<div dir="ltr">Hello,<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 25, 2015 at 8:57 PM, Christian Boltz <span dir="ltr"><<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
this patch changes log_dict to use profile_storage() and simplifies the<br>
log translation.<br>
<br>
a) change log_dict to profile_storage()<br>
<br>
Change collapse_log() to initialize log_dict[aamode][profile][storage]<br>
as profile_storage() instead of a hasher().<br>
<br>
This also means path events need to go into<br>
log_dict[aamode][profile][hat]['allow']['path']<br>
instead of<br>
log_dict[aamode][profile][hat]['path']<br>
to match the profile_storage() layout.<br>
<br>
<br>
b) Simplify log translation<br>
<br>
The translation from logparser.py's output to *Rule events was more ugly<br>
than needed. This patch removes one step.<br>
<br>
Instead of translating log_dict to log_obj in ask_the_questions(), add<br>
*Rule objects to log_dict and adjust ask_the_questions() to use log_dict<br>
instead of log_obj.<br>
<br>
This also means log_obj in ask_the_questions() is now superfluous and<br>
can be removed.<br>
<br>
<br>
c) Other small changes:<br>
<br>
- use is_known_rule() instead of .is_covered() for capability events,<br>
which means included files are also checked now.<br>
<br>
- remove the "if rule_obj.log_event != aamode:" check, because<br>
a) it depends on the content of *Rule.log_event (which means it<br>
ignores events with log_event != 'ALLOWING' or 'REJECTING')<br>
b) it's superfluous because the whole code section is wrapped in a<br>
"for aamode in sorted(log.dict.keys())" which means we have<br>
separate loops for enforce and complain mode already<br>
<br>
<br>
Note: I'd have preferred to have separate patches for a) and b), but<br>
both changes depend on each other (and applying only a) breaks<br>
aa-logprof), therefore I'm submitting everything as one patch.<br>
<br>
<br>
<br>
[ 45-change-log_dict-to-profile_storage.diff ]<br>
<br>
=== modified file ./utils/apparmor/aa.py<br>
--- utils/apparmor/aa.py 2015-12-25 15:10:26.931746576 +0100<br>
+++ utils/apparmor/aa.py 2015-12-25 15:12:17.323014813 +0100<br>
@@ -1646,7 +1646,6 @@<br>
def ask_the_questions():<br>
found = 0<br>
global seen_events<br>
- log_obj = hasher()<br>
for aamode in sorted(log_dict.keys()):<br>
# Describe the type of changes<br>
if aamode == 'PERMITTING':<br>
@@ -1670,35 +1669,9 @@<br>
hats = [profile] + hats<br>
<br>
for hat in hats:<br>
- log_obj[profile][hat] = profile_storage(profile, hat, 'ask_the_questions()')<br>
-<br>
- for capability in sorted(log_dict[aamode][profile][hat]['capability'].keys()):<br>
- capability_obj = CapabilityRule(capability, log_event=aamode)<br>
- log_obj[profile][hat]['capability'].add(capability_obj)<br>
-<br>
- for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):<br>
- for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):<br>
- network_obj = NetworkRule(family, sock_type, log_event=aamode)<br>
- log_obj[profile][hat]['network'].add(network_obj)<br>
-<br>
-<br>
- for peer in sorted(log_dict[aamode][profile][hat]['ptrace'].keys()):<br>
- for access in sorted(log_dict[aamode][profile][hat]['ptrace'][peer].keys()):<br>
- ptrace_obj = PtraceRule(access, peer, log_event=aamode)<br>
- log_obj[profile][hat]['ptrace'].add(ptrace_obj)<br>
-<br>
- for peer in sorted(log_dict[aamode][profile][hat]['signal'].keys()):<br>
- for access in sorted(log_dict[aamode][profile][hat]['signal'][peer].keys()):<br>
- for signal in sorted(log_dict[aamode][profile][hat]['signal'][peer][access].keys()):<br>
- signal_obj = SignalRule(access, signal, peer, log_event=aamode)<br>
- log_obj[profile][hat]['signal'].add(signal_obj)<br>
-<br>
for ruletype in ruletypes:<br>
- # XXX aa-mergeprof also has this code - if you change it, keep aa-mergeprof in sync!<br>
- for rule_obj in log_obj[profile][hat][ruletype].rules:<br>
-<br>
- if rule_obj.log_event != aamode: # XXX does it really make sense to handle enforce and complain mode changes in different rounds?<br>
- continue<br>
+ for rule_obj in log_dict[aamode][profile][hat][ruletype].rules:<br>
+ # XXX aa-mergeprof also has this code - if you change it, keep aa-mergeprof in sync!<br></blockquote><div>sure it still does after the above change? Plus what does the *this code* even refer to? <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
if is_known_rule(aa[profile][hat], ruletype, rule_obj):<br>
continue<br>
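</blockquote><div>Review bot: the prompt order in ask_the_questions() becomes non-deterministic with this hunk. The removed loops walked sorted(log_dict[aamode][profile][hat]['capability'].keys()) (and did the same for netdomain, ptrace and signal), whereas the new `for rule_obj in log_dict[aamode][profile][hat][ruletype].rules:` iterates the rule list in the order collapse_log() added the events, which comes from unsorted .keys() iteration over prelog. Consider sorting the rules here (or sorting the prelog keys in collapse_log()) so users get a stable question order. One more thing to double-check: `hats = [profile] + hats` means the loop also visits the profile itself, and with log_obj gone the `.rules` access assumes collapse_log() created a profile_storage() for every one of those hats; a hat that never appears in prelog would still be a plain hasher() entry and fail on `.rules`.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">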
@@ -1789,8 +1762,8 @@<br>
# END of code (mostly) shared with aa-mergeprof<br>
<br>
# Process all the path entries.<br>
- for path in sorted(log_dict[aamode][profile][hat]['path'].keys()):<br>
- mode = log_dict[aamode][profile][hat]['path'][path]<br>
+ for path in sorted(log_dict[aamode][profile][hat]['allow']['path'].keys()):<br>
+ mode = log_dict[aamode][profile][hat]['allow']['path'][path]<br>
# Lookup modes from profile<br>
allow_mode = set()<br>
allow_audit = set()<br>
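</blockquote><div>Review bot: the loop under `# Process all the path entries.` now reads only log_dict[aamode][profile][hat]['allow']['path']; a one-line comment there saying that collapse_log() fills only the 'allow' branch of the profile_storage() layout for path events would document why no 'deny' counterpart is handled in this loop.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">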
@@ -2490,6 +2463,8 @@<br>
for profile in prelog[aamode].keys():<br>
for hat in prelog[aamode][profile].keys():<br>
<br>
+ log_dict[aamode][profile][hat] = profile_storage(profile, hat, 'collapse_log()')<br>
+<br>
for path in prelog[aamode][profile][hat]['path'].keys():<br>
mode = prelog[aamode][profile][hat]['path'][path]<br>
<br>
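</blockquote><div>Review bot: `log_dict[aamode][profile][hat] = profile_storage(profile, hat, 'collapse_log()')` runs unconditionally for every (aamode, profile, hat) in prelog, so anything already stored under that key is discarded each time collapse_log() is entered. The old hasher() accumulated instead, and the path code further down still expects accumulation (`if log_dict[aamode][profile][hat]['allow']['path'].get(path, False): mode |= ...`), which can never be true directly after a fresh profile_storage() because each path key of prelog is visited exactly once. Either guard the assignment (only create the storage when the key is absent) or drop the now-dead merge lines, so the two places agree.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">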
@@ -2506,35 +2481,37 @@<br>
combinedmode |= match_prof_incs_to_path(aa[profile][hat], 'allow', path)[0]<br>
<br>
if not combinedmode or not mode_contains(combinedmode, mode):<br>
- if log_dict[aamode][profile][hat]['path'].get(path, False):<br>
- mode |= log_dict[aamode][profile][hat]['path'][path]<br>
+ if log_dict[aamode][profile][hat]['allow']['path'].get(path, False):<br>
+ mode |= log_dict[aamode][profile][hat]['allow']['path'][path]<br>
<br>
- log_dict[aamode][profile][hat]['path'][path] = mode<br>
+ log_dict[aamode][profile][hat]['allow']['path'][path] = mode<br>
<br>
for cap in prelog[aamode][profile][hat]['capability'].keys():<br>
- # If capability not already in profile<br>
- # XXX remove first check when we have proper profile initialisation<br>
- if aa[profile][hat].get('capability', False) and not aa[profile][hat]['capability'].is_covered(CapabilityRule(cap, log_event=True)):<br>
- log_dict[aamode][profile][hat]['capability'][cap] = True<br>
+ cap_event = CapabilityRule(cap, log_event=True)<br>
+ if not is_known_rule(aa[profile][hat], 'capability', cap_event):<br>
+ log_dict[aamode][profile][hat]['capability'].add(cap_event)<br>
<br>
nd = prelog[aamode][profile][hat]['netdomain']<br>
for family in nd.keys():<br>
for sock_type in nd[family].keys():<br>
- if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type, log_event=True)):<br>
- log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True<br>
+ net_event = NetworkRule(family, sock_type, log_event=True)<br>
+ if not is_known_rule(aa[profile][hat], 'network', net_event):<br>
+ log_dict[aamode][profile][hat]['network'].add(net_event)<br>
<br>
ptrace = prelog[aamode][profile][hat]['ptrace']<br>
for peer in ptrace.keys():<br>
for access in ptrace[peer].keys():<br>
- if not is_known_rule(aa[profile][hat], 'ptrace', PtraceRule(access, peer, log_event=True)):<br>
- log_dict[aamode][profile][hat]['ptrace'][peer][access] = True<br>
+ ptrace_event = PtraceRule(access, peer, log_event=True)<br>
+ if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):<br>
+ log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)<br>
<br>
sig = prelog[aamode][profile][hat]['signal']<br>
for peer in sig.keys():<br>
for access in sig[peer].keys():<br>
for signal in sig[peer][access].keys():<br>
- if not is_known_rule(aa[profile][hat], 'signal', SignalRule(access, signal, peer, log_event=True)):<br>
- log_dict[aamode][profile][hat]['signal'][peer][access][signal] = True<br>
+ signal_event = SignalRule(access, signal, peer, log_event=True)<br>
+ if not is_known_rule(aa[profile][hat], 'signal', signal_event):<br>
+ log_dict[aamode][profile][hat]['signal'].add(signal_event)<br>
<br>
<br>
PROFILE_MODE_RE = re.compile('^(r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|cux|Ux|Px|PUx|Cx|Pix|Cix|CUx)+$')<br>
<br>
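</blockquote><div>Review bot: the capability branch drops the `aa[profile][hat].get('capability', False)` guard (and its XXX note about proper profile initialisation) and relies on `is_known_rule(aa[profile][hat], 'capability', cap_event)` alone; please confirm that is_known_rule() copes with a profile that has no 'capability' entry yet, otherwise the removed guard needs to live inside it. Apart from that the change is consistent with the network, ptrace and signal branches, which already used is_known_rule(), and it matches item c) of the description.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">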
<br></blockquote><div>lgtm on the whole. Plus reducing that hasher abomination (yeah, I know you're looking at me) is always welcome.<br><br>Acked-by: Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com" target="_blank">kgupta8592@gmail.com</a>> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Regards,<br>
<br>
Christian Boltz<br>
<span class=""><font color="#888888">--<br>
Not only beauty, but also smut lies solely<br>
in the eye of the beholder.<br>
[Kristian Koehntopp on the statement "women are good for screwing" in<br>
<a href="http://groups.google.com/groups?selm=3ejajb$ekj@picard.toppoint.de" rel="noreferrer" target="_blank">http://groups.google.com/groups?selm=3ejajb$ekj@picard.toppoint.de</a>]<br>
</font></span><br>--<br>
AppArmor mailing list<br>
<a href="mailto:AppArmor@lists.ubuntu.com">AppArmor@lists.ubuntu.com</a><br>
Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/apparmor" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/apparmor</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Regards,<br><br></div>Kshitij Gupta<br></div></div>
</div></div>