparmor.aa.match_includes(self.user.aa[profile][hat], 'capability', cap_obj)
                     q = aaui.PromptQuestion()
                     if newincludes:
                         options += list(map(lambda inc: '#include <%s>' %inc, sorted(set(newincludes))))
 
                     if options:
-                        options.append('capability %s' % capability)
+                        options.append(cap_obj.get_clean())
                         q.options = options
                         q.selected = default_option - 1
 
                     q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
-                    q.headers += [_('Capability'), capability]
+                    q.headers += [_('Capability'), cap_txt]
                     q.headers += [_('Severity'), severity]
 
                     audit_toggle = 0
 
-                    q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED']
+                    q.functions = []
+                    if not cap_obj.deny:
+                        q.functions += ['CMD_ALLOW']
+                    q.functions += ['CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED']
 
-                    q.default = 'CMD_ALLOW'
+                    q.default = q.functions[0]
 
                     done = False
                     while not done:
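Review bot: `cap_txt = ' '.join(cap_obj.capability)` in the new else-branch prints the capabilities in whatever order the container yields them; since the following `for cap in cap_obj.capability` loop treats it as a collection, a set there would make the Capability header shown to the user vary between runs and disagree with the `cap_obj.get_clean()` text used for the option list. Use `cap_txt = ' '.join(sorted(cap_obj.capability))` so the prompt is deterministic. The `severity = max(severity, sev_db.rank('CAP_%s' % cap))` fold also presumes `rank()` always returns a number; if the severity DB can hand back a non-numeric marker for an unknown capability (confirm against apparmor.severity), that comparison raises TypeError on Python 3, whereas the old single-capability code merely displayed the value. The enclosing method starts before the hunk and the `while not done:` loop body continues past it.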
@@ -362,19 +381,20 @@
                                 if deleted:
                                     aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
 
-                            self.user.aa[profile][hat]['allow']['capability'][capability]['set'] = True
-                            self.user.aa[profile][hat]['allow']['capability'][capability]['audit'] = other.aa[profile][hat]['allow']['capability'][capability]['audit']
+                            self.user.aa[profile][hat]['capability'].add(cap_obj)
 
                             apparmor.aa.changed[profile] = True
 
-                            aaui.UI_Info(_('Adding capability %s to profile.'), capability)
+                            aaui.UI_Info(_('Adding %s to profile.') % cap_obj.get_clean())
                             done = True
 
                         elif ans == 'CMD_DENY':
-                            self.user.aa[profile][hat]['deny']['capability'][capability]['set'] = True
+                            cap_obj.deny = True
+                            cap_obj.raw_rule = None  # reset raw rule after manually modifying cap_obj
+                            self.user.aa[profile][hat]['capability'].add(cap_obj)
                             apparmor.aa.changed[profile] = True
 
-                            aaui.UI_Info(_('Denying capability %s to profile.') % capability)
+                            aaui.UI_Info(_('Adding %s to profile.') % cap_obj.get_clean())
                             done = True
                         else:
                             done = False
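Review bot: The `CMD_DENY` branch sets `cap_obj.deny = True` on the rule instance that the loop above took from `other.aa[profile][hat]['capability'].rules`, and then stores that same instance in the user's ruleset; the `CMD_ALLOW` branch (`.add(cap_obj)`) aliases it as well. After the merge both profiles hold one shared object, so the in-place `deny` change has already altered the source profile's rule, and any later mutation through either ruleset (or a second pass over `other`) silently shows up in the other. Copy before modifying, e.g. `cap_obj = copy.deepcopy(cap_obj)` ahead of `cap_obj.deny = True` (and the same before the `CMD_ALLOW` add), assuming `copy` is imported or CapabilityRule offers a copy helper — the file's import block is outside this hunk. The surrounding method and the `while not done:` loop start before the hunk.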
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-05-17 19:16:48.384652288 +0200
+++ utils/apparmor/aa.py        2015-05-14 01:51:45.582085900 +0200
@@ -2154,11 +2154,6 @@
     return match_includes(incname, 'network', network_obj)
 
 
-def match_cap_includes(profile, capability):
-    # still used by aa-mergeprof
-    capability_obj = CapabilityRule(capability)
-    return match_includes(profile, 'capability', capability_obj)
-
 def match_includes(profile, rule_type, rule_obj):
     newincludes = []
     for incname in include.keys():




Regards,

Christian Boltz
-- 
> > Ein einziges Wort: Gentoo.
> NEEEEEIIIIIINNNNNNNNNN *duck_und_wegrenn*
Psssssssssssst. Ich sagte doch nur "ein Wort". ;-)
[> Bernhard Walle und Tobias Weisserth in suse-linux]



