<div dir="ltr">Hello,<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 5, 2015 at 6:56 PM, Christian Boltz <span dir="ltr"><<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
this patch changes aa.py to use RlimitRule and RlimitRuleset instead of<br>
a sub-hasher to store and write rlimit rules. In detail:<br>
- drop all rlimit rule parsing from parse_profile_data() and<br>
  serialize_profile_from_old_profile() - instead, just call<br>
  RlimitRule.parse()<br>
- change write_rlimits() to use RlimitRuleset<br>
- add removal of superfluous/duplicate change_profile rules (the old<br>
  code didn't do this)<br>
- update the comment about aa[profile][hat] usage - rlimit and<br>
  change_profile are no longer dicts.<br>
<br>
Also cleanup RE_PROFILE_RLIMIT in regex.py - the parenthesis around<br>
'<=' are no longer needed.<br>
<br>
<br>
Note: This patch is quite small because aa-logprof doesn't ask for<br>
rlimit rules.<br>
<br>
I tested all changes manually with aa-cleanprof and aa-logprof (adding<br>
some file rules; the rlimit rules were kept unchanged).<br>
<br>
<br>
[ 44-use-RlimitRule.diff ]<br>
<br></blockquote><div>Thanks for the patch. Looks fine to me.<br><br>Acked-by: Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com" target="_blank">kgupta8592@gmail.com</a>>.    <br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
=== modified file utils/apparmor/aa.py<br>
--- utils/apparmor/aa.py        2015-06-05 14:07:18.252686648 +0200<br>
+++ utils/apparmor/aa.py        2015-06-05 14:40:18.998189733 +0200<br>
@@ -41,7 +41,7 @@<br>
                              flatten_mode, owner_flatten_mode)<br>
<br>
 from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,<br>
-                            RE_PROFILE_ALIAS, RE_PROFILE_RLIMIT,<br>
+                            RE_PROFILE_ALIAS,<br>
                             RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, RE_PROFILE_CONDITIONAL,<br>
                             RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,<br>
                             RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,<br>
@@ -56,6 +56,7 @@<br>
 from apparmor.rule.capability import CapabilityRuleset, CapabilityRule<br>
 from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule<br>
 from apparmor.rule.network    import NetworkRuleset,    NetworkRule<br>
+from apparmor.rule.rlimit     import RlimitRuleset,    RlimitRule<br>
 from apparmor.rule import parse_modifiers, quote_if_needed<br>
<br>
 from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast<br>
@@ -104,7 +105,7 @@<br>
 transitions = hasher()<br>
<br>
 # keys used in aa[profile][hat]:<br>
-# a) rules (as dict): alias, change_profile, include, lvar, rlimit<br>
+# a) rules (as dict): alias, include, lvar<br>
 # b) rules (as hasher): allow, deny<br>
 # c) one for each rule class<br>
 # d) other: declared, external, flags, name, profile, attachment, initial_comment,<br>
@@ -2069,6 +2070,7 @@<br>
         deleted += profile['network'].delete_duplicates(include[incname][incname]['network'])<br>
         deleted += profile['capability'].delete_duplicates(include[incname][incname]['capability'])<br>
         deleted += profile['change_profile'].delete_duplicates(include[incname][incname]['change_profile'])<br>
+        deleted += profile['rlimit'].delete_duplicates(include[incname][incname]['rlimit'])<br>
<br>
         deleted += delete_path_duplicates(profile, incname, 'allow')<br>
         deleted += delete_path_duplicates(profile, incname, 'deny')<br>
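Review bot: The commit description says it adds "removal of superfluous/duplicate change_profile rules", but the line added here (and the matching one in the filelist hunk below) deduplicates rlimit rules against the include's `rlimit` ruleset; the description should say rlimit. The new line follows the pattern of the capability/network/change_profile lines above it, so it assumes `include[incname][incname]['rlimit']` is already an RlimitRuleset for every include, which the patch initialises for profiles but which I cannot confirm for include files from this hunk. The enclosing function starts and ends outside the hunk.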
@@ -2077,6 +2079,7 @@<br>
         deleted += profile['network'].delete_duplicates(filelist[incname][incname]['network'])<br>
         deleted += profile['capability'].delete_duplicates(filelist[incname][incname]['capability'])<br>
         deleted += profile['change_profile'].delete_duplicates(filelist[incname][incname]['change_profile'])<br>
+        deleted += profile['rlimit'].delete_duplicates(filelist[incname][incname]['rlimit'])<br>
<br>
         deleted += delete_path_duplicates(profile, incname, 'allow')<br>
         deleted += delete_path_duplicates(profile, incname, 'deny')<br>
@@ -2597,6 +2600,7 @@<br>
<br>
             profile_data[profile][hat]['network'] = NetworkRuleset()<br>
             profile_data[profile][hat]['change_profile'] = ChangeProfileRuleset()<br>
+            profile_data[profile][hat]['rlimit'] = RlimitRuleset()<br>
             profile_data[profile][hat]['allow']['path'] = hasher()<br>
             profile_data[profile][hat]['allow']['dbus'] = list()<br>
             profile_data[profile][hat]['allow']['mount'] = list()<br>
@@ -2688,16 +2692,15 @@<br>
                     filelist[file] = hasher()<br>
                 filelist[file]['alias'][from_name] = to_name<br>
<br>
-        elif RE_PROFILE_RLIMIT.search(line):<br>
-            matches = RE_PROFILE_RLIMIT.search(line).groups()<br>
-<br>
+        elif RlimitRule.match(line):<br>
             if not profile:<br>
                 raise AppArmorException(_('Syntax Error: Unexpected rlimit entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })<br>
<br>
-            from_name = matches[0]<br>
-            to_name = matches[2]<br>
+            # init rule class (if not done yet)<br>
+            if not profile_data[profile][hat].get('rlimit', False):<br>
+                profile_data[profile][hat]['rlimit'] = RlimitRuleset()<br>
<br>
-            profile_data[profile][hat]['rlimit'][from_name] = to_name<br>
+            profile_data[profile][hat]['rlimit'].add(RlimitRule.parse(line))<br>
<br>
         elif RE_PROFILE_BOOLEAN.search(line):<br>
             matches = RE_PROFILE_BOOLEAN.search(line)<br>
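Review bot: If `RlimitRule.parse(line)` rejects a malformed or unsupported rlimit rule by raising, the error reaches the user without the file name and line number that the adjacent `AppArmorException` for the "no profile" case carries, which makes a bad profile line hard to locate. I cannot see RlimitRule.parse from here, so this is an assumption to confirm; if it holds, wrapping the parse and re-raising with the same `%(file)s`/`%(line)s` context keeps parse errors as actionable as the existing syntax error. The enclosing parser function starts and ends outside the hunk.
```python
            # … unchanged: lazy RlimitRuleset init …
            try:
                rlimit_obj = RlimitRule.parse(line)
            except AppArmorException:
                raise AppArmorException(_('Syntax Error: Invalid rlimit entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
            profile_data[profile][hat]['rlimit'].add(rlimit_obj)
```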
@@ -3227,7 +3230,10 @@<br>
     return write_pair(prof_data, depth, '', 'alias', 'alias ', ' -> ', ',', quote_if_needed)<br>
<br>
 def write_rlimits(prof_data, depth):<br>
-    return write_pair(prof_data, depth, '', 'rlimit', 'set rlimit ', ' <= ', ',', quote_if_needed)<br>
+    data = []<br>
+    if prof_data.get('rlimit', False):<br>
+        data = prof_data['rlimit'].get_clean(depth)<br>
+    return data<br>
<br>
 def var_transform(ref):<br>
     data = []<br>
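Review bot: `write_rlimits` has no docstring, and the `.get('rlimit', False)` guard deserves a word on why it is there given that the parser now initialises `rlimit` at profile start. I would add `"""Return the rlimit rules of prof_data as cleaned lines (RlimitRuleset.get_clean at the given depth), or [] when the profile stores none."""` — the return type of get_clean is presumably a list of lines, matching the `[]` default, but confirm against RlimitRuleset. The function body could also collapse to a single conditional return, but the current form is clear enough.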
@@ -3831,20 +3837,14 @@<br>
                     #To-Do<br>
                     pass<br>
<br>
-            elif RE_PROFILE_RLIMIT.search(line):<br>
-                matches = RE_PROFILE_RLIMIT.search(line).groups()<br>
+            elif RlimitRule.match(line):<br>
+                rlimit_obj = RlimitRule.parse(line)<br>
<br>
-                from_name = matches[0]<br>
-                to_name = matches[2]<br>
-<br>
-                if not write_prof_data[hat]['rlimit'][from_name] == to_name:<br>
-                    correct = False<br>
-<br>
-                if correct:<br>
+                if write_prof_data[hat]['rlimit'].is_covered(rlimit_obj, True, True):<br>
                     if not segments['rlimit'] and True in segments.values():<br>
                         data += write_prior_segments(write_prof_data[name], segments, line)<br>
                     segments['rlimit'] = True<br>
-                    write_prof_data[hat]['rlimit'].pop(from_name)<br>
+                    write_prof_data[hat]['rlimit'].delete(rlimit_obj)<br>
                     data.append(line)<br>
                 else:<br>
                     #To-Do<br>
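Review bot: `is_covered(rlimit_obj, True, True)` passes two positional booleans whose meaning a reader cannot recover from this hunk; if `is_covered` declares keyword names for these flags, pass them by keyword, otherwise a one-line comment naming what the two `True`s enable would keep the intent readable. Note also that the condition changed from an exact value comparison to a coverage check, and the unchanged `else: #To-Do` branch still silently drops an old-profile rlimit line that is not covered — worth a comment or a `# FIXME` so the behaviour change is deliberate. The enclosing serialize function starts and ends outside the hunk.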
=== modified file utils/apparmor/regex.py<br>
--- utils/apparmor/regex.py     2015-06-05 15:11:41.644540358 +0200<br>
+++ utils/apparmor/regex.py     2015-06-05 15:18:22.489599340 +0200<br>
@@ -33,7 +33,7 @@<br>
 RE_PROFILE_CAP          = re.compile(RE_AUDIT_DENY + 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL)<br>
 RE_PROFILE_LINK         = re.compile(RE_AUDIT_DENY + 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' + RE_COMMA_EOL)<br>
 RE_PROFILE_ALIAS        = re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL)<br>
-RE_PROFILE_RLIMIT       = re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*(<=)\s*(?P<value>[^ ]+)' + RE_COMMA_EOL)<br>
+RE_PROFILE_RLIMIT       = re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*<=\s*(?P<value>[^ ]+)' + RE_COMMA_EOL)<br>
 RE_PROFILE_BOOLEAN      = re.compile('^\s*(\$\{?\w*\}?)\s*=\s*(true|false)\s*,?' + RE_EOL, flags=re.IGNORECASE)<br>
 RE_PROFILE_VARIABLE     = re.compile('^\s*(@\{?\w+\}?)\s*(\+?=)\s*(@*.+?)\s*,?' + RE_EOL)<br>
 RE_PROFILE_CONDITIONAL  = re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL)<br>
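Review bot: Dropping the `(<=)` capture group renumbers the positional groups of RE_PROFILE_RLIMIT, so any remaining caller that reads `.groups()[2]` or `.group(3)` (the aa.py callers that did so are removed in this same patch) would now get the wrong group; named groups `rlimit` and `value` are unaffected, so confirm that rlimit.py uses those. As a point of style, the rewritten pattern is still a non-raw string with `\s` escapes; writing it as `r'^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*<=\s*(?P<value>[^ ]+)'` matches regex convention and avoids invalid-escape warnings on newer Python versions.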
<br>
<br>
Regards,<br>
<br>
Christian Boltz<br>
<span class=""><font color="#888888">--<br>
[von KDE 3.0.0 auf 3.0.1 updaten]<br>
> Wenn KDE 3.0.0 noch immer startet wurde 3.0.1 nicht richtig<br>
> installiert würde ich mal behaupten :)<br>
newer version, bla bla. Aber eben nicht bei "base"<br>
naja. Ich habe nun gemerkt, daß es garnicht installiert wurde. [...]<br>
Ich DAKU (dümmster anzunehmender KDE Updater)<br>
[> Matthias Hentges und Stefan Onken in suse-linux]<br>
<br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Regards,<br><br></div>Kshitij Gupta<br></div></div>
</div></div>