[apparmor] [patch] Change aa.py to use SignalRule and SignalRuleset
Christian Boltz
apparmor at cboltz.de
Fri Oct 23 13:21:04 UTC 2015
Hello,
this patch changes aa.py to use SignalRule and SignalRuleset.
This means:
- import the classes instead of RE_PROFILE_SIGNAL
- simplify signal rule parsing a lot
- drop the (now unused) functions parse_signal_rule() and write_signal_rules()
- change write_signal() to use the SignalRuleset class
Also drop the now unused Raw_Signal_Rule from rules.py.
Finally, drop most parser signal tests from the "known wrong results"
blacklist in test-parser-simple-tests.py because those tests succeed
with SignalRule.
[ 09-use-SignalRule.diff ]
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-10-21 22:36:34.763596559 +0200
+++ utils/apparmor/aa.py 2015-10-22 23:42:25.162303886 +0200
@@ -47,7 +47,7 @@
RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
RE_PROFILE_CHANGE_HAT,
RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT,
- RE_PROFILE_SIGNAL, RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT,
+ RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT,
RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
strip_quotes, parse_profile_start_line, re_match_include )
@@ -57,6 +57,7 @@
from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
from apparmor.rule.network import NetworkRuleset, NetworkRule
from apparmor.rule.rlimit import RlimitRuleset, RlimitRule
+from apparmor.rule.signal import SignalRuleset, SignalRule
from apparmor.rule import parse_modifiers, quote_if_needed
from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
@@ -463,11 +464,11 @@
profile['change_profile'] = ChangeProfileRuleset()
profile['network'] = NetworkRuleset()
profile['rlimit'] = RlimitRuleset()
+ profile['signal'] = SignalRuleset()
profile['allow']['path'] = hasher()
profile['allow']['dbus'] = list()
profile['allow']['mount'] = list()
- profile['allow']['signal'] = list()
profile['allow']['ptrace'] = list()
profile['allow']['pivot_root'] = list()
@@ -2919,27 +2921,11 @@
mount_rules.append(mount_rule)
profile_data[profile][hat][allow]['mount'] = mount_rules
- elif RE_PROFILE_SIGNAL.search(line):
- matches = RE_PROFILE_SIGNAL.search(line).groups()
-
+ elif SignalRule.match(line):
if not profile:
raise AppArmorException(_('Syntax Error: Unexpected signal entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
- audit = False
- if matches[0]:
- audit = True
- allow = 'allow'
- if matches[1] and matches[1].strip() == 'deny':
- allow = 'deny'
- signal = matches[2].strip()
-
- signal_rule = parse_signal_rule(signal)
- signal_rule.audit = audit
- signal_rule.deny = (allow == 'deny')
-
- signal_rules = profile_data[profile][hat][allow].get('signal', list())
- signal_rules.append(signal_rule)
- profile_data[profile][hat][allow]['signal'] = signal_rules
+ profile_data[profile][hat]['signal'].add(SignalRule.parse(line))
elif RE_PROFILE_PTRACE.search(line):
matches = RE_PROFILE_PTRACE.search(line).groups()
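Review bot: The new line `profile_data[profile][hat]['signal'].add(SignalRule.parse(line))` indexes `'signal'` directly where the removed code fell back to `.get('signal', list())`, so it relies on every hat dict having been initialised through the updated profile-init hunk earlier in this file; if a hat's dict is built elsewhere without that key, a signal rule in that hat now raises KeyError instead of being stored, which is worth confirming where hats are created (outside this hunk). `SignalRule.match(line)` followed by `SignalRule.parse(line)` presumably runs the rule regex twice per line; that is acceptable in a line-by-line loader, but a short comment such as `# match() only classifies the line; parse() builds the rule and raises AppArmorException on a malformed one` would make the split intentional, assuming parse() does raise for the bad_*.sd cases this commit un-blacklists. The enclosing parse loop starts and ends outside the hunk.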
@@ -3106,10 +3092,6 @@
# XXX Do real parsing here
return aarules.Raw_Mount_Rule(line)
-def parse_signal_rule(line):
- # XXX Do real parsing here
- return aarules.Raw_Signal_Rule(line)
-
def parse_ptrace_rule(line):
# XXX Do real parsing here
return aarules.Raw_Ptrace_Rule(line)
@@ -3312,22 +3294,10 @@
data += write_mount_rules(prof_data, depth, 'allow')
return data
-def write_signal_rules(prof_data, depth, allow):
- pre = ' ' * depth
- data = []
-
- # no signal rules, so return
- if not prof_data[allow].get('signal', False):
- return data
-
- for signal_rule in prof_data[allow]['signal']:
- data.append('%s%s' % (pre, signal_rule.serialize()))
- data.append('')
- return data
-
def write_signal(prof_data, depth):
- data = write_signal_rules(prof_data, depth, 'deny')
- data += write_signal_rules(prof_data, depth, 'allow')
+ data = []
+ if prof_data.get('signal', False):
+ data = prof_data['signal'].get_clean(depth)
return data
def write_ptrace_rules(prof_data, depth, allow):
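Review bot: In `write_signal`, `data = []` is assigned only to be overwritten, and the guard `prof_data.get('signal', False)` now depends on the truth value of a SignalRuleset rather than of a list — if the class defines `__len__`/`__bool__` an empty ruleset skips `get_clean`, otherwise `get_clean` is called on it; presumably both paths yield an empty list, but that is no longer visible from this function. A plain two-line form states the intent: `ruleset = prof_data.get('signal')` / `return ruleset.get_clean(depth) if ruleset else []`. A one-line docstring, e.g. `"""Return the indented signal rule lines for prof_data, or [] when the profile has no signal ruleset."""`, would also help, since the removed `write_signal_rules` carried the only comment.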
=== modified file ./utils/apparmor/rules.py
--- utils/apparmor/rules.py 2014-12-17 00:54:04.150444000 +0100
+++ utils/apparmor/rules.py 2015-10-22 23:39:29.592585653 +0200
@@ -71,9 +71,6 @@
class Raw_Mount_Rule(_Raw_Rule):
pass
-class Raw_Signal_Rule(_Raw_Rule):
- pass
-
class Raw_Ptrace_Rule(_Raw_Rule):
pass
=== modified file ./utils/test/test-parser-simple-tests.py
--- utils/test/test-parser-simple-tests.py 2015-10-20 23:43:11.058010000 +0200
+++ utils/test/test-parser-simple-tests.py 2015-10-23 01:09:18.228609114 +0200
@@ -134,27 +134,7 @@
'ptrace/bad_07.sd',
'ptrace/bad_08.sd',
'ptrace/bad_10.sd',
- 'signal/bad_01.sd',
- 'signal/bad_02.sd',
- 'signal/bad_03.sd',
- 'signal/bad_04.sd',
- 'signal/bad_05.sd',
- 'signal/bad_06.sd',
- 'signal/bad_07.sd',
- 'signal/bad_08.sd',
- 'signal/bad_09.sd',
- 'signal/bad_10.sd',
- 'signal/bad_11.sd',
- 'signal/bad_12.sd',
- 'signal/bad_13.sd',
- 'signal/bad_14.sd',
- 'signal/bad_15.sd',
- 'signal/bad_16.sd',
- 'signal/bad_17.sd',
- 'signal/bad_18.sd',
- 'signal/bad_19.sd',
- 'signal/bad_20.sd',
- 'signal/bad_21.sd',
+ 'signal/bad_21.sd', # invalid regex
'unix/bad_attr_1.sd',
'unix/bad_attr_2.sd',
'unix/bad_attr_3.sd',
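Review bot: The trailing comment on the kept entry `'signal/bad_21.sd', # invalid regex` says what is wrong with the test file but not why it stays on the known-wrong list; since this list holds tests whose result is wrong, the reader has to infer that SignalRule still accepts the rule. Spelling that out, e.g. `'signal/bad_21.sd', # invalid regex, not rejected by SignalRule yet`, records the gap a later commit has to close.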
Regards,
Christian Boltz
--
Wir brauchen ein "postfixbuchconf"-Kommando, damit wir Autor und Version
bestimmen können... ;) [Patrick Ben Koetter in postfixbuch-users]