[apparmor] [patch] move regexes from aa.py to regex.py
Kshitij Gupta
kgupta8592 at gmail.com
Tue Nov 11 20:39:38 UTC 2014
Hello,
On Wed, Nov 12, 2014 at 1:06 AM, Christian Boltz <apparmor at cboltz.de> wrote:
> Hello,
>
> this patch moves the profile parsing regexes from aa.py to a new file,
> regex.py, and adds an "import" line so that they are still available in
> aa.py.
>
> This is needed to avoid circular dependencies in the rule classes
> (aa.py will need to import the rule classes, which also means they
> can't import something from aa.py)
>
>
It's actually a good thing; the rule classes should be as stand-alone as
possible (especially not dependent on aa.py, which is arguably the most
unstable piece of code in there).
[ move-regex.diff ]
>
> === modified file 'utils/apparmor/aa.py'
> --- utils/apparmor/aa.py 2014-11-09 00:33:40 +0000
> +++ utils/apparmor/aa.py 2014-11-10 23:27:53 +0000
> @@ -40,8 +41,9 @@
> mode_to_str_user, mode_contains, AA_OTHER,
> flatten_mode, owner_flatten_mode)
>
> +from apparmor.regex import *
>
Hmm, would it be better to import the regexes in a separate namespace?
> import apparmor.rules as aarules
>
> from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
>
Defunct code taking up space; it is only there to mark possible entry points
for YaST.
# setup module translations
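Review bot: The added `from apparmor.regex import *` does not bind names that begin with an underscore, so `__re_no_or_quoted_hash`, which this patch moves out of aa.py, is no longer defined there. If any code remaining in aa.py still refers to that helper (not visible in these hunks), the failure would be a NameError that appears only when that path runs, so it is worth searching aa.py for the name before merging. Where it is still needed, it can be imported by name, `from apparmor.regex import __re_no_or_quoted_hash`. The import block this hunk extends starts above the hunk.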
> @@ -2610,46 +2621,6 @@
> for p in profile_data.keys():
> profiles[p] = deepcopy(profile_data[p])
>
> -## Profile parsing Regex
> -RE_AUDIT_DENY =
> '^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?' # line start,
> optionally: leading whitespace, <audit> and <allow>/deny
> -RE_OWNER = '(?P<owner>owner\s+)?' # optionally: <owner>
> -RE_EOL = '\s*(?P<comment>#.*?)?\s*$' # optional
> whitespace, optional <comment>, optional whitespace, end of the line
> -RE_COMMA_EOL = '\s*,' + RE_EOL # optional whitespace, comma +
> RE_EOL
> -
> -RE_PROFILE_START =
> re.compile('^\s*("?(/.+?)"??|(profile\s+"?(.+?)"??))\s+((flags=)?\((.+)\)\s+)?\{'
> + RE_EOL)
> -RE_PROFILE_END = re.compile('^\s*\}' + RE_EOL)
> -RE_PROFILE_CAP = re.compile(RE_AUDIT_DENY +
> 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL)
> -RE_PROFILE_LINK = re.compile(RE_AUDIT_DENY +
> 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' +
> RE_COMMA_EOL)
> -RE_PROFILE_CHANGE_PROFILE =
> re.compile('^\s*change_profile\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
> -RE_PROFILE_ALIAS =
> re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
> -RE_PROFILE_RLIMIT =
> re.compile('^\s*set\s+rlimit\s+(.+)\s+(<=)?\s*(.+)' + RE_COMMA_EOL)
> -RE_PROFILE_BOOLEAN =
> re.compile('^\s*(\$\{?\w*\}?)\s*=\s*(true|false)\s*,?' + RE_EOL,
> flags=re.IGNORECASE)
> -RE_PROFILE_VARIABLE =
> re.compile('^\s*(@\{?\w+\}?)\s*(\+?=)\s*(@*.+?)\s*,?' + RE_EOL)
> -RE_PROFILE_CONDITIONAL =
> re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL)
> -RE_PROFILE_CONDITIONAL_VARIABLE =
> re.compile('^\s*if\s+(not\s+)?defined\s+(@\{?\w+\}?)\s*\{\s*(#.*)?$')
> -RE_PROFILE_CONDITIONAL_BOOLEAN =
> re.compile('^\s*if\s+(not\s+)?defined\s+(\$\{?\w+\}?)\s*\{\s*(#.*)?$')
> -RE_PROFILE_BARE_FILE_ENTRY = re.compile(RE_AUDIT_DENY + RE_OWNER + 'file'
> + RE_COMMA_EOL)
> -RE_PROFILE_PATH_ENTRY = re.compile(RE_AUDIT_DENY + RE_OWNER +
> '(file\s+)?([\"@/].*?)\s+(\S+)(\s+->\s*(.*?))?' + RE_COMMA_EOL)
> -RE_PROFILE_NETWORK = re.compile(RE_AUDIT_DENY + 'network(.*)' +
> RE_EOL)
> -RE_NETWORK_FAMILY_TYPE = re.compile('\s+(\S+)\s+(\S+)\s*,$')
> -RE_NETWORK_FAMILY = re.compile('\s+(\S+)\s*,$')
> -RE_PROFILE_CHANGE_HAT = re.compile('^\s*\^(\"??.+?\"??)' + RE_COMMA_EOL)
> -RE_PROFILE_HAT_DEF =
> re.compile('^\s*(\^|hat\s+)(?P<hat>\"??.+?\"??)\s+((flags=)?\((?P<flags>.+)\)\s+)*\{'
> + RE_EOL)
> -RE_PROFILE_DBUS = re.compile(RE_AUDIT_DENY +
> '(dbus\s*,|dbus\s+[^#]*\s*,)' + RE_EOL)
> -RE_PROFILE_MOUNT = re.compile(RE_AUDIT_DENY +
> '((mount|remount|umount|unmount)(\s+[^#]*)?\s*,)' + RE_EOL)
> -RE_PROFILE_SIGNAL = re.compile(RE_AUDIT_DENY +
> '(signal\s*,|signal\s+[^#]*\s*,)' + RE_EOL)
> -RE_PROFILE_PTRACE = re.compile(RE_AUDIT_DENY +
> '(ptrace\s*,|ptrace\s+[^#]*\s*,)' + RE_EOL)
> -RE_PROFILE_PIVOT_ROOT = re.compile(RE_AUDIT_DENY +
> '(pivot_root\s*,|pivot_root\s+[^#]*\s*,)' + RE_EOL)
> -RE_PROFILE_UNIX = re.compile(RE_AUDIT_DENY +
> '(unix\s*,|unix\s+[^#]*\s*,)' + RE_EOL)
> -
> -# match anything that's not " or #, or matching quotes with anything
> except quotes inside
> -__re_no_or_quoted_hash = '([^#"]|"[^"]*")*'
> -
> -RE_RULE_HAS_COMMA = re.compile('^' + __re_no_or_quoted_hash +
> - ',\s*(#.*)?$') # match comma plus any trailing comment
> -RE_HAS_COMMENT_SPLIT = re.compile('^(?P<not_comment>' +
> __re_no_or_quoted_hash + ')' + # store in 'not_comment' group
> - '(?P<comment>#.*)$') # match trailing comment and store in 'comment'
> group
> -
> def parse_profile_data(data, file, do_include):
> profile_data = hasher()
> profile = None
>
> === added file 'utils/apparmor/regex.py'
> --- utils/apparmor/regex.py 1970-01-01 00:00:00 +0000
> +++ utils/apparmor/regex.py 2014-11-11 19:24:06 +0000
> @@ -0,0 +1,59 @@
> +# ----------------------------------------------------------------------
> +# Copyright (C) 2013 Kshitij Gupta <kgupta8592 at gmail.com>
> +# Copyright (C) 2014 Christian Boltz <apparmor at cboltz.de>
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License as published by the Free Software Foundation.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# ----------------------------------------------------------------------
> +
> +import re
> +
> +## Profile parsing Regex
> +RE_AUDIT_DENY =
> '^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?' # line start,
> optionally: leading whitespace, <audit> and <allow>/deny
> +RE_OWNER = '(?P<owner>owner\s+)?' # optionally: <owner>
> +RE_EOL = '\s*(?P<comment>#.*?)?\s*$' # optional
> whitespace, optional <comment>, optional whitespace, end of the line
> +RE_COMMA_EOL = '\s*,' + RE_EOL # optional whitespace, comma +
> RE_EOL
> +
> +RE_PROFILE_START =
> re.compile('^\s*("?(/.+?)"??|(profile\s+"?(.+?)"??))\s+((flags=)?\((.+)\)\s+)?\{'
> + RE_EOL)
> +RE_PROFILE_END = re.compile('^\s*\}' + RE_EOL)
> +RE_PROFILE_CAP = re.compile(RE_AUDIT_DENY +
> 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL)
> +RE_PROFILE_LINK = re.compile(RE_AUDIT_DENY +
> 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' +
> RE_COMMA_EOL)
> +RE_PROFILE_CHANGE_PROFILE =
> re.compile('^\s*change_profile\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
> +RE_PROFILE_ALIAS =
> re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
> +RE_PROFILE_RLIMIT =
> re.compile('^\s*set\s+rlimit\s+(.+)\s+(<=)?\s*(.+)' + RE_COMMA_EOL)
> +RE_PROFILE_BOOLEAN =
> re.compile('^\s*(\$\{?\w*\}?)\s*=\s*(true|false)\s*,?' + RE_EOL,
> flags=re.IGNORECASE)
> +RE_PROFILE_VARIABLE =
> re.compile('^\s*(@\{?\w+\}?)\s*(\+?=)\s*(@*.+?)\s*,?' + RE_EOL)
> +RE_PROFILE_CONDITIONAL =
> re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL)
> +RE_PROFILE_CONDITIONAL_VARIABLE =
> re.compile('^\s*if\s+(not\s+)?defined\s+(@\{?\w+\}?)\s*\{\s*(#.*)?$')
> +RE_PROFILE_CONDITIONAL_BOOLEAN =
> re.compile('^\s*if\s+(not\s+)?defined\s+(\$\{?\w+\}?)\s*\{\s*(#.*)?$')
> +RE_PROFILE_BARE_FILE_ENTRY = re.compile(RE_AUDIT_DENY + RE_OWNER + 'file'
> + RE_COMMA_EOL)
> +RE_PROFILE_PATH_ENTRY = re.compile(RE_AUDIT_DENY + RE_OWNER +
> '(file\s+)?([\"@/].*?)\s+(\S+)(\s+->\s*(.*?))?' + RE_COMMA_EOL)
> +RE_PROFILE_NETWORK = re.compile(RE_AUDIT_DENY + 'network(.*)' +
> RE_EOL)
> +RE_NETWORK_FAMILY_TYPE = re.compile('\s+(\S+)\s+(\S+)\s*,$')
> +RE_NETWORK_FAMILY = re.compile('\s+(\S+)\s*,$')
> +RE_PROFILE_CHANGE_HAT = re.compile('^\s*\^(\"??.+?\"??)' + RE_COMMA_EOL)
> +RE_PROFILE_HAT_DEF =
> re.compile('^\s*(\^|hat\s+)(?P<hat>\"??.+?\"??)\s+((flags=)?\((?P<flags>.+)\)\s+)*\{'
> + RE_EOL)
> +RE_PROFILE_DBUS = re.compile(RE_AUDIT_DENY +
> '(dbus\s*,|dbus\s+[^#]*\s*,)' + RE_EOL)
> +RE_PROFILE_MOUNT = re.compile(RE_AUDIT_DENY +
> '((mount|remount|umount|unmount)(\s+[^#]*)?\s*,)' + RE_EOL)
> +RE_PROFILE_SIGNAL = re.compile(RE_AUDIT_DENY +
> '(signal\s*,|signal\s+[^#]*\s*,)' + RE_EOL)
> +RE_PROFILE_PTRACE = re.compile(RE_AUDIT_DENY +
> '(ptrace\s*,|ptrace\s+[^#]*\s*,)' + RE_EOL)
> +RE_PROFILE_PIVOT_ROOT = re.compile(RE_AUDIT_DENY +
> '(pivot_root\s*,|pivot_root\s+[^#]*\s*,)' + RE_EOL)
> +RE_PROFILE_UNIX = re.compile(RE_AUDIT_DENY +
> '(unix\s*,|unix\s+[^#]*\s*,)' + RE_EOL)
> +
> +# match anything that's not " or #, or matching quotes with anything
> except quotes inside
> +__re_no_or_quoted_hash = '([^#"]|"[^"]*")*'
> +
> +RE_RULE_HAS_COMMA = re.compile('^' + __re_no_or_quoted_hash +
> + ',\s*(#.*)?$') # match comma plus any trailing comment
> +RE_HAS_COMMENT_SPLIT = re.compile('^(?P<not_comment>' +
> __re_no_or_quoted_hash + ')' + # store in 'not_comment' group
> + '(?P<comment>#.*)$') # match trailing comment and store in 'comment'
> group
> +
> +
> +
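Review bot: Every pattern in the new regex.py is an ordinary string literal containing `\s`, `\S`, `\w`, `\$` and similar sequences, which Python treats as unrecognized escapes; they work only because the interpreter keeps the backslash, and newer interpreters emit a warning for them. Writing the literals as raw strings, for example `RE_EOL = r'\s*(?P<comment>#.*?)?\s*$'`, keeps the matching behaviour the same and removes the reliance on that fallback. Since these expressions decide how profile lines are classified, now that they live in their own module a few match/no-match unit tests per pattern would be a cheap way to pin that behaviour during the conversion.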
>
Too many empty lines at the end of the file. Are they needed?
lgtm.
Thanks for the patch.
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>
Regards,
Kshitij Gupta
>
> Regards,
>
> Christian Boltz
> --
> Ei, wie lustig sie aufeinander losgehen. Flugs das Listenarchiv auf CD
> gebrannt und das ganze als "SimRatti" verkauft. Steuern sie den kleinen
> Helden durch Angriffswellen von Neidern, die die Erde mit Personal-
> ausweisen bedrohen. Nu ist aber gut. ;-) [Ratti in suse-linux]
>
>