<div dir="ltr">Hello, <div class="gmail_extra"> <div class="gmail_quote">On Wed, Apr 15, 2015 at 3:07 AM, Christian Boltz <<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello, this patch adds utils/apparmor/rule/network.py with the NetworkRule and NetworkRuleset classes. These classes are meant to handle network rules. In comparison to the existing code in aa.py, relevant news are: - the keywords are checked against a list of allowed domains, types and protocols (these lists are based on what the utils/vim/Makefile generates - on the long term an autogenerated file with the keywords for all rule types would be nice ;-) </blockquote><div>In theory you can have a script generate a python module that solely contains these keywords, which can be imported in here. Sounds pretty trivial ;-) </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> - there are variables for domain and type_or_protocol instead of first_param and second_param. (If someone is bored enough to map the protocol "shortcuts" to their expanded meaning, that shouldn't be too hard.) - (obviously) more readable code because we have everything at one place now </blockquote><div>yay! </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> - some bugs are fixed along the way (for example, "network foo" will now be kept, not "network foo bar" - see my last mail about write_net_rules() for details) [ 44-add-NetworkRule-and-NetworkRuleset-classes.diff ] === added file 'utils/apparmor/rule/network.py' --- utils/apparmor/rule/network.py 1970-01-01 00:00:00 +0000 +++ utils/apparmor/rule/network.py 2015-04-14 20:47:40 +0000 @@ -0,0 +1,210 @@ +#!/usr/bin/env python +# ---------------------------------------------------------------------- +# Copyright (C) 2013 Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com">kgupta8592@gmail.com</a>> +# Copyright (C) 2015 Christian Boltz <<a href="mailto:apparmor@cboltz.de">apparmor@cboltz.de</a>> +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# ---------------------------------------------------------------------- + +import re + +from apparmor.regex import RE_PROFILE_NETWORK +from apparmor.common import AppArmorBug, AppArmorException +from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers + +# setup module translations +from apparmor.translations import init_translation +_ = init_translation() + + +network_domain_keywords = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6', + 'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna', + 'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet', + 'ieee802154', 'caif', 'alg', 'nfc', 'vsock' ] + # missing in manpage: 'unix', 'rds', 'llc', 'can', 'tipc', 'iucv', 'rxrpc', 'isdn', 'phonet', 'ieee802154', 'caif', 'alg', 'nfc', 'vsock' + </blockquote><div>comments from others on the missing types? </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> +network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet'] +network_protocol_keywords = ['tcp', 'udp', 'icmp'] + + +RE_NETWORK_DOMAIN = '(' + '|'.join(network_domain_keywords) + ')' +RE_NETWORK_TYPE = '(' + '|'.join(network_type_keywords) + ')' +RE_NETWORK_PROTOCOL = '(' + '|'.join(network_protocol_keywords) + ')' </blockquote><div>neat! </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> + +RE_NETWORK_DETAILS = re.compile( + '^\s*(' + + '(?P<domain>' + RE_NETWORK_DOMAIN + ')(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?' + # domain, optional type or protocol </blockquote><div>exercising new/larger monitor privileges? ;-) </div><div>can be split into two lines I think. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> + '|' + # or + '(?P<protocol>' + RE_NETWORK_PROTOCOL + ')' + # protocol only + ')\s*$') </blockquote><div>The leading and trailing \s* become superfluous as __parse has: rule_details = matches.group('details').strip() </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> + </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> + + + + + + </blockquote><div>what is the standard for whitespace separation? 7 seems a bit much. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> +class NetworkRule(BaseRule): + '''Class to handle and store a single network rule''' + + # Nothing external should reference this class, all external users + # should reference the class field NetworkRule.ALL + class __NetworkAll(object): + pass + </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> + ALL = __NetworkAll + + def __init__(self, domain, type_or_protocol, audit=False, deny=False, allow_keyword=False, + comment='', log_event=None): + + ''' + NETWORK RULE = 'network' [ [ DOMAIN [ TYPE | PROTOCOL ] ] | [ PROTOCOL ] ] ',' + ''' + + super(NetworkRule, self).__init__(audit=audit, deny=deny, + allow_keyword=allow_keyword, + comment=comment, + log_event=log_event) + + self.domain = None + self.all_domains = False + if domain == NetworkRule.ALL: + self.all_domains = True + elif type(domain) == str: + if domain in network_domain_keywords: + self.domain = domain + else: + raise AppArmorBug('Passed unknown domain to NetworkRule: %s' % str(domain)) </blockquote><div>str(domain) is unnecessary, as type of domain is known to be str. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> + else: + raise AppArmorBug('Passed unknown object to NetworkRule: %s' % str(domain)) + + self.type_or_protocol = None + self.all_type_or_protocols = False + if type_or_protocol == NetworkRule.ALL: + self.all_type_or_protocols = True + elif type(type_or_protocol) == str: + if type_or_protocol in network_protocol_keywords: + self.type_or_protocol = type_or_protocol + elif type_or_protocol in network_type_keywords: + if self.all_domains: + raise AppArmorException('Passing type %s to NetworkRule without specifying a domain keyword is not allowed' % str(type_or_protocol)) </blockquote><div> </div><div>str(type_or_protocol) not required. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> + self.type_or_protocol = type_or_protocol + else: + raise AppArmorBug('Passed unknown type_or_protocol to NetworkRule: %s' % str(type_or_protocol)) </blockquote><div>str(type_or_protocol) not required. #copy paste reviews </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> + else: + raise AppArmorBug('Passed unknown object to NetworkRule: %s' % str(type_or_protocol)) + + @classmethod + def _parse(cls, raw_rule): + '''parse raw_rule and return NetworkRule''' + + matches = RE_PROFILE_NETWORK.search(raw_rule) + if not matches: + raise AppArmorException(_("Invalid network rule '%s'") % raw_rule) + + audit, deny, allow_keyword, comment = parse_modifiers(matches) + + rule_details = '' + if matches.group('details'): + rule_details = matches.group('details').strip() + + if rule_details: + details = RE_NETWORK_DETAILS.search(rule_details) + if not details: + raise AppArmorException(_("Invalid or unknown keywords in 'network %s" % rule_details)) + + if details.group('domain'): + domain = details.group('domain') + else: + domain = NetworkRule.ALL + + if details.group('type_or_protocol'): + type_or_protocol = details.group('type_or_protocol') + elif details.group('protocol'): + type_or_protocol = details.group('protocol') + else: + type_or_protocol = NetworkRule.ALL + else: + domain = NetworkRule.ALL + type_or_protocol = NetworkRule.ALL + + return NetworkRule(domain, type_or_protocol, + audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment) + + def get_clean(self, depth=0): + '''return rule (in clean/default formatting)''' + + space = ' ' * depth + + if self.all_domains: + domain = '' + elif self.domain: + domain = ' %s' % self.domain + else: + raise AppArmorBug('Empty domain in network rule') + + if self.all_type_or_protocols: + type_or_protocol = '' + elif self.type_or_protocol: + type_or_protocol = ' %s' % self.type_or_protocol + else: + raise AppArmorBug('Empty type or protocol in network rule') + + return('%s%snetwork%s%s,%s' % (space, self.modifiers_str(), domain, type_or_protocol, self.comment)) + + def is_covered_localvars(self, other_rule): + '''check if other_rule is covered by this rule object''' + + if not other_rule.domain and not other_rule.all_domains: + raise AppArmorBug('No domain specified in other network rule') + + if not other_rule.type_or_protocol and not other_rule.all_type_or_protocols: + raise AppArmorBug('No type or protocol specified in other network rule') + + if not self.all_domains: + if other_rule.all_domains: + return False + if other_rule.domain != self.domain: + return False + + if not self.all_type_or_protocols: + if other_rule.all_type_or_protocols: + return False + if other_rule.type_or_protocol != self.type_or_protocol: + return False + + # still here? -> then it is covered + return True + + def is_equal_localvars(self, rule_obj): + '''compare if rule-specific variables are equal''' + + if not type(rule_obj) == NetworkRule: + raise AppArmorBug('Passes non-network rule: %s' % str(rule_obj)) </blockquote><div>Passes or Passed? </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> + + if (self.domain != rule_obj.domain + or self.all_domains != rule_obj.all_domains): + return False + + if (self.type_or_protocol != rule_obj.type_or_protocol + or self.all_type_or_protocols != rule_obj.all_type_or_protocols): + return False + + return True + + +class NetworkRuleset(BaseRuleset): + '''Class to handle and store a collection of network rules''' + + def get_glob(self, path_or_rule): + '''Return the next possible glob. For network rules, that's "network DOMAIN," or "network," (all network)''' + # XXX return 'network DOMAIN,' + return 'network,' </blockquote><div>Thanks. </div><div>Regards, </div><div>Kshitij Gupta </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Regards, Christian Boltz -- We break the translation consistently (wow, consistent break, I like that wording) [from <a href="https://bugzilla.novell.com/show_bug.cgi?id=165509" target="_blank">https://bugzilla.novell.com/show_bug.cgi?id=165509</a>] -- AppArmor mailing list <a href="mailto:AppArmor@lists.ubuntu.com">AppArmor@lists.ubuntu.com</a> Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/apparmor" target="_blank">https://lists.ubuntu.com/mailman/listinfo/apparmor</a> </blockquote></div> </div></div>