[apparmor] [patch] Update cleanprof to also delete superfluous signal etc. rules

Kshitij Gupta kgupta8592 at gmail.com
Wed Nov 18 22:25:07 UTC 2015


On Fri, Oct 23, 2015 at 8:51 PM, Christian Boltz <apparmor at cboltz.de> wrote:

> Hello,
>
> besides 'signal', also 'change_profile' and 'rlimit' cleanup was missing
> for the main profile.
>
> In aa.py delete_duplicates() (used to check includes), only 'signal' was
> missing.
>
>
>
> [ 10-cleanprof-more-rule-types.diff ]
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-10-23 15:15:05.562818747 +0200
> +++ utils/apparmor/aa.py        2015-10-23 17:08:32.594881219 +0200
> @@ -2113,7 +2113,7 @@
>      # Allow rules covered by denied rules shouldn't be deleted
>      # only a subset allow rules may actually be denied
>
> -    ruletypes = ['capability', 'change_profile', 'network', 'rlimit']
> +    ruletypes = ['capability', 'change_profile', 'network', 'rlimit',
> 'signal']
>
>      if include.get(incname, False):
>          for rule_type in ruletypes:
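Review bot: the rule-type list in the `+` line (`ruletypes = ['capability', 'change_profile', 'network', 'rlimit', 'signal']`) is the same literal that the cleanprofile.py hunk below spells out inline in its `for` loop, so the next rule type has to be added in two places to keep include cleanup and main-profile cleanup in step; define it once (for example a module-level constant in aa.py that cleanprofile.py imports) and use it at both call sites. Minor: the loop variable here is `rule_type` while the cleanprofile.py loop uses `ruletype`; one spelling would make the two sites easier to grep together.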
> === modified file ./utils/apparmor/cleanprofile.py
> --- utils/apparmor/cleanprofile.py      2015-06-18 23:50:22.428586163 +0200
> +++ utils/apparmor/cleanprofile.py      2015-10-23 17:03:58.344857512 +0200
> @@ -64,12 +64,11 @@
>                  deleted +=
> apparmor.delete_duplicates(self.other.aa[program][hat], inc)
>
>              #Clean duplicate rules in other profile
> -            if not self.same_file:
> -                deleted +=
> self.other.aa[program][hat]['capability'].delete_duplicates(self.profile.aa[program][hat]['capability'])
> -                deleted +=
> self.other.aa[program][hat]['network'].delete_duplicates(self.profile.aa[program][hat]['network'])
> -            else:
> -                deleted +=
> self.other.aa[program][hat]['capability'].delete_duplicates(None)
> -                deleted +=
> self.other.aa[program][hat]['network'].delete_duplicates(None)
> +            for ruletype in ['capability', 'change_profile', 'network',
> 'rlimit', 'signal']:
>
Maybe move this as a list somewhere up: KNOWN_RULE_TYPES = ['capability',
'change_profile', 'network', 'rlimit', 'signal']

+                if not self.same_file:
> +                    deleted +=
> self.other.aa[program][hat][ruletype].delete_duplicates(self.profile.aa[program][hat][ruletype])
> +                else:
> +                    deleted +=
> self.other.aa[program][hat][ruletype].delete_duplicates(None)
>
>              #Clean the duplicates of path in other profile
>              deleted +=
> delete_path_duplicates(self.profile.aa[program][hat],
> self.other.aa[program][hat], 'allow', self.same_file)
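Review bot: the new loop indexes `self.other.aa[program][hat][ruletype]` (and, when `same_file` is false, `self.profile.aa[program][hat][ruletype]`) for all five types, where the removed code only touched `'capability'` and `'network'`; please confirm that every profile and hat dict is always initialised with `'change_profile'`, `'rlimit'` and `'signal'` rule sets, otherwise a profile missing one of them would now raise `KeyError` during cleanup rather than being skipped. Also, `self.same_file` does not change between iterations, so the `if not self.same_file:` / `else:` pair could be lifted out of the loop by computing the comparison target once (`None` when `same_file`, `self.profile.aa[program][hat]` otherwise) and calling `delete_duplicates()` once per type in the loop body, which drops the duplicated `deleted +=` statements.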
>
>
Thanks for the patch.

Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>

>
> Regards,
>
> Christian Boltz
> --
> :O h:, I'm cracking up. If it isn't the thing with the quiz, is it
> then some kind of pyramid scheme?   Do you get a bonus for luring
> another newbie into his misfortune?   [Thorsten Haude in suse-linux]
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>



-- 
Regards,

Kshitij Gupta