<div dir="ltr">Hello,<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 25, 2015 at 8:57 PM, Christian Boltz <span dir="ltr"><<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
this patch changes log_dict to use profile_storage() and simplifies the<br>
log translation.<br>
<br>
a) change log_dict to profile_storage()<br>
<br>
Change collapse_log() to initialize log_dict[aamode][profile][storage]<br>
as profile_storage() instead of a hasher().<br>
<br>
This also means path events need to go into<br>
    log_dict[aamode][profile][hat]['allow']['path']<br>
instead of<br>
    log_dict[aamode][profile][hat]['path']<br>
to match the profile_storage() layout.<br>
<br>
<br>
b) Simplify log translation<br>
<br>
The translation from logparser.py's output to *Rule events was more ugly<br>
than needed. This patch removes one step.<br>
<br>
Instead of translating log_dict to log_obj in ask_the_questions(), add<br>
*Rule objects to log_dict and adjust ask_the_questions() to use log_dict<br>
instead of log_obj.<br>
<br>
This also means log_obj in ask_the_questions() is now superfluous and<br>
can be removed.<br>
<br>
<br>
c) Other small changes:<br>
<br>
- use is_known_rule() instead of .is_covered() for capability events,<br>
  which means included files are also checked now.<br>
<br>
- remove the "if rule_obj.log_event != aamode:" check, because<br>
  a) it depends on the content of *Rule.log_event (which means it<br>
     ignores events with log_event != 'ALLOWING' or 'REJECTING')<br>
  b) it's superfluous because the whole code section is wrapped in a<br>
     "for aamode in sorted(log_dict.keys())" which means we have<br>
     separate loops for enforce and complain mode already<br>
<br>
<br>
Note: I'd have preferred to have separate patches for a) and b), but<br>
both changes depend on each other (and applying only a) breaks<br>
aa-logprof), therefore I'm submitting everything as one patch.<br>
<br>
<br>
<br>
[ 45-change-log_dict-to-profile_storage.diff ]<br>
<br>
=== modified file ./utils/apparmor/aa.py<br>
--- utils/apparmor/aa.py        2015-12-25 15:10:26.931746576 +0100<br>
+++ utils/apparmor/aa.py        2015-12-25 15:12:17.323014813 +0100<br>
@@ -1646,7 +1646,6 @@<br>
 def ask_the_questions():<br>
     found = 0<br>
     global seen_events<br>
-    log_obj = hasher()<br>
     for aamode in sorted(log_dict.keys()):<br>
         # Describe the type of changes<br>
         if aamode == 'PERMITTING':<br>
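</blockquote><div>Review bot: with `log_obj = hasher()` gone, ask_the_questions() no longer builds any local storage of its own, so check whether `hasher` is still referenced anywhere else in aa.py and drop it from the imports if this was the last user.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">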
@@ -1670,35 +1669,9 @@<br>
                 hats = [profile] + hats<br>
<br>
             for hat in hats:<br>
-                log_obj[profile][hat] = profile_storage(profile, hat, 'ask_the_questions()')<br>
-<br>
-                for capability in sorted(log_dict[aamode][profile][hat]['capability'].keys()):<br>
-                    capability_obj = CapabilityRule(capability, log_event=aamode)<br>
-                    log_obj[profile][hat]['capability'].add(capability_obj)<br>
-<br>
-                for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):<br>
-                    for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):<br>
-                        network_obj = NetworkRule(family, sock_type, log_event=aamode)<br>
-                        log_obj[profile][hat]['network'].add(network_obj)<br>
-<br>
-<br>
-                for peer in sorted(log_dict[aamode][profile][hat]['ptrace'].keys()):<br>
-                    for access in sorted(log_dict[aamode][profile][hat]['ptrace'][peer].keys()):<br>
-                        ptrace_obj = PtraceRule(access, peer, log_event=aamode)<br>
-                        log_obj[profile][hat]['ptrace'].add(ptrace_obj)<br>
-<br>
-                for peer in sorted(log_dict[aamode][profile][hat]['signal'].keys()):<br>
-                    for access in sorted(log_dict[aamode][profile][hat]['signal'][peer].keys()):<br>
-                        for signal in sorted(log_dict[aamode][profile][hat]['signal'][peer][access].keys()):<br>
-                            signal_obj = SignalRule(access, signal, peer, log_event=aamode)<br>
-                            log_obj[profile][hat]['signal'].add(signal_obj)<br>
-<br>
                 for ruletype in ruletypes:<br>
-                    # XXX aa-mergeprof also has this code - if you change it, keep aa-mergeprof in sync!<br>
-                    for rule_obj in log_obj[profile][hat][ruletype].rules:<br>
-<br>
-                        if rule_obj.log_event != aamode:  # XXX does it really make sense to handle enforce and complain mode changes in different rounds?<br>
-                            continue<br>
+                    for rule_obj in log_dict[aamode][profile][hat][ruletype].rules:<br>
+                        # XXX aa-mergeprof also has this code - if you change it, keep aa-mergeprof in sync!<br></blockquote><div>sure it still does after the above change? Plus what does the *this code* even refer to? <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
                         if is_known_rule(aa[profile][hat], ruletype, rule_obj):<br>
                             continue<br>
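</blockquote><div>Review bot: the new loop `for rule_obj in log_dict[aamode][profile][hat][ruletype].rules:` assumes every hat visited here was initialised as profile_storage() by collapse_log(), but collapse_log() only does that for hats that occur in prelog, while `hats = [profile] + hats` makes this loop visit the main profile unconditionally. The removed line `log_obj[profile][hat] = profile_storage(profile, hat, 'ask_the_questions()')` used to guarantee an empty storage for each hat; if log_dict is still hasher()-based, as the commit message implies, a main profile with no events of its own now yields a bare hasher and `.rules` raises AttributeError. Either initialise missing entries here or skip hats that are not in log_dict[aamode][profile]. Separately, the "keep aa-mergeprof in sync" marker has moved inside the inner loop while "END of code (mostly) shared with aa-mergeprof" below is untouched; confirm the bracketed region still matches what aa-mergeprof carries.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">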
@@ -1789,8 +1762,8 @@<br>
                     # END of code (mostly) shared with aa-mergeprof<br>
<br>
                 # Process all the path entries.<br>
-                for path in sorted(log_dict[aamode][profile][hat]['path'].keys()):<br>
-                    mode = log_dict[aamode][profile][hat]['path'][path]<br>
+                for path in sorted(log_dict[aamode][profile][hat]['allow']['path'].keys()):<br>
+                    mode = log_dict[aamode][profile][hat]['allow']['path'][path]<br>
                     # Lookup modes from profile<br>
                     allow_mode = set()<br>
                     allow_audit = set()<br>
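</blockquote><div>Review bot: path events are the one rule type still stored as a plain path-to-mode dict under ['allow']['path'] rather than as rule objects, so this loop and the `.rules` loops above walk two different layouts of the same log_dict[aamode][profile][hat] entry. A one-line comment here (or at profile_storage()) saying that 'allow'/'path' is the legacy mode map and has no `.rules` would save the next reader from expecting the same shape for all rule types.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">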
@@ -2490,6 +2463,8 @@<br>
         for profile in prelog[aamode].keys():<br>
             for hat in prelog[aamode][profile].keys():<br>
<br>
+                log_dict[aamode][profile][hat] = profile_storage(profile, hat, 'collapse_log()')<br>
+<br>
                 for path in prelog[aamode][profile][hat]['path'].keys():<br>
                     mode = prelog[aamode][profile][hat]['path'][path]<br>
<br>
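</blockquote><div>Review bot: `log_dict[aamode][profile][hat] = profile_storage(profile, hat, 'collapse_log()')` is assigned unconditionally, so anything already stored for that aamode/profile/hat is thrown away each time collapse_log() reaches it. The merge a few lines further down, `if log_dict[aamode][profile][hat]['allow']['path'].get(path, False): mode |= ...`, only makes sense if an entry can already exist; either that merge is now dead code and can go, or collapse_log() can run more than once per hat and this assignment needs an existence check first.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">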
@@ -2506,35 +2481,37 @@<br>
                     combinedmode |= match_prof_incs_to_path(aa[profile][hat], 'allow', path)[0]<br>
<br>
                     if not combinedmode or not mode_contains(combinedmode, mode):<br>
-                        if log_dict[aamode][profile][hat]['path'].get(path, False):<br>
-                            mode |= log_dict[aamode][profile][hat]['path'][path]<br>
+                        if log_dict[aamode][profile][hat]['allow']['path'].get(path, False):<br>
+                            mode |= log_dict[aamode][profile][hat]['allow']['path'][path]<br>
<br>
-                        log_dict[aamode][profile][hat]['path'][path] = mode<br>
+                        log_dict[aamode][profile][hat]['allow']['path'][path] = mode<br>
<br>
                 for cap in prelog[aamode][profile][hat]['capability'].keys():<br>
-                    # If capability not already in profile<br>
-                    # XXX remove first check when we have proper profile initialisation<br>
-                    if aa[profile][hat].get('capability', False) and not aa[profile][hat]['capability'].is_covered(CapabilityRule(cap, log_event=True)):<br>
-                        log_dict[aamode][profile][hat]['capability'][cap] = True<br>
+                    cap_event = CapabilityRule(cap, log_event=True)<br>
+                    if not is_known_rule(aa[profile][hat], 'capability', cap_event):<br>
+                        log_dict[aamode][profile][hat]['capability'].add(cap_event)<br>
<br>
                 nd = prelog[aamode][profile][hat]['netdomain']<br>
                 for family in nd.keys():<br>
                     for sock_type in nd[family].keys():<br>
-                        if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type, log_event=True)):<br>
-                            log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True<br>
+                        net_event = NetworkRule(family, sock_type, log_event=True)<br>
+                        if not is_known_rule(aa[profile][hat], 'network', net_event):<br>
+                            log_dict[aamode][profile][hat]['network'].add(net_event)<br>
<br>
                 ptrace = prelog[aamode][profile][hat]['ptrace']<br>
                 for peer in ptrace.keys():<br>
                     for access in ptrace[peer].keys():<br>
-                        if not is_known_rule(aa[profile][hat], 'ptrace', PtraceRule(access, peer, log_event=True)):<br>
-                            log_dict[aamode][profile][hat]['ptrace'][peer][access] = True<br>
+                        ptrace_event = PtraceRule(access, peer, log_event=True)<br>
+                        if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):<br>
+                            log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)<br>
<br>
                 sig = prelog[aamode][profile][hat]['signal']<br>
                 for peer in sig.keys():<br>
                     for access in sig[peer].keys():<br>
                         for signal in sig[peer][access].keys():<br>
-                            if not is_known_rule(aa[profile][hat], 'signal', SignalRule(access, signal, peer, log_event=True)):<br>
-                                log_dict[aamode][profile][hat]['signal'][peer][access][signal] = True<br>
+                            signal_event = SignalRule(access, signal, peer, log_event=True)<br>
+                            if not is_known_rule(aa[profile][hat], 'signal', signal_event):<br>
+                                log_dict[aamode][profile][hat]['signal'].add(signal_event)<br>
<br>
<br>
 PROFILE_MODE_RE      = re.compile('^(r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|cux|Ux|Px|PUx|Cx|Pix|Cix|CUx)+$')<br>
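</blockquote><div>Review bot: the rule objects added to log_dict here are built with `log_event=True`, whereas ask_the_questions() previously rebuilt them with `log_event=aamode`; now that these objects reach ask_the_questions() directly and the `rule_obj.log_event != aamode` check is gone, any downstream code that reads `.log_event` expecting a mode string will see True instead. If nothing does, a comment stating that log_event is only a "came from the log" flag would settle the question. Two smaller points: the capability block drops the `aa[profile][hat].get('capability', False)` guard and now relies on the profile being initialised, which is consistent with how the network, ptrace and signal blocks already call is_known_rule(), so the remaining "XXX remove first check when we have proper profile initialisation" intent should be mentioned in the commit message; and the four blocks now share the same construct / is_known_rule() / add() shape, which could collapse into one loop over (ruletype, constructor) once the prelog nesting is unified.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">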
<br>
<br></blockquote><div>lgtm on the whole. Plus reducing that hasher abomination (yeah I know you're looking at me) is always welcome.<br><br>Acked-by: Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com" target="_blank">kgupta8592@gmail.com</a>>   <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Regards,<br>
<br>
Christian Boltz<br>
<span class=""><font color="#888888">--<br>
Not only beauty, but also smut, lies entirely in the eye of the beholder.<br>
[Kristian Koehntopp on the statement "frauen sind gut zu voegeln"<br>
(a pun: "women are good to birds" / "women are good to sleep with") in<br>
<a href="http://groups.google.com/groups?selm=3ejajb$ekj@picard.toppoint.de" rel="noreferrer" target="_blank">http://groups.google.com/groups?selm=3ejajb$ekj@picard.toppoint.de</a>]<br>
</font></span><br>--<br>
AppArmor mailing list<br>
<a href="mailto:AppArmor@lists.ubuntu.com">AppArmor@lists.ubuntu.com</a><br>
Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/apparmor" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/apparmor</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Regards,<br><br></div>Kshitij Gupta<br></div></div>
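<div>An added example, not code from the AppArmor utils or from the patch above, showing the shape the patch moves log_dict towards: one set of rule objects per rule type under log_dict[aamode][profile][hat], events already covered by the loaded profile dropped at collapse time, and a walk over that structure one aamode at a time the way ask_the_questions() does. The audit lines, the key/value parser, the three toy rule classes with their covers() check, and the loaded-profile dict are all constructed here and are not logparser.py, rules/*.py or profile_storage(); only the PERMITTING/REJECTING mode names and the profile//hat split follow the convention visible in the hunks.</div>

```python
"""Collapse AppArmor audit events into log_dict[aamode][profile][hat] storage.

Added example; not code from aa.py, logparser.py or rules/*.py. The sample
log, parser, rule classes and loaded profile below are all constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: apparmor="ALLOWED" is a complain-mode event,
# apparmor="DENIED" an enforce-mode one; "//" separates profile and hat.
SAMPLE_LOG = """\
type=AVC msg=audit(1451050000.100:1): apparmor="ALLOWED" operation="capable" profile="/usr/bin/foo" pid=1 comm="foo" capability=2 capname="dac_read_search"
type=AVC msg=audit(1451050000.101:2): apparmor="ALLOWED" operation="capable" profile="/usr/bin/foo" pid=1 comm="foo" capability=2 capname="dac_read_search"
type=AVC msg=audit(1451050000.102:3): apparmor="ALLOWED" operation="create" profile="/usr/bin/foo//hat" pid=1 comm="foo" family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1451050000.103:4): apparmor="DENIED" operation="capable" profile="/usr/bin/foo" pid=1 comm="foo" capability=12 capname="net_admin"
type=AVC msg=audit(1451050000.104:5): apparmor="ALLOWED" operation="ptrace" profile="/usr/bin/foo" pid=1 comm="foo" requested_mask="read" peer="/usr/bin/bar"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one audit line into a key/value dict (constructed, not logparser.py)."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}

# Toy rule classes: a profile rule covers an event when each field matches
# exactly or the rule carries the wildcard for that field.
@dataclass(frozen=True)
class CapabilityRule:
    capability: str                 # 'ALL' in a profile rule matches any capability
    def covers(self, event):
        return self.capability in ('ALL', event.capability)

@dataclass(frozen=True)
class NetworkRule:
    family: str
    sock_type: str                  # 'ALL' in a profile rule matches any socket type
    def covers(self, event):
        return (self.family in ('ALL', event.family)
                and self.sock_type in ('ALL', event.sock_type))

@dataclass(frozen=True)
class PtraceRule:
    access: str
    peer: str                       # '*' in a profile rule matches any peer
    def covers(self, event):
        return self.access == event.access and self.peer in ('*', event.peer)

RULETYPES = ('capability', 'network', 'ptrace')
AAMODE = {'ALLOWED': 'PERMITTING', 'DENIED': 'REJECTING'}   # mode names as in aa.py

def profile_storage():
    """One rule set per rule type: the layout every log_dict[aamode][profile][hat] gets."""
    return {ruletype: set() for ruletype in RULETYPES}

def is_known_rule(storage, ruletype, event):
    """True if some rule of this type already in storage covers the event."""
    return any(rule.covers(event) for rule in storage[ruletype])

def split_profile(name):
    # '/usr/bin/foo//hat' -> ('/usr/bin/foo', 'hat'); a plain profile is its own hat
    profile, sep, hat = name.partition('//')
    return profile, (hat if sep else profile)

def event_to_rule(ev):
    """Map a parsed event to (ruletype, rule); (None, None) for operations not handled here."""
    op = ev.get('operation')
    if op == 'capable':
        return 'capability', CapabilityRule(ev['capname'])
    if 'family' in ev and 'sock_type' in ev:
        return 'network', NetworkRule(ev['family'], ev['sock_type'])
    if op == 'ptrace':
        return 'ptrace', PtraceRule(ev['requested_mask'], ev['peer'])
    return None, None

def collapse_log(log_text, profiles):
    """Build log_dict[aamode][profile][hat] = profile_storage(), skipping events that
    the loaded profile (profiles[profile][hat], same layout) already covers."""
    log_dict = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        aamode = AAMODE.get(ev.get('apparmor'))
        ruletype, rule = event_to_rule(ev)
        if aamode is None or rule is None:
            continue
        profile, hat = split_profile(ev['profile'])
        storage = (log_dict.setdefault(aamode, {})
                           .setdefault(profile, {})
                           .setdefault(hat, profile_storage()))
        known = profiles.get(profile, {}).get(hat, profile_storage())
        if not is_known_rule(known, ruletype, rule):
            storage[ruletype].add(rule)          # set(): repeated events collapse
    return log_dict

def pending_rules(log_dict):
    """Walk log_dict one aamode at a time, the order an interactive tool asks in."""
    found = []
    for aamode in sorted(log_dict):
        for profile in sorted(log_dict[aamode]):
            for hat in sorted(log_dict[aamode][profile]):
                for ruletype in RULETYPES:
                    for rule in sorted(log_dict[aamode][profile][hat][ruletype], key=repr):
                        found.append((aamode, profile, hat, ruletype, rule))
    return found

# Constructed loaded profile: main profile already has dac_read_search,
# the hat already has a wildcard 'network inet' rule.
PROFILES = {'/usr/bin/foo': {
    '/usr/bin/foo': {'capability': {CapabilityRule('dac_read_search')}, 'network': set(), 'ptrace': set()},
    'hat': {'capability': set(), 'network': {NetworkRule('inet', 'ALL')}, 'ptrace': set()},
}}

if __name__ == '__main__':
    for entry in pending_rules(collapse_log(SAMPLE_LOG, PROFILES)):
        print(*entry)
```

<div>Run as a script it prints the two events the loaded profile does not already cover: the ptrace read of /usr/bin/bar from the complain-mode log and the denied net_admin capability from the enforce-mode log; the duplicated dac_read_search lines and the hat's inet stream event are dropped at collapse time because the profile already covers them, which is the point of moving the is_known_rule() check into collapse_log().</div>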
</div></div>