[apparmor] [patch] Change aa.py ask_the_questions() to use the aa-mergeprof code for network rules
Christian Boltz
apparmor at cboltz.de
Mon May 25 10:18:31 UTC 2015
Hello,
this patch replaces the code in aa.py ask_the_questions() that handles
network rules with the ask_the_questions() code initially copied from
aa-mergeprof.
This means converting the network/netdomain log events into a
NetworkRuleset stored in the log_obj hasher, and then letting the code from
aa-mergeprof operate on that hasher.
The user interface is mostly unchanged, with two exceptions:
- options always displayed, even if there is only one option
- some slightly changed texts
If you didn't understand why there's a need for the previous patch, this
one should explain it :-)
[ 28-logprof-use-mergeprof-code-for-network.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-05-25 12:16:58.598806636 +0200
+++ utils/apparmor/aa.py 2015-05-25 12:01:56.029599690 +0200
@@ -1572,7 +1572,15 @@
capability_obj = CapabilityRule(capability, log_event=aamode)
log_obj[profile][hat]['capability'].add(capability_obj)
- for ruletype in ['capability']:
+ if not log_obj[profile][hat].get('network', False):
+ log_obj[profile][hat]['network'] = NetworkRuleset()
+
+ for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):
+ for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):
+ network_obj = NetworkRule(family, sock_type, log_event=aamode)
+ log_obj[profile][hat]['network'].add(network_obj)
+
+ for ruletype in ['capability', 'network']:
# XXX aa-mergeprof also has this code - if you change it, keep aa-mergeprof in sync!
for rule_obj in log_obj[profile][hat][ruletype].rules:
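Review bot: The guard on the new `if not log_obj[profile][hat].get('network', False):` line depends on the truthiness of an already-present NetworkRuleset; should that class ever define `__len__` or `__bool__`, an empty ruleset created on an earlier pass (for example for the other aamode of the same profile/hat) would be replaced instead of reused, so a membership test is the safer form, `if 'network' not in log_obj[profile][hat]:`. The `.keys()` calls inside `sorted(...)` on the two new `for family` / `for sock_type` lines are redundant, since iterating a dict already yields its keys. The code removed by the third hunk defaulted the prompt to CMD_DENY unless aamode was PERMITTING and skipped rules already accepted by the profile via is_known_rule(); the shared loop that now also covers the network ruletype continues outside this hunk, so it is worth confirming that it derives the same default from `log_event=aamode` and applies the same is_known_rule() check for network rules. A short comment above the new block, `# collect netdomain log events into a NetworkRuleset so the shared capability/network loop below can prompt for them`, would make the round-trip through the hasher easier to follow; ask_the_questions() itself starts before and ends after this hunk.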
@@ -1600,7 +1608,7 @@
q.headers = [_('Profile'), combine_name(profile, hat)]
q.headers += rule_obj.logprof_header()
- # Load variables into sev_db? Not needed/used for capabilities.
+ # Load variables into sev_db? Not needed/used for capabilities and network rules.
severity = rule_obj.severity(sev_db)
if severity != '--':
q.headers += [_('Severity'), severity]
@@ -1962,99 +1970,6 @@
elif re.search('\d', ans):
default_option = ans
- #
- for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):
- # severity handling for net toggles goes here
- for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):
- network_obj = NetworkRule(family, sock_type)
- if is_known_rule(aa[profile][hat], 'network', network_obj):
- continue
- default_option = 1
- options = []
- newincludes = match_includes(aa[profile][hat], 'network', network_obj)
- q = aaui.PromptQuestion()
- if newincludes:
- options += list(map(lambda s: '#include <%s>' % s, sorted(set(newincludes))))
- if options:
- options.append('network %s %s' % (family, sock_type))
- q.options = options
- q.selected = default_option - 1
-
- q.headers = [_('Profile'), combine_name(profile, hat)]
- q.headers += [_('Network Family'), family]
- q.headers += [_('Socket Type'), sock_type]
-
- audit_toggle = 0
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
- 'CMD_ABORT', 'CMD_FINISHED']
- q.default = 'CMD_DENY'
-
- if aamode == 'PERMITTING':
- q.default = 'CMD_ALLOW'
-
- seen_events += 1
-
- done = False
- while not done:
- ans, selected = q.promptUser()
-
- if ans == 'CMD_FINISHED':
- save_profiles()
- return
-
- if ans == 'CMD_IGNORE_ENTRY':
- done = True
- break
-
- if ans.startswith('CMD_AUDIT'):
- audit_toggle = not audit_toggle
- audit = ''
- if audit_toggle:
- audit = 'audit'
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_OFF',
- 'CMD_ABORT', 'CMD_FINISHED']
- else:
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
- 'CMD_ABORT', 'CMD_FINISHED']
- q.headers = [_('Profile'), combine_name(profile, hat)]
- q.headers += [_('Network Family'), audit + family]
- q.headers += [_('Socket Type'), sock_type]
-
- elif ans == 'CMD_ALLOW':
- if options:
- selection = options[selected]
- else:
- selection = 'network %s %s' % (family, sock_type)
- done = True
- if re_match_include(selection): # re.search('#include\s+<.+>$', selection):
- inc = re_match_include(selection) # re.search('#include\s+<(.+)>$', selection).groups()[0]
- deleted = 0
- deleted = delete_duplicates(aa[profile][hat], inc)
-
- aa[profile][hat]['include'][inc] = True
-
- changed[profile] = True
-
- aaui.UI_Info(_('Adding %s to profile') % selection)
- if deleted:
- aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
-
- else:
- aa[profile][hat]['network'].add(NetworkRule(family, sock_type, audit=audit_toggle))
-
- changed[profile] = True
-
- aaui.UI_Info(_('Adding network access %(family)s %(type)s to profile.') % { 'family': family, 'type': sock_type })
-
- elif ans == 'CMD_DENY':
- done = True
- aa[profile][hat]['network'].add(NetworkRule(family, sock_type, audit=audit_toggle, deny=True))
- changed[profile] = True
- aaui.UI_Info(_('Denying network access %(family)s %(type)s to profile') % { 'family': family, 'type': sock_type })
-
- else:
- done = False
-
def available_buttons(rule_obj):
buttons = []
Regards,
Christian Boltz
--
> Adding a self-removing SuSEconfig script calling rpm -e --noscripts
> would be an ugly but working work-around. [...]
Wow. Stanislav, after all these years you still manage to scare me :)
[> Stanislav Brabec and Stephan Kulow in
https://bugzilla.novell.com/show_bug.cgi?id=310640]