[apparmor] [patch] Change aa.py to use SignalRule and SignalRuleset
Kshitij Gupta
kgupta8592 at gmail.com
Wed Nov 18 22:31:38 UTC 2015
Accidentally hit reply instead of reply all.
Let's see if this goes through.
On Thu, Nov 19, 2015 at 3:50 AM, Kshitij Gupta <kgupta8592 at gmail.com> wrote:
>
>
> On Fri, Oct 23, 2015 at 6:51 PM, Christian Boltz <apparmor at cboltz.de>
> wrote:
>
>> Hello,
>>
>> this patch changes aa.py to use SignalRule and SignalRuleset.
>>
>> This means:
>> - import the classes instead of RE_PROFILE_SIGNAL
>> - simplify signal rule parsing a lot
>> - drop the (now unused) functions parse_signal_rule() and
>> write_signal_rules()
>> - change write_signal() to use the SignalRuleset class
>>
>> Also drop the now unused Raw_Signal_Rule from rules.py.
>>
>> Finally, drop most parser signal tests from the "known wrong results"
>> blacklist in test-parser-simple-tests.py because those tests succeed
>> with SignalRule.
>>
>>
>> [ 09-use-SignalRule.diff ]
>>
>> === modified file ./utils/apparmor/aa.py
>> --- utils/apparmor/aa.py 2015-10-21 22:36:34.763596559 +0200
>> +++ utils/apparmor/aa.py 2015-10-22 23:42:25.162303886 +0200
>> @@ -47,7 +47,7 @@
>> RE_PROFILE_BARE_FILE_ENTRY,
>> RE_PROFILE_PATH_ENTRY,
>> RE_PROFILE_CHANGE_HAT,
>> RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS,
>> RE_PROFILE_MOUNT,
>> - RE_PROFILE_SIGNAL, RE_PROFILE_PTRACE,
>> RE_PROFILE_PIVOT_ROOT,
>> + RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT,
>> RE_PROFILE_UNIX, RE_RULE_HAS_COMMA,
>> RE_HAS_COMMENT_SPLIT,
>> strip_quotes, parse_profile_start_line,
>> re_match_include )
>>
>> @@ -57,6 +57,7 @@
>> from apparmor.rule.change_profile import ChangeProfileRuleset,
>> ChangeProfileRule
>> from apparmor.rule.network import NetworkRuleset, NetworkRule
>> from apparmor.rule.rlimit import RlimitRuleset, RlimitRule
>> +from apparmor.rule.signal import SignalRuleset, SignalRule
>> from apparmor.rule import parse_modifiers, quote_if_needed
>>
>> from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
>> @@ -463,11 +464,11 @@
>> profile['change_profile'] = ChangeProfileRuleset()
>> profile['network'] = NetworkRuleset()
>> profile['rlimit'] = RlimitRuleset()
>> + profile['signal'] = SignalRuleset()
>>
>> profile['allow']['path'] = hasher()
>> profile['allow']['dbus'] = list()
>> profile['allow']['mount'] = list()
>> - profile['allow']['signal'] = list()
>> profile['allow']['ptrace'] = list()
>> profile['allow']['pivot_root'] = list()
>>
>> @@ -2919,27 +2921,11 @@
>> mount_rules.append(mount_rule)
>> profile_data[profile][hat][allow]['mount'] = mount_rules
>>
>> - elif RE_PROFILE_SIGNAL.search(line):
>> - matches = RE_PROFILE_SIGNAL.search(line).groups()
>> -
>> + elif SignalRule.match(line):
>> if not profile:
>> raise AppArmorException(_('Syntax Error: Unexpected
>> signal entry found in file: %(file)s line: %(line)s') % { 'file': file,
>> 'line': lineno + 1 })
>>
>> - audit = False
>> - if matches[0]:
>> - audit = True
>> - allow = 'allow'
>> - if matches[1] and matches[1].strip() == 'deny':
>> - allow = 'deny'
>> - signal = matches[2].strip()
>> -
>> - signal_rule = parse_signal_rule(signal)
>> - signal_rule.audit = audit
>> - signal_rule.deny = (allow == 'deny')
>> -
>> - signal_rules =
>> profile_data[profile][hat][allow].get('signal', list())
>> - signal_rules.append(signal_rule)
>> - profile_data[profile][hat][allow]['signal'] = signal_rules
>> +
>> profile_data[profile][hat]['signal'].add(SignalRule.parse(line))
>>
>> elif RE_PROFILE_PTRACE.search(line):
>> matches = RE_PROFILE_PTRACE.search(line).groups()
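Review bot: The new `profile_data[profile][hat]['signal'].add(SignalRule.parse(line))` loses the file/line context that the branch attaches to its own "Unexpected signal entry" error two lines above: if `SignalRule.match` accepts a line that `SignalRule.parse` then rejects, the exception (presumably an AppArmorException, as with the other rule classes, but not visible here) surfaces without `file` and `lineno`, so a malformed signal rule in a profile is not reported at its location. Catching the parse error and re-raising it with the same `%(file)s line: %(line)s` formatting keeps error reporting consistent with the rest of the parser; the sketch below assumes `str(e)` yields the exception's message — confirm against AppArmorException. The stray blank `+` line inserted before the `.add(...)` call is also worth dropping. The enclosing parse function starts and ends outside this hunk.
```python
            elif SignalRule.match(line):
                # … unchanged: syntax-error raise when no profile is open …
                try:
                    signal_rule = SignalRule.parse(line)
                except AppArmorException as e:
                    # re-attach the location so the user can find the bad rule
                    raise AppArmorException(_('%(msg)s in file: %(file)s line: %(line)s') % { 'msg': str(e), 'file': file, 'line': lineno + 1 })
                profile_data[profile][hat]['signal'].add(signal_rule)
```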
>> @@ -3106,10 +3092,6 @@
>> # XXX Do real parsing here
>> return aarules.Raw_Mount_Rule(line)
>>
>> -def parse_signal_rule(line):
>> - # XXX Do real parsing here
>> - return aarules.Raw_Signal_Rule(line)
>> -
>> def parse_ptrace_rule(line):
>> # XXX Do real parsing here
>> return aarules.Raw_Ptrace_Rule(line)
>> @@ -3312,22 +3294,10 @@
>> data += write_mount_rules(prof_data, depth, 'allow')
>> return data
>>
>> -def write_signal_rules(prof_data, depth, allow):
>> - pre = ' ' * depth
>> - data = []
>> -
>> - # no signal rules, so return
>> - if not prof_data[allow].get('signal', False):
>> - return data
>> -
>> - for signal_rule in prof_data[allow]['signal']:
>> - data.append('%s%s' % (pre, signal_rule.serialize()))
>> - data.append('')
>> - return data
>> -
>> def write_signal(prof_data, depth):
>> - data = write_signal_rules(prof_data, depth, 'deny')
>> - data += write_signal_rules(prof_data, depth, 'allow')
>> + data = []
>> + if prof_data.get('signal', False):
>> + data = prof_data['signal'].get_clean(depth)
>> return data
>>
>> def write_ptrace_rules(prof_data, depth, allow):
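Review bot: `write_signal` now carries no docstring, and `data = []` followed by a conditional reassignment reads as a leftover of the removed two-call form; a guard clause says the same thing more directly: `if not prof_data.get('signal', False):` / `    return []` / `return prof_data['signal'].get_clean(depth)`. The guard relies on the ruleset's truthiness — if SignalRuleset defines `__len__` or `__bool__`, an empty ruleset is skipped here, matching the old `# no signal rules, so return` short-circuit; if it does not, the call presumably returns an empty list anyway, but neither is visible in this hunk. The removed writer emitted deny rules before allow rules and a trailing blank line; whether `get_clean` preserves that ordering is not shown here, so a one-line comment such as `# ordering and trailing blank line come from SignalRuleset.get_clean()` would help the next reader of the profile-serialisation code.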
>> === modified file ./utils/apparmor/rules.py
>> --- utils/apparmor/rules.py 2014-12-17 00:54:04.150444000 +0100
>> +++ utils/apparmor/rules.py 2015-10-22 23:39:29.592585653 +0200
>> @@ -71,9 +71,6 @@
>> class Raw_Mount_Rule(_Raw_Rule):
>> pass
>>
>> -class Raw_Signal_Rule(_Raw_Rule):
>> - pass
>> -
>> class Raw_Ptrace_Rule(_Raw_Rule):
>> pass
>>
>> === modified file ./utils/test/test-parser-simple-tests.py
>> --- utils/test/test-parser-simple-tests.py 2015-10-20
>> 23:43:11.058010000 +0200
>> +++ utils/test/test-parser-simple-tests.py 2015-10-23
>> 01:09:18.228609114 +0200
>> @@ -134,27 +134,7 @@
>> 'ptrace/bad_07.sd',
>> 'ptrace/bad_08.sd',
>> 'ptrace/bad_10.sd',
>> - 'signal/bad_01.sd',
>> - 'signal/bad_02.sd',
>> - 'signal/bad_03.sd',
>> - 'signal/bad_04.sd',
>> - 'signal/bad_05.sd',
>> - 'signal/bad_06.sd',
>> - 'signal/bad_07.sd',
>> - 'signal/bad_08.sd',
>> - 'signal/bad_09.sd',
>> - 'signal/bad_10.sd',
>> - 'signal/bad_11.sd',
>> - 'signal/bad_12.sd',
>> - 'signal/bad_13.sd',
>> - 'signal/bad_14.sd',
>> - 'signal/bad_15.sd',
>> - 'signal/bad_16.sd',
>> - 'signal/bad_17.sd',
>> - 'signal/bad_18.sd',
>> - 'signal/bad_19.sd',
>> - 'signal/bad_20.sd',
>> - 'signal/bad_21.sd',
>> + 'signal/bad_21.sd', # invalid regex
>> 'unix/bad_attr_1.sd',
>> 'unix/bad_attr_2.sd',
>> 'unix/bad_attr_3.sd',
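Review bot: The retained entry `'signal/bad_21.sd', # invalid regex` names what the test profile contains but not why it must stay on the known-wrong-results list; presumably SignalRule still accepts the rule because it does not validate regex syntax, but that is not visible here. Spelling the gap out, e.g. `# invalid regex - SignalRule does not validate regex syntax, so this file is still (wrongly) accepted (verify)`, tells a future SignalRule change exactly which behaviour would allow this last entry to be removed. Dropping the other twenty entries is the welcome part: those malformed signal profiles are now rejected as the parser test expects.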
>>
>> It's so nice to see much of this code finally removed, with the new class
> based rules.
>
> Thanks for the patch.
>
> Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>
>
>
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>
>
>> Regards,
>>
>> Christian Boltz
>> --
>> Wir brauchen ein "postfixbuchconf"-Kommando, damit wir Autor und Version
>> bestimmen können... ;) [Patrick Ben Koetter in postfixbuch-users]
>>
>>
>>
>
>
>
> --
> Regards,
>
> Kshitij Gupta
>
--
Regards,
Kshitij Gupta