[apparmor] Fwd: [patch] Change aa.py to use SignalRule and SignalRuleset

Kshitij Gupta kgupta8592 at gmail.com
Wed Nov 18 22:20:40 UTC 2015


On Fri, Oct 23, 2015 at 6:51 PM, Christian Boltz <apparmor at cboltz.de> wrote:

> Hello,
>
> this patch changes aa.py to use SignalRule and SignalRuleset.
>
> This means:
> - import the classes instead of RE_PROFILE_SIGNAL
> - simplify signal rule parsing a lot
> - drop the (now unused) functions parse_signal_rule() and
> write_signal_rules()
> - change write_signal() to use the SignalRuleset class
>
> Also drop the now unused Raw_Signal_Rule from rules.py.
>
> Finally, drop most parser signal tests from the "known wrong results"
> blacklist in test-parser-simple-tests.py because those tests succeed
> with SignalRule.
>
>
> [ 09-use-SignalRule.diff ]
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-10-21 22:36:34.763596559 +0200
> +++ utils/apparmor/aa.py        2015-10-22 23:42:25.162303886 +0200
> @@ -47,7 +47,7 @@
>                              RE_PROFILE_BARE_FILE_ENTRY,
> RE_PROFILE_PATH_ENTRY,
>                              RE_PROFILE_CHANGE_HAT,
>                              RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS,
> RE_PROFILE_MOUNT,
> -                            RE_PROFILE_SIGNAL, RE_PROFILE_PTRACE,
> RE_PROFILE_PIVOT_ROOT,
> +                            RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT,
>                              RE_PROFILE_UNIX, RE_RULE_HAS_COMMA,
> RE_HAS_COMMENT_SPLIT,
>                              strip_quotes, parse_profile_start_line,
> re_match_include )
>
> @@ -57,6 +57,7 @@
>  from apparmor.rule.change_profile import ChangeProfileRuleset,
> ChangeProfileRule
>  from apparmor.rule.network    import NetworkRuleset,    NetworkRule
>  from apparmor.rule.rlimit     import RlimitRuleset,    RlimitRule
> +from apparmor.rule.signal     import SignalRuleset,    SignalRule
>  from apparmor.rule import parse_modifiers, quote_if_needed
>
>  from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
> @@ -463,11 +464,11 @@
>      profile['change_profile']   = ChangeProfileRuleset()
>      profile['network']          = NetworkRuleset()
>      profile['rlimit']           = RlimitRuleset()
> +    profile['signal']           = SignalRuleset()
>
>      profile['allow']['path'] = hasher()
>      profile['allow']['dbus'] = list()
>      profile['allow']['mount'] = list()
> -    profile['allow']['signal'] = list()
>      profile['allow']['ptrace'] = list()
>      profile['allow']['pivot_root'] = list()
>
> @@ -2919,27 +2921,11 @@
>              mount_rules.append(mount_rule)
>              profile_data[profile][hat][allow]['mount'] = mount_rules
>
> -        elif RE_PROFILE_SIGNAL.search(line):
> -            matches = RE_PROFILE_SIGNAL.search(line).groups()
> -
> +        elif SignalRule.match(line):
>              if not profile:
>                  raise AppArmorException(_('Syntax Error: Unexpected
> signal entry found in file: %(file)s line: %(line)s') % { 'file': file,
> 'line': lineno + 1 })
>
> -            audit = False
> -            if matches[0]:
> -                audit = True
> -            allow = 'allow'
> -            if matches[1] and matches[1].strip() == 'deny':
> -                allow = 'deny'
> -            signal = matches[2].strip()
> -
> -            signal_rule = parse_signal_rule(signal)
> -            signal_rule.audit = audit
> -            signal_rule.deny = (allow == 'deny')
> -
> -            signal_rules =
> profile_data[profile][hat][allow].get('signal', list())
> -            signal_rules.append(signal_rule)
> -            profile_data[profile][hat][allow]['signal'] = signal_rules
> +
> profile_data[profile][hat]['signal'].add(SignalRule.parse(line))
>
>          elif RE_PROFILE_PTRACE.search(line):
>              matches = RE_PROFILE_PTRACE.search(line).groups()
> @@ -3106,10 +3092,6 @@
>      # XXX Do real parsing here
>      return aarules.Raw_Mount_Rule(line)
>
> -def parse_signal_rule(line):
> -    # XXX Do real parsing here
> -    return aarules.Raw_Signal_Rule(line)
> -
>  def parse_ptrace_rule(line):
>      # XXX Do real parsing here
>      return aarules.Raw_Ptrace_Rule(line)
> @@ -3312,22 +3294,10 @@
>      data += write_mount_rules(prof_data, depth, 'allow')
>      return data
>
> -def write_signal_rules(prof_data, depth, allow):
> -    pre = '  ' * depth
> -    data = []
> -
> -    # no signal rules, so return
> -    if not prof_data[allow].get('signal', False):
> -        return data
> -
> -    for signal_rule in prof_data[allow]['signal']:
> -        data.append('%s%s' % (pre, signal_rule.serialize()))
> -    data.append('')
> -    return data
> -
>  def write_signal(prof_data, depth):
> -    data = write_signal_rules(prof_data, depth, 'deny')
> -    data += write_signal_rules(prof_data, depth, 'allow')
> +    data = []
> +    if prof_data.get('signal', False):
> +        data = prof_data['signal'].get_clean(depth)
>      return data
>
>  def write_ptrace_rules(prof_data, depth, allow):
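Review bot: `write_signal` now returns whatever `get_clean(depth)` yields, whereas the removed `write_signal_rules` wrote deny rules before allow rules and appended a trailing `''` separator line; whether `get_clean` reproduces that ordering and spacing is not visible here and should be confirmed against the output of the other ruleset-based `write_*` functions so the serialised profile stays consistent. `prof_data.get('signal', False)` also relies on the ruleset's truthiness, so if `SignalRuleset` does not define `__len__`/`__bool__` the branch is taken even for an empty ruleset — fine only if `get_clean` then returns `[]`. The body reads more directly as guard clauses: `if not prof_data.get('signal'):` / `    return []` / `return prof_data['signal'].get_clean(depth)`.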
> === modified file ./utils/apparmor/rules.py
> --- utils/apparmor/rules.py     2014-12-17 00:54:04.150444000 +0100
> +++ utils/apparmor/rules.py     2015-10-22 23:39:29.592585653 +0200
> @@ -71,9 +71,6 @@
>  class Raw_Mount_Rule(_Raw_Rule):
>      pass
>
> -class Raw_Signal_Rule(_Raw_Rule):
> -    pass
> -
>  class Raw_Ptrace_Rule(_Raw_Rule):
>      pass
>
> === modified file ./utils/test/test-parser-simple-tests.py
> --- utils/test/test-parser-simple-tests.py      2015-10-20
> 23:43:11.058010000 +0200
> +++ utils/test/test-parser-simple-tests.py      2015-10-23
> 01:09:18.228609114 +0200
> @@ -134,27 +134,7 @@
>      'ptrace/bad_07.sd',
>      'ptrace/bad_08.sd',
>      'ptrace/bad_10.sd',
> -    'signal/bad_01.sd',
> -    'signal/bad_02.sd',
> -    'signal/bad_03.sd',
> -    'signal/bad_04.sd',
> -    'signal/bad_05.sd',
> -    'signal/bad_06.sd',
> -    'signal/bad_07.sd',
> -    'signal/bad_08.sd',
> -    'signal/bad_09.sd',
> -    'signal/bad_10.sd',
> -    'signal/bad_11.sd',
> -    'signal/bad_12.sd',
> -    'signal/bad_13.sd',
> -    'signal/bad_14.sd',
> -    'signal/bad_15.sd',
> -    'signal/bad_16.sd',
> -    'signal/bad_17.sd',
> -    'signal/bad_18.sd',
> -    'signal/bad_19.sd',
> -    'signal/bad_20.sd',
> -    'signal/bad_21.sd',
> +    'signal/bad_21.sd',  # invalid regex
>      'unix/bad_attr_1.sd',
>      'unix/bad_attr_2.sd',
>      'unix/bad_attr_3.sd',
>
It's so nice to see much of this code finally removed with the new class-based
rules.

Thanks for the patch.

Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>


> Regards,
>
> Christian Boltz
> --
> Wir brauchen ein "postfixbuchconf"-Kommando, damit wir Autor und Version
> bestimmen können... ;)        [Patrick Ben Koetter in postfixbuch-users]
>
>
>



-- 
Regards,

Kshitij Gupta



-- 
Regards,

Kshitij Gupta