[apparmor] [patch] [08/38] Drop dead code in aa.py handle_children()

Christian Boltz apparmor at cboltz.de
Fri Aug 12 20:48:13 UTC 2016


Hello,

The 'exec' handling in handle_children starts with

     if do_execute:
         if profile_known_exec(...):
             continue

which means if profile_known_exec() returns True, the rest of the loop
will be skipped. profile_known_exec() will return True if it finds an
exec rule in the profile or an include (independent of the exec type,
and (thanks to rematchfrag()) even if the path is globbed).

Later in the loop, there are checks for various exec modes - but those
checks can only be reached without an existing x rule, so they'll never
be hit.

This patch removes the dead code in the handle_children() / 'exec' / 'no
existing x rule found' section.

I confirmed that this code is really dead by
a) reading the code and, after being confused
b) two manual aa-logprof runs with coverage enabled - in one of them, I
   added some ix, Px and Cx rules, and in the second one, no more exec
   rules were needed/asked.

After dropping the dead code, combinedmode and combinedaudit are no
longer used, so we can also drop the code that sets those variables.


Sidenote: this patch drops 2% of the lines in aa.py ;-)


[ 08-handle-children-drop-dead-code.diff ]

=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py	2016-01-25 22:45:25 +0000
+++ utils/apparmor/aa.py	2016-02-04 00:19:29 +0000
@@ -36,7 +36,7 @@
 
 import apparmor.ui as aaui
 
-from apparmor.aamode import (str_to_mode, mode_to_str, contains, split_mode,
+from apparmor.aamode import (str_to_mode, mode_to_str, split_mode,
                              mode_to_str_user, mode_contains, AA_OTHER,
                              flatten_mode, owner_flatten_mode)
 
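Review bot: dropping `contains` from the `apparmor.aamode` import is only safe if the call sites removed in the second hunk were the last users of `contains()` in aa.py; this hunk shows only the import line, so please confirm with a grep for `contains(` across aa.py before merging, otherwise the module will raise NameError at the first remaining call.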
@@ -1208,106 +1208,12 @@
                         context_new = context_new + '^%s' % hat
                     context_new = context_new + ' -> %s' % exec_target
 
-                    combinedmode = set()
-                    combinedaudit = set()
-                    ## Check return Value Consistency
-                    # Check if path matches any existing regexps in profile
-                    cm, am, m = rematchfrag(aa[profile][hat], 'allow', exec_target)
-                    if cm:
-                        combinedmode |= cm
-                    if am:
-                        combinedaudit |= am
-
-                    if combinedmode & str_to_mode('x'):
-                        nt_name = None
-                        for entr in m:
-                            if aa[profile][hat]['allow']['path'].get(entr, False):
-                                nt_name = entr
-                                break
-                        if to_name and to_name != nt_name:
-                            pass
-                        elif nt_name:
-                            to_name = nt_name
-                    ## Check return value consistency
-                    # Check if the includes from profile match
-                    cm, am, m = match_prof_incs_to_path(aa[profile][hat], 'allow', exec_target)
-                    if cm:
-                        combinedmode |= cm
-                    if am:
-                        combinedaudit |= am
-                    if combinedmode & str_to_mode('x'):
-                        nt_name = None
-                        for entr in m:
-                            if aa[profile][hat]['allow']['path'][entry]['to']:
-                                nt_name = aa[profile][hat]['allow']['path'][entry]['to']
-                                break
-                        if to_name and to_name != nt_name:
-                            pass
-                        elif nt_name:
-                            to_name = nt_name
-
                     # nx is not used in profiles but in log files.
                     # Log parsing methods will convert it to its profile form
                     # nx is internally cx/px/cix/pix + to_name
                     exec_mode = False
-                    if contains(combinedmode, 'pix'):
-                        if to_name:
-                            ans = 'CMD_nix'
-                        else:
-                            ans = 'CMD_pix'
-                        exec_mode = str_to_mode('pixr')
-                    elif contains(combinedmode, 'cix'):
-                        if to_name:
-                            ans = 'CMD_nix'
-                        else:
-                            ans = 'CMD_cix'
-                        exec_mode = str_to_mode('cixr')
-                    elif contains(combinedmode, 'Pix'):
-                        if to_name:
-                            ans = 'CMD_nix_safe'
-                        else:
-                            ans = 'CMD_pix_safe'
-                        exec_mode = str_to_mode('Pixr')
-                    elif contains(combinedmode, 'Cix'):
-                        if to_name:
-                            ans = 'CMD_nix_safe'
-                        else:
-                            ans = 'CMD_cix_safe'
-                        exec_mode = str_to_mode('Cixr')
-                    elif contains(combinedmode, 'ix'):
-                        ans = 'CMD_ix'
-                        exec_mode = str_to_mode('ixr')
-                    elif contains(combinedmode, 'px'):
-                        if to_name:
-                            ans = 'CMD_nx'
-                        else:
-                            ans = 'CMD_px'
-                        exec_mode = str_to_mode('px')
-                    elif contains(combinedmode, 'cx'):
-                        if to_name:
-                            ans = 'CMD_nx'
-                        else:
-                            ans = 'CMD_cx'
-                        exec_mode = str_to_mode('cx')
-                    elif contains(combinedmode, 'ux'):
-                        ans = 'CMD_ux'
-                        exec_mode = str_to_mode('ux')
-                    elif contains(combinedmode, 'Px'):
-                        if to_name:
-                            ans = 'CMD_nx_safe'
-                        else:
-                            ans = 'CMD_px_safe'
-                        exec_mode = str_to_mode('Px')
-                    elif contains(combinedmode, 'Cx'):
-                        if to_name:
-                            ans = 'CMD_nx_safe'
-                        else:
-                            ans = 'CMD_cx_safe'
-                        exec_mode = str_to_mode('Cx')
-                    elif contains(combinedmode, 'Ux'):
-                        ans = 'CMD_ux_safe'
-                        exec_mode = str_to_mode('Ux')
-                    else:
+
+                    if True:
                         options = cfg['qualifiers'].get(exec_target, 'ipcnu')
                         if to_name:
                             fatal_error(_('%s has transition name but not transition mode') % entry)
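Review bot: the `if True:` that replaces the old `else:` at the end of this hunk is a placeholder that leaves the former else-body indented one level too deep; dedent that block (starting at `options = cfg['qualifiers'].get(exec_target, 'ipcnu')`) instead of keeping an always-true condition, or state in the commit message that a follow-up patch does the re-indentation. Two smaller points in the same hunk: the removed include-matching loop reads `aa[profile][hat]['allow']['path'][entry]['to']` while iterating over `entr`, so it would have raised on its first execution, which independently supports the claim that this code was never reached; and with all `exec_mode = str_to_mode(...)` assignments gone, `exec_mode = False` together with the "nx is internally cx/px/cix/pix + to_name" comment above it now describe a value that is never set to anything else, so either remove them too or note why they are kept.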
Regards,

Christian Boltz
-- 
My computers have been a nature reserve
for penguins for a year. ;))           [Michael Raab in suse-linux]