[apparmor] [Patch] utils: add limited support for af_unix rules
Steve Beattie
steve at nxnw.org
Thu Aug 28 22:07:17 UTC 2014
On Thu, Aug 28, 2014 at 10:23:10PM +0200, Christian Boltz wrote:
> On Wednesday, 27 August 2014, Steve Beattie wrote:
> Is it really that hard to use an array for all rules to test and a
> foreach loop to actually test them? I tend to NAK this (part of the)
> patch to make sure you finally learn this *g*
Hard? No. It does come with the downside that it breaks the ability of
tools like python-nose's nosetests to pull individual test cases out of
a class to run, which is useful when trying to determine why one test in
particular is failing (not needing to re-run all the tests in an
individual script). It's not such a big deal for these tests, given
their limited behavior, so I have a patch set forthcoming.
(I'll also point out that besides the currently discussed
test-unix_parse.py, I was only responsible for the initial
test-dbus_parse.py tests as well, so I'm not the only person you should
be griping at.)
> > Index: b/utils/apparmor/aa.py
> > ===================================================================
> > --- a/utils/apparmor/aa.py
> > +++ b/utils/apparmor/aa.py
> > @@ -2636,6 +2636,7 @@ RE_PROFILE_MOUNT = re.compile('^\s*(audi
> > +RE_PROFILE_UNIX =
> > re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(unix\s*,|unix\s+[^#]*\
> > s*,)\s*(#.*)?$')
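Review bot: the RE_PROFILE_UNIX pattern is a plain (non-raw) string containing `\s` escapes, as is the neighbouring RE_PROFILE_MOUNT shown in the hunk header; writing it as `re.compile(r'^\s*(audit\s+)?...')` avoids relying on Python passing unknown escapes through unchanged. Note also that `unix\s+[^#]*\s*,` accepts any non-`#` text between the keyword and the trailing comma, so this regex only classifies a line as a unix rule and does not validate its body, which is consistent with the "limited support" in the subject but worth a comment next to the definition.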
>
> I wonder what the "full" regex will look like one day (probably a bit ;-)
> longer and more interesting than what you have now)
Most definitely. Honestly, the whole thing, while a faithful
reproduction of how the perl tools functioned, needs to be restructured.
There is, for example, all the redundant code around handling deny,
audit, allow, and owner. And in the longer, longer term, we'd like to
push parsing into a library that can be used by multiple languages and
as such, would be more structured than the current approach.
> > Index: b/utils/apparmor/rules.py
> > ===================================================================
> > --- a/utils/apparmor/rules.py
> > +++ b/utils/apparmor/rules.py
> > @@ -44,6 +44,18 @@ class DBUS_Rule(object):
> > out += ','
> > return out
> >
> > +class _Raw_Rule(object):
> > + audit = False
> > + deny = False
> > +
> > + def __init__(self, rule):
> > + self.rule = rule
> > +
> > + def serialize(self):
> > + return "%s%s%s" % ('audit ' if self.audit else '',
> > + 'deny ' if self.deny else '',
> > + self.rule)
> > +
> > class Raw_DBUS_Rule(object):
> > audit = False
> > deny = False
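Review bot: `_Raw_Rule.__init__` takes only `rule`, while `audit` and `deny` are class-level defaults that `serialize()` reads, so a caller that needs `audit deny unix,` has to set the instance attributes after construction; accepting `audit=False, deny=False` keyword arguments in `__init__` and assigning them to `self` would make the flags explicit at the construction site and keep the class attributes as plain defaults.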
> > @@ -103,3 +115,6 @@ class Raw_Pivot_Root_Rule(object):
> > return "%s%s%s" % ('audit ' if self.audit else '',
> > 'deny ' if self.deny else '',
> > self.rule)
> > +
> > +class Raw_Unix_Rule(_Raw_Rule):
> > + pass
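Review bot: `Raw_Unix_Rule` has an empty body, so a one-line docstring (e.g. `"""Pass-through holder for an unparsed unix rule line."""`) would record that the class intentionally adds no behaviour beyond `_Raw_Rule`; the same `serialize()` body is still duplicated in `Raw_Pivot_Root_Rule` in the context lines above, which supports the follow-up of moving the remaining Raw_*_Rule classes onto `_Raw_Rule`.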
>
> Ah, you finally made a general class for raw rules to make things
> easier. I take this as an effort to simplify the code and hope we won't
> use it too often ;-) (and have "real" code instead)
>
> It would probably be a good idea to replace Raw_DBUS_Rule (and all other
> Raw_*_Rule classes) with _Raw_Rule, but that's worth another patch.
Yep, that's also in a forthcoming patch.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
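As an added example that is not part of this thread or the AppArmor utils, the following shows the test layout discussed above: the cases live in one array, but one test method is generated per case so a runner can still select an individual test. It exercises the RE_PROFILE_UNIX pattern exactly as it appears in the quoted hunk (rewritten as a raw string); the sample profile lines are constructed for illustration.

```python
import re
import unittest

# The pattern from the patch, as a raw string (the hunk uses a plain string,
# which relies on Python passing unknown escapes such as \s through unchanged).
RE_PROFILE_UNIX = re.compile(
    r'^\s*(audit\s+)?(allow\s+|deny\s+)?(unix\s*,|unix\s+[^#]*\s*,)\s*(#.*)?$')


def is_unix_rule(line):
    """Return True if the profile line is classified as a unix rule."""
    return RE_PROFILE_UNIX.search(line) is not None


# Constructed sample lines: (line, expected classification)
UNIX_RULE_CASES = [
    ('unix,', True),
    ('  allow unix,', True),
    ('audit deny unix (send, receive) peer=(label=foo),  # comment', True),
    ('unix (connect) addr=@foo,', True),
    ('unix', False),           # missing trailing comma
    ('unixfoo,', False),       # not the unix keyword
    ('dbus send,', False),     # a different rule type
    ('# unix,', False),        # whole line is a comment
]


class UnixParseTest(unittest.TestCase):
    """Test methods are attached below, one per entry in UNIX_RULE_CASES."""


def _make_test(line, expected):
    def test(self):
        self.assertEqual(is_unix_rule(line), expected, line)
    return test


# One named method per case, so e.g. UnixParseTest.test_unix_parse_2 can be
# run on its own while the cases themselves stay in a single array.
for i, (line, expected) in enumerate(UNIX_RULE_CASES):
    setattr(UnixParseTest, 'test_unix_parse_%d' % i, _make_test(line, expected))

if __name__ == '__main__':
    unittest.main()
```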