[apparmor] [PATCH 31/31] libapparmor: Create a private API
Christian Boltz
apparmor at cboltz.de
Sat Dec 6 14:26:28 UTC 2014
Hello,
Am Freitag, 5. Dezember 2014 schrieb Tyler Hicks:
> To kick things off, a library friendly version of is_blacklisted() is
> moved into libapparmor.
>
> The purpose of a private libapparmor API is to prevent duplicated code
> between the parser and libapparmor. This becomes an issue as we
> prepare to move chunks of the parser into libapparmor.
I'm also looking forward to using this function in the tools :-)
(even if I'll probably wait some time to allow using latest tools
with an older libapparmor)
> diff --git a/libraries/libapparmor/src/private.c
> b/libraries/libapparmor/src/private.c new file mode 100644
> index 0000000..f6f40b5
> --- /dev/null
> +++ b/libraries/libapparmor/src/private.c
> +static struct ignored_suffix_t ignored_suffixes[] = {
> + /* Debian packging files, which are in flux during install
> + should be silently ignored. */
> + { ".dpkg-new", 9, 1 },
> + { ".dpkg-old", 9, 1 },
> + { ".dpkg-dist", 10, 1 },
> + { ".dpkg-bak", 9, 1 },
> + /* RPM packaging files have traditionally not been silently
> + ignored */
> + { ".rpmnew", 7, 0 },
> + { ".rpmsave", 8, 0 },
> + /* patch file backups/conflicts */
> + { ".orig", 5, 0 },
> + { ".rej", 4, 0 },
> + /* Backup files should be mentioned */
> + { "~", 1, 0 },
> + { NULL, 0, 0 }
> +};
> +
> +int _aa_is_blacklisted(const char *name, const char *path)
> +{
> + int name_len;
> + struct ignored_suffix_t *suffix;
> +
> + /* skip dot files and files with no name */
> + if (*name == '.' || !strlen(name))
> + return 1;
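Review bot: the second column of ignored_suffixes[] hard-codes each suffix length (9, 10, 7, 8, 5, 4, 1) next to the literal it describes, so a later edit to one entry can silently desynchronise the two; a macro along the lines of `{ ".dpkg-new", sizeof(".dpkg-new") - 1, 1 }` removes the duplication. In _aa_is_blacklisted() the test `*name == '.' || !strlen(name)` is correct but reads backwards; `!*name || *name == '.'` handles the empty-name case first without a strlen() call, and since this is a library entry point a NULL `name` should be rejected explicitly rather than dereferenced. Minor: "packging" in the Debian comment.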
For comparison - this is what the tools use (from aa.py):
import re

# rpm backup files, dotfiles, emacs backup files should not be processed
# The skippable files type needs be synced with apparmor initscript
def is_skippable_file(path):
    """Returns True if filename matches something to be skipped"""
    if (re.search(r'(^|/)\.[^/]*$', path) or re.search(r'\.rpm(save|new)$', path)
            or re.search(r'\.dpkg-(old|new)$', path) or re.search(r'\.swp$', path)
            or path[-1] == '~' or path == 'README'):
        return True
I see some differences here (for example *.dpkg-dist, *.dpkg-bak,
*.orig, *.rej) - ignoring those files makes sense, so I'll come up with
a patch for aa.py in the next few days (which will also make the code a bit
more readable ;-)
Also note the "needs to be synced with apparmor initscript" comment -
it might be a good idea to add this comment also to the C code ;-)
Regards,
Christian Boltz
--
Microsoft is a cross between The Borg and the Ferengi. Unfortunately
they use Borg to do their marketing and Ferengi to do their programming.
[Simon Slavin in the SDM]
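A table-driven Python counterpart to the ignored_suffixes[] table quoted in the patch, as an added example that is not code from the patch or from aa.py: it keeps one (suffix, silent) list so the tools and libapparmor can be compared entry by entry, and covers the suffixes the message notes are missing from aa.py. The (skip, silent) return shape, the ".swp" entry and the "README" rule are assumptions carried over from the aa.py check shown above.

```python
import os

# (suffix, silent) pairs mirroring the C table; the silent flag follows the
# patch, ".swp" is an assumption carried over from aa.py (treated as not silent).
IGNORED_SUFFIXES = (
    # Debian packaging files in flux during install are silently ignored
    (".dpkg-new", True),
    (".dpkg-old", True),
    (".dpkg-dist", True),
    (".dpkg-bak", True),
    # RPM packaging files have traditionally not been silently ignored
    (".rpmnew", False),
    (".rpmsave", False),
    # patch file backups/conflicts
    (".orig", False),
    (".rej", False),
    # vim swap files (assumption: carried over from the aa.py regex)
    (".swp", False),
    # editor backup files should be mentioned
    ("~", False),
)

IGNORED_NAMES = ("README",)  # assumption: carried over from the aa.py check


def classify(path):
    """Return (skip, silent) for a profile path, following _aa_is_blacklisted():
    dot files and empty names are skipped silently, table suffixes as flagged."""
    name = os.path.basename(path)
    if not name or name.startswith("."):
        return True, True
    if name in IGNORED_NAMES:
        return True, False
    for suffix, silent in IGNORED_SUFFIXES:
        if name.endswith(suffix):
            return True, silent
    return False, False


def is_skippable_file(path):
    """Boolean wrapper with the signature of the aa.py helper."""
    return classify(path)[0]


if __name__ == "__main__":
    # constructed sample directory listing, not a real /etc/apparmor.d
    for p in ("/etc/apparmor.d/usr.sbin.cupsd", "/etc/apparmor.d/usr.sbin.cupsd.dpkg-new",
              "/etc/apparmor.d/usr.sbin.cupsd.rpmnew", "/etc/apparmor.d/.#usr.bin.foo",
              "/etc/apparmor.d/usr.bin.foo~", "/etc/apparmor.d/README"):
        skip, silent = classify(p)
        print(f"{p}: {'skip (silent)' if silent else 'skip' if skip else 'load'}")
```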