[apparmor] [patch] [18/38] Re-add globbing support for file rules to aa-logprof
Christian Boltz
apparmor at cboltz.de
Fri Aug 12 20:57:41 UTC 2016
Hello,
$subject.
This change also needs some other changes in ask_the_questions():
- set q.options and q.selected inside the loop (because glob() and
glob_ext() add another option)
- set 'selection' outside the if block to avoid doing it in nearly every
if branch
- make sure to add the selected rule, not just rule_obj (which doesn't
reflect a modified rule, for example a globbed one)
- skip 'deny' if an #include is selected
- re-add handling for CMD_GLOB and CMD_GLOB_EXT (was lost when switching
to FileRule)
- add selection_to_rule_obj() helper function
- add glob and glob with ext buttons in available_buttons() if
rule_obj.can_glob or rule_obj.can_glob_ext
Also apply the changes in ask_the_questions() to aa-mergeprof to keep it
in sync with aa.py, and disable the old path handling in aa-mergeprof.
Note: in its current state, aa-mergeprof will ask for some "superfluous"
file permissions, and doesn't check for 'x' conflicts. One of the
following patches will fix that.
[ 18-re-add-globbing-to-logprof.diff ]
=== modified file ./utils/aa-mergeprof
--- utils/aa-mergeprof 2016-03-28 19:59:06.747495905 +0200
+++ utils/aa-mergeprof 2016-03-28 20:00:21.247141040 +0200
@@ -18,8 +18,8 @@
import apparmor.cleanprofile as cleanprofile
import apparmor.ui as aaui
-from apparmor.aa import (available_buttons, combine_name, delete_duplicates,
- get_profile_filename, is_known_rule, match_includes)
+from apparmor.aa import (add_to_options, available_buttons, combine_name, delete_duplicates,
+ get_profile_filename, is_known_rule, match_includes, selection_to_rule_obj)
from apparmor.common import AppArmorException
from apparmor.regex import re_match_include
@@ -320,7 +320,9 @@
# Process all the path entries.
for allow in ['allow', 'deny']:
- for path in sorted(other.aa[profile][hat][allow]['path'].keys()):
+ if False: # XXX
+ #for path in sorted(other.aa[profile][hat][allow]['path'].keys()):
+ path = None # XXX needed to keep 'make check' happy
#print(path, other.aa[profile][hat][allow]['path'][path])
mode = other.aa[profile][hat][allow]['path'][path]['mode']
@@ -647,11 +649,11 @@
options += list(map(lambda inc: '#include <%s>' % inc, sorted(set(newincludes))))
options.append(rule_obj.get_clean())
- q.options = options
- q.selected = default_option - 1
done = False
while not done:
+ q.options = options
+ q.selected = default_option - 1
q.headers = [_('Profile'), combine_name(profile, hat)]
q.headers += rule_obj.logprof_header()
@@ -664,6 +666,7 @@
q.default = q.functions[0]
ans, selected = q.promptUser()
+ selection = options[selected]
if ans == 'CMD_IGNORE_ENTRY':
done = True
break
@@ -686,8 +689,6 @@
done = True
changed[profile] = True
- selection = options[selected]
-
inc = re_match_include(selection)
if inc:
deleted = delete_duplicates(aa[profile][hat], inc)
@@ -699,18 +700,36 @@
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
else:
+ rule_obj = selection_to_rule_obj(rule_obj, selection)
aa[profile][hat][ruletype].add(rule_obj)
aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
elif ans == 'CMD_DENY':
- done = True
- changed[profile] = True
+ if re_match_include(selection):
+ aaui.UI_Important("Denying via an include file isn't supported by the AppArmor tools")
+
+ else:
+ done = True
+ changed[profile] = True
+
+ rule_obj = selection_to_rule_obj(rule_obj, selection)
+ rule_obj.deny = True
+ rule_obj.raw_rule = None # reset raw rule after manually modifying rule_obj
+ aa[profile][hat][ruletype].add(rule_obj)
+ aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
- rule_obj.deny = True
- rule_obj.raw_rule = None # reset raw rule after manually modifying rule_obj
- aa[profile][hat][ruletype].add(rule_obj)
- aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
+ elif ans == 'CMD_GLOB':
+ if not re_match_include(selection):
+ globbed_rule_obj = selection_to_rule_obj(rule_obj, selection)
+ globbed_rule_obj.glob()
+ options, default_option = add_to_options(options, globbed_rule_obj.get_raw())
+
+ elif ans == 'CMD_GLOBEXT':
+ if not re_match_include(selection):
+ globbed_rule_obj = selection_to_rule_obj(rule_obj, selection)
+ globbed_rule_obj.glob_ext()
+ options, default_option = add_to_options(options, globbed_rule_obj.get_raw())
else:
done = False
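Review bot: A CMD_GLOB or CMD_GLOBEXT press while an `#include` option is highlighted is silently ignored by the two new branches (`if not re_match_include(selection):` with no `else`), whereas the neighbouring CMD_DENY branch reports the unsupported case with `aaui.UI_Important`; the user gets no feedback and the prompt simply redraws. The same two branches appear verbatim in aa.py's hunk `@@ -1610,23 +1610,45 @@`, so the fix applies there too. Since the branches differ only in the `glob()` versus `glob_ext()` call, merging them with a single include check and a single message keeps the feedback in one place. Note that a glob widens the path the rule matches, but the widened text is only appended to `options` and is still added to the profile solely through the CMD_ALLOW/CMD_DENY branches, so no rule changes as a side effect of the keypress. `ask_the_questions()` starts outside this hunk.
```python
elif ans in ('CMD_GLOB', 'CMD_GLOBEXT'):
    if re_match_include(selection):
        aaui.UI_Important("Globbing isn't possible for an #include, select a file rule first")
    else:
        globbed_rule_obj = selection_to_rule_obj(rule_obj, selection)
        if ans == 'CMD_GLOB':
            globbed_rule_obj.glob()
        else:
            globbed_rule_obj.glob_ext()
        # the widened rule only becomes an extra option; it reaches the
        # profile solely through the CMD_ALLOW / CMD_DENY branches above
        options, default_option = add_to_options(options, globbed_rule_obj.get_raw())
# … unchanged: final else / done = False …
```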
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2016-03-28 19:59:06.747495905 +0200
+++ utils/apparmor/aa.py 2016-03-28 19:42:02.839188332 +0200
@@ -1550,13 +1550,13 @@
options += list(map(lambda inc: '#include <%s>' % inc, sorted(set(newincludes))))
options.append(rule_obj.get_clean())
- q.options = options
- q.selected = default_option - 1
seen_events += 1
done = False
while not done:
+ q.options = options
+ q.selected = default_option - 1
q.headers = [_('Profile'), combine_name(profile, hat)]
q.headers += rule_obj.logprof_header()
@@ -1575,6 +1575,8 @@
q.default = 'CMD_ALLOW'
ans, selected = q.promptUser()
+ selection = options[selected]
+
if ans == 'CMD_IGNORE_ENTRY':
done = True
break
@@ -1597,8 +1599,6 @@
done = True
changed[profile] = True
- selection = options[selected]
-
inc = re_match_include(selection)
if inc:
deleted = delete_duplicates(aa[profile][hat], inc)
@@ -1610,23 +1610,45 @@
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
else:
+ rule_obj = selection_to_rule_obj(rule_obj, selection)
aa[profile][hat][ruletype].add(rule_obj)
aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
elif ans == 'CMD_DENY':
- done = True
- changed[profile] = True
+ if re_match_include(selection):
+ aaui.UI_Important("Denying via an include file isn't supported by the AppArmor tools")
+
+ else:
+ done = True
+ changed[profile] = True
- rule_obj.deny = True
- rule_obj.raw_rule = None # reset raw rule after manually modifying rule_obj
- aa[profile][hat][ruletype].add(rule_obj)
- aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
+ rule_obj = selection_to_rule_obj(rule_obj, selection)
+ rule_obj.deny = True
+ rule_obj.raw_rule = None # reset raw rule after manually modifying rule_obj
+ aa[profile][hat][ruletype].add(rule_obj)
+ aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
+
+ elif ans == 'CMD_GLOB':
+ if not re_match_include(selection):
+ globbed_rule_obj = selection_to_rule_obj(rule_obj, selection)
+ globbed_rule_obj.glob()
+ options, default_option = add_to_options(options, globbed_rule_obj.get_raw())
+
+ elif ans == 'CMD_GLOBEXT':
+ if not re_match_include(selection):
+ globbed_rule_obj = selection_to_rule_obj(rule_obj, selection)
+ globbed_rule_obj.glob_ext()
+ options, default_option = add_to_options(options, globbed_rule_obj.get_raw())
else:
done = False
# END of code (mostly) shared with aa-mergeprof
+def selection_to_rule_obj(rule_obj, selection):
+ rule_type = type(rule_obj)
+ return rule_type.parse(selection)
+
def ask_the_questions_OLD_FILE_CODE(): # XXX unused
global seen_events
# Process all the path entries.
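Review bot: The new `selection_to_rule_obj()` helper has no docstring, and its contract matters because the CMD_ALLOW and CMD_DENY paths above now add the object it returns instead of the original `rule_obj`: it re-parses the selected text with `type(rule_obj).parse()`, so whatever the text does not encode is not carried over from the original object. A docstring such as `'''Return a fresh rule of rule_obj's type parsed from the option text *selection*. Only what the text encodes survives; attributes of rule_obj not reflected in it are dropped.'''` would make that explicit. Whether `parse()` raises on text it cannot handle is not visible here; the inputs are limited to the program's own `get_clean()`/`get_raw()` output because the include case is filtered out before every call in this hunk, which is worth stating in the docstring too. `selection_to_rule_obj()` is complete within the hunk, while `ask_the_questions()` starts outside it.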
@@ -1932,6 +1954,12 @@
buttons += ['CMD_DENY', 'CMD_IGNORE_ENTRY']
+ if rule_obj.can_glob:
+ buttons += ['CMD_GLOB']
+
+ if rule_obj.can_glob_ext:
+ buttons += ['CMD_GLOBEXT']
+
if rule_obj.audit:
buttons += ['CMD_AUDIT_OFF']
else:
Regards,
Christian Boltz
--
Always file a bug: if it's not in Bugzilla, then it's not there ;)
[Pascal Bleser in opensuse-factory]