<div dir="ltr">Hello,<br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jun 7, 2015 at 7:27 PM, Christian Boltz <span dir="ltr"><<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
profile_storage() returns an empty, properly initialized profile.<br>
It doesn't explicitely init all keys (yet) and will be extended over<br></blockquote><div>nitpick: I think (and google agrees) it's "explicitly" without the _e_ ;-)<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
time, with the final goal to get rid of hasher().<br>
<br>
Also change various places in aa.py to use it (instead of an empty<br>
hasher or sub-hasher), and remove various "init rule class (if not done<br>
yet)" cases.<br>
<br>
This also avoids a crash in aa-cleanprof remove_duplicate_rules().<br>
Hats weren't properly initialized in aa.py parse_profile_data()<br>
(especially rule classes were missing), which caused a crash because<br>
hasher doesn't support the delete_duplicates() method.<br>
<br>
<br>
<br>
[ 48-add-profile_storage.diff ]<br>
<br></blockquote><div>Thanks for the patch. Looks fine to me.<br><br>Acked-by: Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com" target="_blank">kgupta8592@gmail.com</a>>. <br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
=== modified file utils/apparmor/aa.py<br>
--- utils/apparmor/aa.py 2015-06-07 14:49:41.432239728 +0200<br>
+++ utils/apparmor/aa.py 2015-06-07 15:50:58.057162382 +0200<br>
@@ -104,12 +104,6 @@<br>
t = hasher() # dict()<br>
transitions = hasher()<br>
<br>
-# keys used in aa[profile][hat]:<br>
-# a) rules (as dict): alias, include, lvar<br>
-# b) rules (as hasher): allow, deny<br>
-# c) one for each rule class<br>
-# d) other: external, flags, name, profile, attachment, initial_comment,<br>
-# profile_keyword, header_comment (these two are currently only set by set_profile_flags())<br>
aa = hasher() # Profiles originally in sd, replace by aa<br>
original_aa = hasher()<br>
extras = hasher() # Inactive profiles from extras<br>
@@ -408,8 +402,35 @@<br>
return {local_profile: extras[local_profile]}<br>
return dict()<br>
<br>
+def profile_storage():<br>
+ # keys used in aa[profile][hat]:<br>
+ # a) rules (as dict): alias, include, lvar<br>
+ # b) rules (as hasher): allow, deny<br>
+ # c) one for each rule class<br>
+ # d) other: external, flags, name, profile, attachment, initial_comment,<br>
+ # profile_keyword, header_comment (these two are currently only set by set_profile_flags())<br>
+<br>
+ # Note that this function doesn't explicitely init all those keys (yet).<br>
+ # It will be extended over time, with the final goal to get rid of hasher().<br>
+<br>
+ profile = hasher()<br>
+<br>
+ profile['capability'] = CapabilityRuleset()<br>
+ profile['change_profile'] = ChangeProfileRuleset()<br>
+ profile['network'] = NetworkRuleset()<br>
+ profile['rlimit'] = RlimitRuleset()<br>
+<br>
+ profile['allow']['path'] = hasher()<br>
+ profile['allow']['dbus'] = list()<br>
+ profile['allow']['mount'] = list()<br>
+ profile['allow']['signal'] = list()<br>
+ profile['allow']['ptrace'] = list()<br>
+ profile['allow']['pivot_root'] = list()<br>
+<br>
+ return profile<br>
+<br>
def create_new_profile(localfile, is_stub=False):<br>
- local_profile = hasher()<br>
+ local_profile = profile_storage()<br>
local_profile[localfile]['flags'] = 'complain'<br>
local_profile[localfile]['include']['abstractions/base'] = 1<br>
<br>
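Review bot: The new `local_profile = profile_storage()` in create_new_profile() initializes the wrong nesting level: the two lines that follow index it as `local_profile[localfile][...]`, so the rulesets and `allow` sub-keys created by profile_storage() sit on the outer profile-level container, while the hat-level entry `local_profile[localfile]` is still a bare auto-vivified hasher — the same uninitialized shape the commit message blames for the `delete_duplicates()` crash in aa-cleanprof. profile_storage()'s own header comment says its keys are those of `aa[profile][hat]`, so the call belongs one level down: `local_profile = hasher()` followed by `local_profile[localfile] = profile_storage()`. The rest of create_new_profile() lies outside the hunk, so if a later line there already reassigns `local_profile[localfile]` this is moot; worth confirming.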
@@ -1442,6 +1463,7 @@<br>
ynans = aaui.UI_YesNo(_('A profile for %s does not exist.\nDo you want to create one?') % exec_target, 'n')<br>
if ynans == 'y':<br>
hat = exec_target<br>
+ # XXX do we need to init the profile here?<br>
aa[profile][hat]['profile'] = True<br>
<br>
if profile != hat:<br>
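Review bot: The added `# XXX do we need to init the profile here?` leaves open a case that the rest of this patch is fixing: `aa[profile][hat]['profile'] = True` on the next line writes into a hat that, as far as the hunk shows, exists only through hasher auto-vivification and therefore has none of the rulesets profile_storage() provides. Unless another path initializes `aa[profile][hat]` before it is consumed (not visible here), the later code that expects e.g. `['capability']` to be a ruleset will hit the same missing-method failure described in the commit message. I would resolve the XXX now with the guard this patch uses elsewhere: `if not aa[profile].get(hat, False): aa[profile][hat] = profile_storage()` placed before the `['profile'] = True` assignment. The enclosing function starts and ends outside the hunk.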
@@ -1566,16 +1588,12 @@<br>
hats = [profile] + hats<br>
<br>
for hat in hats:<br>
- if not log_obj[profile][hat].get('capability', False):<br>
- log_obj[profile][hat]['capability'] = CapabilityRuleset()<br>
+ log_obj[profile][hat] = profile_storage()<br>
<br>
for capability in sorted(log_dict[aamode][profile][hat]['capability'].keys()):<br>
capability_obj = CapabilityRule(capability, log_event=aamode)<br>
log_obj[profile][hat]['capability'].add(capability_obj)<br>
<br>
- if not log_obj[profile][hat].get('network', False):<br>
- log_obj[profile][hat]['network'] = NetworkRuleset()<br>
-<br>
for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):<br>
for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):<br>
network_obj = NetworkRule(family, sock_type, log_event=aamode)<br>
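Review bot: Existing content of `log_obj[profile][hat]` is now silently discarded, because `log_obj[profile][hat] = profile_storage()` replaces the former "init only if missing" checks with an unconditional reset inside the `for hat in hats:` loop. The hunk builds `hats = [profile] + hats`, so if `hats` can already contain `profile` (I cannot tell from here) the second visit wipes the capability rules added on the first, and any entry the caller pre-populated is lost the same way — a quiet loss of learned rules in profile generation rather than an error. Preserving the old semantics is one line and matches the guard this patch adds in parse_profile_data: `if not log_obj[profile].get(hat, False): log_obj[profile][hat] = profile_storage()`. The enclosing function starts before and ends after the hunk.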
@@ -2562,6 +2580,8 @@<br>
if do_include:<br>
profile = file<br>
hat = file<br>
+ profile_data[profile][hat] = profile_storage()<br>
+<br>
for lineno, line in enumerate(data):<br>
line = line.strip()<br>
if not line:<br>
@@ -2578,6 +2598,8 @@<br>
raise AppArmorException('Profile %(profile)s defined twice in %(file)s, last found in line %(line)s' %<br>
{ 'file': file, 'line': lineno + 1, 'profile': combine_name(profile, hat) })<br>
<br>
+ profile_data[profile][hat] = profile_storage()<br>
+<br>
if attachment:<br>
profile_data[profile][hat]['attachment'] = attachment<br>
if pps_set_profile:<br>
@@ -2595,15 +2617,6 @@<br>
<br>
profile_data[profile][hat]['flags'] = flags<br>
<br>
- profile_data[profile][hat]['network'] = NetworkRuleset()<br>
- profile_data[profile][hat]['change_profile'] = ChangeProfileRuleset()<br>
- profile_data[profile][hat]['rlimit'] = RlimitRuleset()<br>
- profile_data[profile][hat]['allow']['path'] = hasher()<br>
- profile_data[profile][hat]['allow']['dbus'] = list()<br>
- profile_data[profile][hat]['allow']['mount'] = list()<br>
- profile_data[profile][hat]['allow']['signal'] = list()<br>
- profile_data[profile][hat]['allow']['ptrace'] = list()<br>
- profile_data[profile][hat]['allow']['pivot_root'] = list()<br>
# Save the initial comment<br>
if initial_comment:<br>
profile_data[profile][hat]['initial_comment'] = initial_comment<br>
@@ -2614,10 +2627,6 @@<br>
profile_data[profile][profile]['repo']['url'] = repo_data['url']<br>
profile_data[profile][profile]['repo']['user'] = repo_data['user']<br>
<br>
- # init rule classes (if not done yet)<br>
- if not profile_data[profile][hat].get('capability', False):<br>
- profile_data[profile][hat]['capability'] = CapabilityRuleset()<br>
-<br>
elif RE_PROFILE_END.search(line):<br>
# If profile ends and we're not in one<br>
if not profile:<br>
@@ -2636,10 +2645,6 @@<br>
if not profile:<br>
raise AppArmorException(_('Syntax Error: Unexpected capability entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })<br>
<br>
- # init rule class (if not done yet)<br>
- if not profile_data[profile][hat].get('capability', False):<br>
- profile_data[profile][hat]['capability'] = CapabilityRuleset()<br>
-<br>
profile_data[profile][hat]['capability'].add(CapabilityRule.parse(line))<br>
<br>
elif RE_PROFILE_LINK.search(line):<br>
@@ -2693,10 +2698,6 @@<br>
if not profile:<br>
raise AppArmorException(_('Syntax Error: Unexpected rlimit entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })<br>
<br>
- # init rule class (if not done yet)<br>
- if not profile_data[profile][hat].get('rlimit', False):<br>
- profile_data[profile][hat]['rlimit'] = RlimitRuleset()<br>
-<br>
profile_data[profile][hat]['rlimit'].add(RlimitRule.parse(line))<br>
<br>
elif RE_PROFILE_BOOLEAN.search(line):<br>
@@ -3003,11 +3004,15 @@<br>
in_contained_hat = True<br>
hat = matches.group('hat')<br>
hat = strip_quotes(hat)<br>
+<br>
+ # if hat is already known, the filelist check some lines below will error out.<br>
+ # nevertheless, just to be sure, don't overwrite existing profile_data.<br>
+ if not profile_data[profile].get(hat, False):<br>
+ profile_data[profile][hat] = profile_storage()<br>
+<br>
flags = matches.group('flags')<br>
<br>
profile_data[profile][hat]['flags'] = flags<br>
- #profile_data[profile][hat]['allow']['path'] = hasher()<br>
- #profile_data[profile][hat]['allow']['netdomain'] = hasher()<br>
<br>
if initial_comment:<br>
profile_data[profile][hat]['initial_comment'] = initial_comment<br>
<br>
<br>
Regards,<br>
<br>
Christian Boltz<br>
<span class=""><font color="#888888">--<br>
> I see no "do" in your script, so this will give you a "syntax error<br>
> near unexpected token `done'" after shutdown ;-))<br>
I've been hearing funny noises after shutdown, that must be it :-)<br>
[> Christian Boltz and Chris Maaskant in opensuse]<br>
<br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Regards,<br><br></div>Kshitij Gupta<br></div></div>
</div></div>