[apparmor] [PATCH] utils: Basic support for bare capability rules
Tyler Hicks
tyhicks at canonical.com
Thu Mar 20 00:26:38 UTC 2014
Bug: https://bugs.launchpad.net/bugs/1294819
This patch adds minimal support for bare capability rules ("capability,").
It prevents aa.py from emitting a traceback when encountering such a
rule.
It only adds the ability to parse and write the bare rule. It doesn't
attempt to be clever when deleting duplicate rules, such as realizing
that "capability audit_control," can be deleted if "capability," is also
present.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
utils/apparmor/aa.py | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index a81b495..19a140c 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -78,6 +78,9 @@ seen_events = 0 # was our
# To store the globs entered by users so they can be provided again
user_globs = []
+# The key for representing bare rules such as "capability," or "file,"
+ALL = '_ALL'
+
## Variables used under logprof
### Were our
t = hasher() # dict()
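Review bot: The sentinel `'_ALL'` lives in the same namespace as capability names read from the profile, and the new RE_PROFILE_CAP accepts any `\S+` token, so a profile line `capability _ALL,` would be stored under the same key as the bare rule and written back by write_cap_rules as `capability,`, silently widening it. apparmor_parser would presumably reject `_ALL` as a capability name, so the widening is confined to this tool's rewritten output, but that is exactly the output an admin reviews and loads. At minimum the constant deserves a comment stating the invariant, e.g. `# Must never equal a real capability name: a parsed name equal to this string is indistinguishable from the bare rule`; a non-string sentinel such as `ALL = object()` would remove the collision if the hasher keys tolerate it, which I cannot tell from here.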
@@ -2599,7 +2602,7 @@ def attach_profile_data(profiles, profile_data):
## Profile parsing regex
RE_PROFILE_START = re.compile('^\s*(("??/.+?"??)|(profile\s+("??.+?"??)))\s+((flags=)?\((.+)\)\s+)?\{\s*(#.*)?$')
RE_PROFILE_END = re.compile('^\s*\}\s*(#.*)?$')
-RE_PROFILE_CAP = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$')
+RE_PROFILE_CAP = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?capability\s*(\S+)?\s*,\s*(#.*)?$')
RE_PROFILE_LINK = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)\s*,\s*(#.*)?$')
RE_PROFILE_CHANGE_PROFILE = re.compile('^\s*change_profile\s+->\s*("??.+?"??),(#.*)?$')
RE_PROFILE_ALIAS = re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)\s*,(#.*)?$')
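Review bot: The new RE_PROFILE_CAP puts `\s*` between the keyword and the optional name, so a malformed line such as `capabilityfoo,` now matches with `foo` as the capability where the old `\s+` rejected it. Moving the whitespace inside the optional part keeps the old strictness and, with a non-capturing group, preserves group numbering so `matches[2]` in parse_profile_data and the trailing comment group are unaffected: `RE_PROFILE_CAP = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?capability(?:\s+(\S+))?\s*,\s*(#.*)?$')`. The pattern is a non-raw string like its neighbours; an `r''` prefix would be the usual style for a regex when the line is touched anyway.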
@@ -2731,7 +2734,9 @@ def parse_profile_data(data, file, do_include):
if matches[1] and matches[1].strip() == 'deny':
allow = 'deny'
- capability = matches[2]
+ capability = ALL
+ if matches[2]:
+ capability = matches[2]
profile_data[profile][hat][allow]['capability'][capability]['set'] = True
profile_data[profile][hat][allow]['capability'][capability]['audit'] = audit
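Review bot: The three added lines reduce to one, `capability = matches[2] or ALL`, which reads the same and avoids the assign-then-overwrite. Note that `matches[2]` is the third capturing group of RE_PROFILE_CAP, so any later change to that regex's grouping silently changes what is stored here; a comment such as `# group 3 of RE_PROFILE_CAP; empty for the bare "capability," rule` would make that dependency visible. parse_profile_data begins and ends outside this hunk.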
@@ -3208,7 +3213,10 @@ def write_cap_rules(prof_data, depth, allow):
if prof_data[allow]['capability'][cap].get('audit', False):
audit = 'audit '
if prof_data[allow]['capability'][cap].get('set', False):
- data.append('%s%s%scapability %s,' % (pre, audit, allowstr, cap))
+ if cap == ALL:
+ data.append('%s%s%scapability,' % (pre, audit, allowstr))
+ else:
+ data.append('%s%s%scapability %s,' % (pre, audit, allowstr, cap))
data.append('')
return data
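Review bot: The two branches in write_cap_rules differ only in whether a name follows the keyword, so the format string is duplicated; `suffix = '' if cap == ALL else ' %s' % cap` followed by `data.append('%s%s%scapability%s,' % (pre, audit, allowstr, suffix))` emits the same text with one append. This is purely how the lines are written, not what they do. write_cap_rules begins outside this hunk.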
--
1.9.0