<div dir="ltr">Hello,<br><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Apr 18, 2015 at 3:00 AM, Christian Boltz <span dir="ltr"><<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
On Thursday, 16 April 2015, Kshitij Gupta wrote:<br>
<div><div class="h5">> On Wed, Apr 15, 2015 at 3:11 AM, Christian Boltz wrote:<br>
> > Change aa.py to use NetworkRule and NetworkRuleset instead of a<br>
> > sub-hasher to store, check and write network rules. In detail:<br>
> > - drop profile_known_network() and use is_known_rule() instead<br>
> > - replace match_net_includes() usage with match_includes() calls<br>
> > - drop delete_net_duplicates(), use the code in NetworkRule(set) instead<br>
> > - make match_net_includes() (still used by aa-mergeprof) a wrapper for<br>
> > match_includes()<br>
> > - drop all the network rule parsing from parse_profile_data() and<br>
> > serialize_profile_from_old_profile() - instead, just call<br>
> > NetworkRule.parse<br>
> > - now that write_net_rules() got fixed, drop it ;-)<br>
><br>
> ;-)<br>
><br>
> > - change write_netdomain to use NetworkRuleset<br>
> > - drop netrules_access_check() - that's is_covered() now<br>
> > - use 'network' instead of 'netdomain' as storage keyword (log events<br>
> > still use 'netdomain')<br>
> ><br>
> > Also update cleanprofile.py to use the NetworkRuleset class.<br>
> > This also means deleting the (now superfluous)<br>
> > delete_net_duplicates() function.<br>
> ><br>
> > Finally, there are some changes in regex.py:<br>
> > - change RE_PROFILE_NETWORK in regex.py to named matches and to use<br>
> > RE_COMMA_EOL (not only RE_EOL)<br>
> > - drop the no longer needed RE_NETWORK_FAMILY and RE_NETWORK_FAMILY_TYPE<br>
> > (rule/network.py has regexes that check against the list of available<br>
> > keywords)<br>
> ><br>
> > Note: Some parts of this patch will only apply if you apply my other<br>
> > pending patches first.<br>
<br>
</div></div><span class="">> > [ 46-convert-to-use-NetworkRule.diff ]<br>
> ><br>
> > === modified file 'utils/apparmor/aa.py'<br>
> > --- utils/apparmor/aa.py 2015-04-11 00:20:31 +0000<br>
> > +++ utils/apparmor/aa.py 2015-04-11 18:04:51 +0000<br>
> > @@ -45,7 +45,7 @@<br>
> ><br>
> > RE_PROFILE_BOOLEAN,<br>
> > RE_PROFILE_VARIABLE,<br>
> ><br>
> > RE_PROFILE_CONDITIONAL,<br>
> ><br>
> > RE_PROFILE_CONDITIONAL_VARIABLE,<br>
> ><br>
> > RE_PROFILE_CONDITIONAL_BOOLEAN,<br>
> ><br>
> > RE_PROFILE_BARE_FILE_ENTRY,<br>
> ><br>
> > RE_PROFILE_PATH_ENTRY, RE_PROFILE_NETWORK,<br>
> > - RE_NETWORK_FAMILY_TYPE,<br>
> > RE_NETWORK_FAMILY, RE_PROFILE_CHANGE_HAT,<br>
> > + RE_PROFILE_CHANGE_HAT,<br>
><br>
> maybe move the other import to this line. half of the empty line looks<br>
> odd.<br>
<br>
</span>I expect more changes in the RE_* imports in the not-too-distant future,<br>
therefore I prefer a clean patch over a strange line length ;-)<br>
<span class=""><br>
> > @@ -54,6 +54,7 @@<br>
> ><br>
> > import apparmor.rules as aarules<br>
> ><br>
> > from apparmor.rule.capability import CapabilityRuleset,<br>
> > CapabilityRule><br>
> > +from apparmor.rule.network import NetworkRuleset, NetworkRule<br>
><br>
> strange extra spacing before import and after comma? or is it my mail<br>
> client?<br>
><br>
> from apparmor.rule import parse_modifiers<br>
<br>
</span>I added the spaces to have "columns" for the apparmor.rule.* classes.<br>
It probably looks better when viewed with a fixed-width font ;-)<br>
<span class=""><br>
> > + # init rule class (if not done yet)<br>
> > + if not profile_data[profile][hat].get('network',<br>
> > False):<br>
> > + profile_data[profile][hat]['network'] =<br>
> > CapabilityRuleset()<br>
><br>
> Wrong Ruleset type, as mentioned on IRC.<br>
<br>
</span>Good catch (even if it doesn't change anything in practice currently<br>
because the only difference in the *Ruleset classes is the (unused)<br>
get_glob() function).<br>
<br>
I also added a note to my TODO list that *Ruleset.add() should check<br>
the type of the added rule.<br>
<span class=""><br>
> The patch looks good in general (subject to the preceding two<br>
> patches being acked).<br>
><br>
> BTW is this patch proposed for 2.9 too?<br>
<br>
</span>I won't object, but currently 2.9 doesn't have apparmor/rule/ at all.<br>
This means we'd need to backport more than just this patchset, and that<br>
is a quite intrusive change.<br>
<br>
Until now, Steve didn't like that too much - but fixing the remaining<br>
bugs around network rules might be a good reason ;-) (but not for 2.9.2)<br>
<br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
That all said - here's the updated patch:<br>
<span class=""><br>
<br>
[ 46-convert-to-use-NetworkRule.diff ]<br>
<br>
=== modified file utils/apparmor/aa.py<br>
</span>--- utils/apparmor/aa.py 2015-04-17 23:11:43.386148237 +0200<br>
+++ utils/apparmor/aa.py 2015-04-17 22:57:13.635197629 +0200<br>
<span class="">@@ -45,7 +45,7 @@<br>
RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, RE_PROFILE_CONDITIONAL,<br>
RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,<br>
RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY, RE_PROFILE_NETWORK,<br>
- RE_NETWORK_FAMILY_TYPE, RE_NETWORK_FAMILY, RE_PROFILE_CHANGE_HAT,<br>
+ RE_PROFILE_CHANGE_HAT,<br>
</span><span class=""> RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT,<br>
RE_PROFILE_SIGNAL, RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT,<br>
RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,<br>
@@ -54,6 +54,7 @@<br>
import apparmor.rules as aarules<br>
<br>
from apparmor.rule.capability import CapabilityRuleset, CapabilityRule<br>
+from apparmor.rule.network import NetworkRuleset, NetworkRule<br>
</span><div><div class="h5"> from apparmor.rule import parse_modifiers<br>
<br>
from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast<br>
@@ -1450,8 +1451,6 @@<br>
if stub_profile[hat][hat].get('include', False):<br>
aa[profile][hat]['include'] = stub_profile[hat][hat]['include']<br>
<br>
- aa[profile][hat]['allow']['netdomain'] = hasher()<br>
-<br>
file_name = aa[profile][profile]['filename']<br>
filelist[file_name]['profiles'][profile][hat] = True<br>
<br>
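Review bot: the dropped `aa[profile][hat]['allow']['netdomain'] = hasher()` has no `NetworkRuleset()` counterpart in this hunk, yet later hunks call `aa[profile][hat]['network'].add(...)` on this very hat. With the old hasher a missing key was created on first access; a NetworkRuleset has to exist before `.add()` is called on it. Please confirm that every path which creates a hat (including the stub_profile copy a few lines above) ends up with `['network'] = NetworkRuleset()`, or add that initialisation here where the old one was.<br>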
@@ -1958,11 +1957,12 @@<br>
for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):<br>
# severity handling for net toggles goes here<br>
for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):<br>
- if profile_known_network(aa[profile][hat], family, sock_type):<br>
+ network_obj = NetworkRule(family, sock_type)<br>
+ if is_known_rule(aa[profile][hat], 'network', network_obj):<br>
continue<br>
default_option = 1<br>
options = []<br>
- newincludes = match_net_includes(aa[profile][hat], family, sock_type)<br>
+ newincludes = match_includes(aa[profile][hat], 'network', network_obj)<br>
q = aaui.PromptQuestion()<br>
if newincludes:<br>
options += list(map(lambda s: '#include <%s>' % s, sorted(set(newincludes))))<br>
@@ -2031,8 +2031,7 @@<br>
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)<br>
<br>
else:<br>
- aa[profile][hat]['allow']['netdomain']['audit'][family][sock_type] = audit_toggle<br>
- aa[profile][hat]['allow']['netdomain']['rule'][family][sock_type] = True<br>
+ aa[profile][hat]['network'].add(NetworkRule(family, sock_type, audit=audit_toggle))<br>
<br>
changed[profile] = True<br>
<br>
@@ -2040,7 +2039,7 @@<br>
<br>
elif ans == 'CMD_DENY':<br>
done = True<br>
- aa[profile][hat]['deny']['netdomain']['rule'][family][sock_type] = True<br>
+ aa[profile][hat]['network'].add(NetworkRule(family, sock_type, audit=audit_toggle, deny=True))<br>
changed[profile] = True<br>
aaui.UI_Info(_('Denying network access %(family)s %(type)s to profile') % { 'family': family, 'type': sock_type })<br>
<br>
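Review bot: the deny path now passes `audit=audit_toggle` into the NetworkRule, while the removed line only set `['deny']['netdomain']['rule'][family][sock_type] = True` and never recorded an audit flag for deny rules. Having deny rules honour the audit toggle is arguably the right behaviour, but it changes what gets written to the profile, so it deserves a sentence in the commit message (and a test) rather than riding along silently.<br>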
@@ -2103,31 +2102,6 @@<br>
newpath = re.sub('/[^/]+(\.[^/]+)$', '/*' + match.groups()[0], newpath)<br>
return newpath<br>
<br>
-def delete_net_duplicates(netrules, incnetrules):<br>
- deleted = 0<br>
- hasher_obj = hasher()<br>
- copy_netrules = deepcopy(netrules)<br>
- if incnetrules and netrules:<br>
- incnetglob = False<br>
- # Delete matching rules from abstractions<br>
- if incnetrules.get('all', False):<br>
- incnetglob = True<br>
- for fam in copy_netrules['rule'].keys():<br>
- if incnetglob or (type(incnetrules['rule'][fam]) != type(hasher_obj) and incnetrules['rule'][fam]):<br>
- if type(netrules['rule'][fam]) == type(hasher_obj):<br>
- deleted += len(netrules['rule'][fam].keys())<br>
- else:<br>
- deleted += 1<br>
- netrules['rule'].pop(fam)<br>
- elif type(netrules['rule'][fam]) != type(hasher_obj) and netrules['rule'][fam]:<br>
- continue<br>
- else:<br>
- for socket_type in copy_netrules['rule'][fam].keys():<br>
- if incnetrules['rule'][fam].get(socket_type, False):<br>
- netrules['rule'][fam].pop(socket_type)<br>
- deleted += 1<br>
- return deleted<br>
-<br>
def delete_path_duplicates(profile, incname, allow):<br>
deleted = []<br>
for entry in profile[allow]['path'].keys():<br>
@@ -2150,20 +2124,14 @@<br>
# only a subset allow rules may actually be denied<br>
<br>
if include.get(incname, False):<br>
- deleted += delete_net_duplicates(profile['allow']['netdomain'], include[incname][incname]['allow']['netdomain'])<br>
-<br>
- deleted += delete_net_duplicates(profile['deny']['netdomain'], include[incname][incname]['deny']['netdomain'])<br>
-<br>
+ deleted += profile['network'].delete_duplicates(include[incname][incname]['network'])<br>
deleted += profile['capability'].delete_duplicates(include[incname][incname]['capability'])<br>
<br>
deleted += delete_path_duplicates(profile, incname, 'allow')<br>
deleted += delete_path_duplicates(profile, incname, 'deny')<br>
<br>
elif filelist.get(incname, False):<br>
- deleted += delete_net_duplicates(profile['allow']['netdomain'], filelist[incname][incname]['allow']['netdomain'])<br>
-<br>
- deleted += delete_net_duplicates(profile['deny']['netdomain'], filelist[incname][incname]['deny']['netdomain'])<br>
-<br>
+ deleted += profile['network'].delete_duplicates(filelist[incname][incname]['network'])<br>
deleted += profile['capability'].delete_duplicates(filelist[incname][incname]['capability'])<br>
<br>
deleted += delete_path_duplicates(profile, incname, 'allow')<br>
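Review bot: `include[incname][incname]['network']` (and its `filelist[...]` twin in the elif branch) is only guaranteed to be a NetworkRuleset when the include file actually contained a network rule: the parse hunk further down initialises the key lazily, and `include` is a hasher(), so for an abstraction without network rules this expression yields an empty hasher rather than a ruleset. That only works because delete_duplicates() evidently treats a falsy argument as "nothing to do" (cleanprofile.py calls it with None for the same-file case). Consider initialising `['network'] = NetworkRuleset()` for every loaded include so the type is always what the ruleset expects, or have delete_duplicates() check the argument type as you already plan to do for add().<br>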
@@ -2172,25 +2140,10 @@<br>
return deleted<br>
<br>
def match_net_include(incname, family, type):<br>
- includelist = [incname]<br>
- checked = []<br>
- name = None<br>
- if includelist:<br>
- name = includelist.pop(0)<br>
- while name:<br>
- checked.append(name)<br>
- if netrules_access_check(include[name][name]['allow']['netdomain'], family, type):<br>
- return True<br>
-<br>
- if include[name][name]['include'].keys() and name not in checked:<br>
- includelist += include[name][name]['include'].keys()<br>
-<br>
- if len(includelist):<br>
- name = includelist.pop(0)<br>
- else:<br>
- name = False<br>
</div></div><span class="">+ # still used by aa-mergeprof<br>
+ network_obj = NetworkRule(family, type)<br>
+ return match_includes(incname, 'network', network_obj)<br>
<br>
</span>- return False<br></blockquote><div>Strange. The ordering of added and removed lines changed between the 2 versions of the patches.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div class="h5"><br>
def match_cap_includes(profile, capability):<br>
# still used by aa-mergeprof<br>
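Review bot: match_net_include() now passes `incname` straight through as the first argument of match_includes(), whereas the other call site in this patch (in the question loop, `match_includes(aa[profile][hat], 'network', network_obj)`) passes a profile dict, and match_cap_includes() directly below takes a `profile` too. The old body resolved the name via `include[name][name]`; unless match_includes() accepts both a name and a profile, this wrapper needs to look up `include[incname][incname]` itself. While the signature is being touched, renaming the `type` parameter (which shadows the builtin) to `sock_type` would match the rest of aa.py.<br>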
@@ -2537,7 +2490,7 @@<br>
nd = prelog[aamode][profile][hat]['netdomain']<br>
for family in nd.keys():<br>
for sock_type in nd[family].keys():<br>
- if not profile_known_network(aa[profile][hat], family, sock_type):<br>
+ if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)):<br>
log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True<br>
<br>
<br>
@@ -2713,7 +2666,7 @@<br>
<br>
profile_data[profile][hat]['flags'] = flags<br>
<br>
- profile_data[profile][hat]['allow']['netdomain'] = hasher()<br>
+ profile_data[profile][hat]['network'] = NetworkRuleset()<br>
profile_data[profile][hat]['allow']['path'] = hasher()<br>
profile_data[profile][hat]['allow']['dbus'] = list()<br>
profile_data[profile][hat]['allow']['mount'] = list()<br>
@@ -2963,34 +2916,14 @@<br>
load_include(include_name)<br>
<br>
elif RE_PROFILE_NETWORK.search(line):<br>
- matches = RE_PROFILE_NETWORK.search(line).groups()<br>
-<br>
if not profile:<br>
raise AppArmorException(_('Syntax Error: Unexpected network entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })<br>
<br>
- audit = False<br>
- if matches[0]:<br>
- audit = True<br>
- allow = 'allow'<br>
- if matches[1] and matches[1].strip() == 'deny':<br>
- allow = 'deny'<br>
- network = matches[2]<br>
+ # init rule class (if not done yet)<br>
+ if not profile_data[profile][hat].get('network', False):<br>
</div></div>+ profile_data[profile][hat]['network'] = NetworkRuleset()<br>
<span class=""><br>
- if RE_NETWORK_FAMILY_TYPE.search(network):<br>
- nmatch = RE_NETWORK_FAMILY_TYPE.search(network).groups()<br>
- fam, typ = nmatch[:2]<br>
- ##Simply ignore any type subrules if family has True (seperately for allow and deny)<br>
- ##This will lead to those type specific rules being lost when written<br>
- #if type(profile_data[profile][hat][allow]['netdomain']['rule'].get(fam, False)) == dict:<br>
- profile_data[profile][hat][allow]['netdomain']['rule'][fam][typ] = 1<br>
- profile_data[profile][hat][allow]['netdomain']['audit'][fam][typ] = audit<br>
- elif RE_NETWORK_FAMILY.search(network):<br>
- fam = RE_NETWORK_FAMILY.search(network).groups()[0]<br>
- profile_data[profile][hat][allow]['netdomain']['rule'][fam] = True<br>
- profile_data[profile][hat][allow]['netdomain']['audit'][fam] = audit<br>
- else:<br>
- profile_data[profile][hat][allow]['netdomain']['rule']['all'] = True<br>
- profile_data[profile][hat][allow]['netdomain']['audit']['all'] = audit # True<br>
+ profile_data[profile][hat]['network'].add(NetworkRule.parse(line))<br>
<br>
elif RE_PROFILE_DBUS.search(line):<br>
matches = RE_PROFILE_DBUS.search(line).groups()<br>
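Review bot: the guard `if not profile_data[profile][hat].get('network', False)` tests the ruleset's truthiness rather than its presence; should NetworkRuleset ever gain a `__len__`, an existing but still empty ruleset would be replaced by a fresh one (harmless today, a trap later). `if 'network' not in profile_data[profile][hat]:` expresses the comment's intent ("init if not done yet") exactly. Also worth a comment: this lazy init is what gives include files their 'network' key, since the unconditional `NetworkRuleset()` in the profile-start hunk above does not run for them.<br>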
</span>@@ -3387,39 +3320,10 @@<br>
<div><div class="h5"> data = prof_data['capability'].get_clean(depth)<br>
return data<br>
<br>
-def write_net_rules(prof_data, depth, allow):<br>
- pre = ' ' * depth<br>
- data = []<br>
- allowstr = set_allow_str(allow)<br>
- audit = ''<br>
- if prof_data[allow].get('netdomain', False):<br>
- if prof_data[allow]['netdomain'].get('rule', False) == 'all':<br>
- if prof_data[allow]['netdomain']['audit'].get('all', False):<br>
- audit = 'audit '<br>
- data.append('%s%snetwork,' % (pre, audit))<br>
- else:<br>
- for fam in sorted(prof_data[allow]['netdomain']['rule'].keys()):<br>
- audit = ''<br>
- if prof_data[allow]['netdomain']['rule'][fam] is True:<br>
- if prof_data[allow]['netdomain']['audit'][fam]:<br>
- audit = 'audit '<br>
- if fam == 'all':<br>
- data.append('%s%s%snetwork,' % (pre, audit, allowstr))<br>
- else:<br>
- data.append('%s%s%snetwork %s,' % (pre, audit, allowstr, fam))<br>
- else:<br>
- for typ in sorted(prof_data[allow]['netdomain']['rule'][fam].keys()):<br>
- if prof_data[allow]['netdomain']['audit'][fam].get(typ, False):<br>
- audit = 'audit '<br>
- data.append('%s%s%snetwork %s %s,' % (pre, audit, allowstr, fam, typ))<br>
- if prof_data[allow].get('netdomain', False):<br>
- data.append('')<br>
-<br>
- return data<br>
-<br>
def write_netdomain(prof_data, depth):<br>
- data = write_net_rules(prof_data, depth, 'deny')<br>
- data += write_net_rules(prof_data, depth, 'allow')<br>
+ data = []<br>
+ if prof_data.get('network', False):<br>
+ data = prof_data['network'].get_clean(depth)<br>
return data<br>
<br>
def write_dbus_rules(prof_data, depth, allow):<br>
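Review bot: write_netdomain() is now a three-line wrapper around `prof_data['network'].get_clean(depth)`, the same shape as the capability writer above it, and the storage keyword has become 'network' (the writer table below maps 'network' to this function). Renaming it to write_network() in the same patch would avoid leaving a 'netdomain' name beside a 'network' key; otherwise a short comment explaining that the log events still use 'netdomain' would help the next reader.<br>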
</div></div>@@ -3777,7 +3681,7 @@<br>
<span class=""> 'include': write_includes,<br>
'rlimit': write_rlimits,<br>
'capability': write_capabilities,<br>
- 'netdomain': write_netdomain,<br>
+ 'network': write_netdomain,<br>
'dbus': write_dbus,<br>
'mount': write_mount,<br>
'signal': write_signal,<br>
</span>@@ -3792,7 +3696,7 @@<br>
<span class=""> 'include',<br>
'rlimit',<br>
'capability',<br>
- 'netdomain',<br>
+ 'network',<br>
'dbus',<br>
'mount',<br>
'signal',<br>
</span>@@ -3808,7 +3712,7 @@<br>
<span class=""> 'include': False,<br>
'rlimit': False,<br>
'capability': False,<br>
- 'netdomain': False,<br>
+ 'network': False,<br>
'dbus': False,<br>
'mount': True, # not handled otherwise yet<br>
'signal': True, # not handled otherwise yet<br>
</span>@@ -4166,44 +4070,13 @@<br>
<div><div class="h5"> data.append(line)<br>
<br>
elif RE_PROFILE_NETWORK.search(line):<br>
- matches = RE_PROFILE_NETWORK.search(line).groups()<br>
- audit = False<br>
- if matches[0]:<br>
- audit = True<br>
- allow = 'allow'<br>
- if matches[1] and matches[1].strip() == 'deny':<br>
- allow = 'deny'<br>
- network = matches[2]<br>
- if RE_NETWORK_FAMILY_TYPE.search(network):<br>
- nmatch = RE_NETWORK_FAMILY_TYPE.search(network).groups()<br>
- fam, typ = nmatch[:2]<br>
- if write_prof_data[hat][allow]['netdomain']['rule'][fam][typ] and write_prof_data[hat][allow]['netdomain']['audit'][fam][typ] == audit:<br>
- write_prof_data[hat][allow]['netdomain']['rule'][fam].pop(typ)<br>
- write_prof_data[hat][allow]['netdomain']['audit'][fam].pop(typ)<br>
- data.append(line)<br>
- else:<br>
- correct = False<br>
-<br>
- elif RE_NETWORK_FAMILY.search(network):<br>
- fam = RE_NETWORK_FAMILY.search(network).groups()[0]<br>
- if write_prof_data[hat][allow]['netdomain']['rule'][fam] and write_prof_data[hat][allow]['netdomain']['audit'][fam] == audit:<br>
- write_prof_data[hat][allow]['netdomain']['rule'].pop(fam)<br>
- write_prof_data[hat][allow]['netdomain']['audit'].pop(fam)<br>
- data.append(line)<br>
- else:<br>
- correct = False<br>
- else:<br>
- if write_prof_data[hat][allow]['netdomain']['rule']['all'] and write_prof_data[hat][allow]['netdomain']['audit']['all'] == audit:<br>
- write_prof_data[hat][allow]['netdomain']['rule'].pop('all')<br>
- write_prof_data[hat][allow]['netdomain']['audit'].pop('all')<br>
- data.append(line)<br>
- else:<br>
- correct = False<br>
-<br>
- if correct:<br>
- if not segments['netdomain'] and True in segments.values():<br>
+ network_obj = NetworkRule.parse(line)<br>
+ if write_prof_data[hat]['network'].is_covered(network_obj, True, True):<br>
+ if not segments['network'] and True in segments.values():<br>
data += write_prior_segments(write_prof_data[name], segments, line)<br>
- segments['netdomain'] = True<br>
+ segments['network'] = True<br>
+ write_prof_data[hat]['network'].delete(network_obj)<br>
+ data.append(line)<br>
<br>
elif RE_PROFILE_CHANGE_HAT.search(line):<br>
matches = RE_PROFILE_CHANGE_HAT.search(line).groups()<br>
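Review bot: two behaviour changes in this hunk need a second look. First, `is_covered(network_obj, True, True)` answers whether the parsed line is covered by the ruleset, while the removed code required an exact match of family, type and audit flag before popping the entry; a line such as `network inet stream,` is covered by a stored `network inet,`, and the following `delete(network_obj)` then asks to remove a rule that is not actually in the set. Please check what delete() does for a rule that is merely covered (raise, or silently leave the covering rule in place so that write_prior_segments() writes it again). Second, every removed branch had an `else: correct = False`; the new code has no else, so an old-profile network line that is not covered is now dropped without marking the serialisation as mismatched. If that is intended (the user removed the rule), say so in a comment; otherwise restore the `else`. Keyword arguments instead of the two positional `True`s would also make the call self-explanatory.<br>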
</div></div>@@ -4329,41 +4202,6 @@<br>
<div><div class="h5"><br>
return False<br>
<br>
-def profile_known_network(profile, family, sock_type):<br>
- if netrules_access_check(profile['deny']['netdomain'], family, sock_type):<br>
- return -1<br>
- if netrules_access_check(profile['allow']['netdomain'], family, sock_type):<br>
- return 1<br>
-<br>
- for incname in profile['include'].keys():<br>
- if netrules_access_check(include[incname][incname]['deny']['netdomain'], family, sock_type):<br>
- return -1<br>
- if netrules_access_check(include[incname][incname]['allow']['netdomain'], family, sock_type):<br>
- return 1<br>
-<br>
- return 0<br>
-<br>
-def netrules_access_check(netrules, family, sock_type):<br>
- if not netrules:<br>
- return 0<br>
- all_net = False<br>
- all_net_family = False<br>
- net_family_sock = False<br>
- if netrules['rule'].get('all', False):<br>
- all_net = True<br>
- if netrules['rule'].get(family, False) is True:<br>
- all_net_family = True<br>
- if (netrules['rule'].get(family, False) and<br>
- type(netrules['rule'][family]) == type(hasher()) and<br>
- sock_type in netrules['rule'][family].keys() and<br>
- netrules['rule'][family][sock_type]):<br>
- net_family_sock = True<br>
-<br>
- if all_net or all_net_family or net_family_sock:<br>
- return True<br>
- else:<br>
- return False<br>
-<br>
def reload_base(bin_path):<br>
if not check_for_apparmor():<br>
return None<br>
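Review bot: the removed profile_known_network() checked deny rules before allow rules, in the profile and then in its includes, and returned -1/1/0; both callers in this patch only test the result for truthiness, so a matching deny rule suppressed the question just like an allow rule did. Please make sure is_known_rule() with 'network' gives the same answer for a logged event matched only by a deny rule (own or included), otherwise aa-logprof will start asking about events the user already denied. netrules_access_check() returning 0 for an empty ruleset but True/False otherwise was inconsistent, so its removal is welcome.<br>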
=== modified file utils/apparmor/cleanprofile.py<br>
</div></div>--- utils/apparmor/cleanprofile.py 2015-04-17 23:11:43.387148179 +0200<br>
+++ utils/apparmor/cleanprofile.py 2015-04-17 22:13:53.518974652 +0200<br>
<span class="">@@ -64,20 +64,18 @@<br>
apparmor.aa.load_include(inc)<br>
deleted += apparmor.aa.delete_duplicates(self.other.aa[program][hat], inc)<br>
<br>
- #Clean the duplicates of caps in other profile<br>
+ #Clean duplicate rules in other profile<br>
if not self.same_file:<br>
deleted += self.other.aa[program][hat]['capability'].delete_duplicates(self.profile.aa[program][hat]['capability'])<br>
+ deleted += self.other.aa[program][hat]['network'].delete_duplicates(self.profile.aa[program][hat]['network'])<br>
else:<br>
deleted += self.other.aa[program][hat]['capability'].delete_duplicates(None)<br>
+ deleted += self.other.aa[program][hat]['network'].delete_duplicates(None)<br>
<br>
#Clean the duplicates of path in other profile<br>
deleted += delete_path_duplicates(self.profile.aa[program][hat], self.other.aa[program][hat], 'allow', self.same_file)<br>
deleted += delete_path_duplicates(self.profile.aa[program][hat], self.other.aa[program][hat], 'deny', self.same_file)<br>
<br>
- #Clean the duplicates of net rules in other profile<br>
- deleted += delete_net_duplicates(self.profile.aa[program][hat]['allow']['netdomain'], self.other.aa[program][hat]['allow']['netdomain'], self.same_file)<br>
- deleted += delete_net_duplicates(self.profile.aa[program][hat]['deny']['netdomain'], self.other.aa[program][hat]['deny']['netdomain'], self.same_file)<br>
-<br>
return deleted<br>
<br>
def delete_path_duplicates(profile, profile_other, allow, same_profile=True):<br>
</span>@@ -110,33 +108,3 @@<br>
<div><div class="h5"><br>
return len(deleted)<br>
<br>
-def delete_net_duplicates(netrules, netrules_other, same_profile=True):<br>
- deleted = 0<br>
- hasher_obj = apparmor.aa.hasher()<br>
- if netrules_other and netrules:<br>
- netglob = False<br>
- # Delete matching rules<br>
- if netrules.get('all', False):<br>
- netglob = True<br>
- # Iterate over a copy of the rules in the other profile<br>
- for fam in list(netrules_other['rule'].keys()):<br>
- if netglob or (type(netrules['rule'][fam]) != type(hasher_obj) and netrules['rule'][fam]):<br>
- if not same_profile:<br>
- if type(netrules_other['rule'][fam]) == type(hasher_obj):<br>
- deleted += len(netrules_other['rule'][fam].keys())<br>
- else:<br>
- deleted += 1<br>
- netrules_other['rule'].pop(fam)<br>
- elif type(netrules_other['rule'][fam]) != type(hasher_obj) and netrules_other['rule'][fam]:<br>
- if type(netrules['rule'][fam]) != type(hasher_obj) and netrules['rule'][fam]:<br>
- if not same_profile:<br>
- netrules_other['rule'].pop(fam)<br>
- deleted += 1<br>
- else:<br>
- for sock_type in list(netrules_other['rule'][fam].keys()):<br>
- if netrules['rule'].get(fam, False):<br>
- if netrules['rule'][fam].get(sock_type, False):<br>
- if not same_profile:<br>
- netrules_other['rule'][fam].pop(sock_type)<br>
- deleted += 1<br>
- return deleted<br>
=== modified file utils/apparmor/regex.py<br>
</div></div>--- utils/apparmor/regex.py 2015-04-17 23:11:43.387148179 +0200<br>
+++ utils/apparmor/regex.py 2015-04-17 22:13:53.519974594 +0200<br>
<span class="">@@ -39,9 +39,7 @@<br>
RE_PROFILE_CONDITIONAL_BOOLEAN = re.compile('^\s*if\s+(not\s+)?defined\s+(\$\{?\w+\}?)\s*\{\s*(#.*)?$')<br>
RE_PROFILE_BARE_FILE_ENTRY = re.compile(RE_AUDIT_DENY + RE_OWNER + 'file' + RE_COMMA_EOL)<br>
RE_PROFILE_PATH_ENTRY = re.compile(RE_AUDIT_DENY + RE_OWNER + '(file\s+)?([\"@/].*?)\s+(\S+)(\s+->\s*(.*?))?' + RE_COMMA_EOL)<br>
-RE_PROFILE_NETWORK = re.compile(RE_AUDIT_DENY + 'network(.*)' + RE_EOL)<br>
-RE_NETWORK_FAMILY_TYPE = re.compile('\s+(\S+)\s+(\S+)\s*,$')<br>
-RE_NETWORK_FAMILY = re.compile('\s+(\S+)\s*,$')<br>
+RE_PROFILE_NETWORK = re.compile(RE_AUDIT_DENY + 'network(?P<details>\s+.*)?' + RE_COMMA_EOL)<br>
RE_PROFILE_CHANGE_HAT = re.compile('^\s*\^(\"??.+?\"??)' + RE_COMMA_EOL)<br>
RE_PROFILE_HAT_DEF = re.compile('^\s*(\^|hat\s+)(?P<hat>\"??.+?\"??)\s+((flags=)?\((?P<flags>.+)\)\s+)*\{' + RE_EOL)<br>
RE_PROFILE_DBUS = re.compile(RE_AUDIT_DENY + '(dbus\s*,|dbus\s+[^#]*\s*,)' + RE_EOL)<br>
<br>
<br>
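Review bot: `(?P<details>\s+.*)?` is greedy and `.*` admits commas and `#`, so lines like `network inet, stream,` or `network inet # comment,` still match RE_PROFILE_NETWORK and the whole tail is handed to NetworkRule.parse(). RE_PROFILE_DBUS on the next line constrains its body with `[^#]*`; using `\s+[^,#]*` here (or asserting in NetworkRule.parse() that `details` contains neither) keeps malformed lines from passing the line-level regex. Note also that the `details` group is None for a bare `network,`, which parse() must handle.<br>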
<br></span></blockquote><div>Thanks for the patch series, the cleanup and tests look nice!<br><br>Acked-by: Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com" target="_blank">kgupta8592@gmail.com</a>>.<br><br></div><div>Regards,<br><br></div><div>Kshitij Gupta<br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">
</span>Regards,<br>
<br>
Christian Boltz<br>
<span class=""><font color="#888888">--<br>
Well, not everything from IBM is good. Microsoft, too, hasn't produced<br>
anything remarkable apart from mice so far. [Olaf Kaluza in d.a.f.c]<br>
</font></span><div class=""><div class="h5"><br>
<br>
--<br>
AppArmor mailing list<br>
<a href="mailto:AppArmor@lists.ubuntu.com">AppArmor@lists.ubuntu.com</a><br>
Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/apparmor" target="_blank">https://lists.ubuntu.com/mailman/listinfo/apparmor</a><br>
</div></div></blockquote></div><br></div></div>