[apparmor] [patch] [35/38] Drop old path code from aa.py and aa-mergeprof
Christian Boltz
apparmor at cboltz.de
Fri Aug 12 21:06:58 UTC 2016
Hello,
$subject ;-)
[ 35-drop-old-path-code.diff ]
=== modified file ./utils/aa-mergeprof
--- utils/aa-mergeprof 2016-05-26 23:58:03.998344576 +0200
+++ utils/aa-mergeprof 2016-05-27 00:30:32.209199179 +0200
@@ -14,7 +14,6 @@
#
# ----------------------------------------------------------------------
import argparse
-import re
import os
import apparmor.aa
@@ -321,322 +321,6 @@ class Merge(object):
elif ans == 'CMD_FINISHED':
return
- # Process all the path entries.
- for allow in ['allow', 'deny']:
- if False: # XXX
- #for path in sorted(other.aa[profile][hat][allow]['path'].keys()):
- path = None # XXX needed to keep 'make check' happy
- #print(path, other.aa[profile][hat][allow]['path'][path])
- mode = other.aa[profile][hat][allow]['path'][path]['mode']
-
- if aa[profile][hat][allow]['path'].get(path, False):
- mode = self.conflict_mode(profile, hat, allow, path, 'mode', other.aa[profile][hat][allow]['path'][path]['mode'], aa[profile][hat][allow]['path'][path]['mode'])
- self.conflict_mode(profile, hat, allow, path, 'audit', other.aa[profile][hat][allow]['path'][path]['audit'], aa[profile][hat][allow]['path'][path]['audit'])
- changed[profile] = True
- continue
- # Lookup modes from profile
- allow_mode = set()
- allow_audit = set()
- deny_mode = set()
- deny_audit = set()
-
- fmode, famode, fm = apparmor.aa.rematchfrag(aa[profile][hat], 'allow', path)
- if fmode:
- allow_mode |= fmode
- if famode:
- allow_audit |= famode
-
- cm, cam, m = apparmor.aa.rematchfrag(aa[profile][hat], 'deny', path)
- if cm:
- deny_mode |= cm
- if cam:
- deny_audit |= cam
-
- imode, iamode, im = apparmor.aa.match_prof_incs_to_path(aa[profile][hat], 'allow', path)
- if imode:
- allow_mode |= imode
- if iamode:
- allow_audit |= iamode
-
- cm, cam, m = apparmor.aa.match_prof_incs_to_path(aa[profile][hat], 'deny', path)
- if cm:
- deny_mode |= cm
- if cam:
- deny_audit |= cam
-
- if deny_mode & apparmor.aamode.AA_MAY_EXEC:
- deny_mode |= apparmor.aamode.ALL_AA_EXEC_TYPE
-
- # Mask off the denied modes
- mode = mode - deny_mode
-
- # If we get an exec request from some kindof event that generates 'PERMITTING X'
- # check if its already in allow_mode
- # if not add ix permission
- if mode & apparmor.aamode.AA_MAY_EXEC:
- # Remove all type access permission
- mode = mode - apparmor.aamode.ALL_AA_EXEC_TYPE
- if not allow_mode & apparmor.aamode.AA_MAY_EXEC:
- mode |= apparmor.aa.str_to_mode('ix')
-
- if not mode:
- continue
-
- matches = []
-
- if fmode:
- matches += fm
-
- if imode:
- matches += im
-
- if not apparmor.aa.mode_contains(allow_mode, mode):
- default_option = 1
- options = []
- newincludes = []
- include_valid = False
-
- for incname in apparmor.aa.include.keys():
- include_valid = False
- # If already present skip
- if aa[profile][hat][incname]:
- continue
- if incname.startswith(apparmor.aa.profile_dir):
- incname = incname.replace(apparmor.aa.profile_dir+'/', '', 1)
-
- include_valid = apparmor.aa.valid_include('', incname)
-
- if not include_valid:
- continue
-
- cm, am, m = apparmor.aa.match_include_to_path(incname, 'allow', path)
-
- if cm and apparmor.aa.mode_contains(cm, mode):
- dm = apparmor.aa.match_include_to_path(incname, 'deny', path)[0]
- # If the mode is denied
- if not mode & dm:
- if not list(filter(lambda s: '/**' == s, m)):
- newincludes.append(incname)
- # Add new includes to the options
- if newincludes:
- options += list(map(lambda s: '#include <%s>' % s, sorted(set(newincludes))))
- # We should have literal the path in options list too
- options.append(path)
- # Add any the globs matching path from logprof
- globs = apparmor.aa.glob_common(path)
- if globs:
- matches += globs
- # Add any user entered matching globs
- for user_glob in apparmor.aa.user_globs:
- if apparmor.aa.matchliteral(user_glob, path):
- matches.append(user_glob)
-
- matches = list(set(matches))
- if path in matches:
- matches.remove(path)
-
- options += apparmor.aa.order_globs(matches, path)
- default_option = len(options)
-
- sev_db.unload_variables()
- sev_db.load_variables(apparmor.aa.get_profile_filename(profile))
- severity = sev_db.rank(path, apparmor.aa.mode_to_str(mode))
- sev_db.unload_variables()
-
- audit_toggle = 0
- owner_toggle = 0
- if apparmor.aa.cfg['settings']['default_owner_prompt']:
- owner_toggle = apparmor.aa.cfg['settings']['default_owner_prompt']
- done = False
- while not done:
- q = aaui.PromptQuestion()
- q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat),
- _('Path'), path]
-
- if allow_mode:
- mode |= allow_mode
- tail = ''
- s = ''
- prompt_mode = None
- if owner_toggle == 0:
- prompt_mode = apparmor.aa.flatten_mode(mode)
- tail = ' ' + _('(owner permissions off)')
- elif owner_toggle == 1:
- prompt_mode = mode
- elif owner_toggle == 2:
- prompt_mode = allow_mode | apparmor.aa.owner_flatten_mode(mode - allow_mode)
- tail = ' ' + _('(force new perms to owner)')
- else:
- prompt_mode = apparmor.aa.owner_flatten_mode(mode)
- tail = ' ' + _('(force all rule perms to owner)')
-
- if audit_toggle == 1:
- s = apparmor.aa.mode_to_str_user(allow_mode)
- if allow_mode:
- s += ', '
- s += 'audit ' + apparmor.aa.mode_to_str_user(prompt_mode - allow_mode) + tail
- elif audit_toggle == 2:
- s = 'audit ' + apparmor.aa.mode_to_str_user(prompt_mode) + tail
- else:
- s = apparmor.aa.mode_to_str_user(prompt_mode) + tail
-
- q.headers += [_('Old Mode'), apparmor.aa.mode_to_str_user(allow_mode),
- _('New Mode'), s]
-
- else:
- s = ''
- tail = ''
- prompt_mode = None
- if audit_toggle:
- s = 'audit'
- if owner_toggle == 0:
- prompt_mode = apparmor.aa.flatten_mode(mode)
- tail = ' ' + _('(owner permissions off)')
- elif owner_toggle == 1:
- prompt_mode = mode
- else:
- prompt_mode = apparmor.aa.owner_flatten_mode(mode)
- tail = ' ' + _('(force perms to owner)')
-
- s = apparmor.aa.mode_to_str_user(prompt_mode)
- q.headers += [_('Mode'), s]
-
- q.headers += [_('Severity'), severity]
- q.options = options
- q.selected = default_option - 1
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB',
- 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT',
- 'CMD_FINISHED', 'CMD_OTHER']
-
- q.default = 'CMD_ALLOW'
-
-
- ans, selected = q.promptUser()
-
- if ans == 'CMD_IGNORE_ENTRY':
- done = True
- break
-
- elif ans == 'CMD_FINISHED':
- return
-
- if ans == 'CMD_OTHER':
- aaui.UI_Important("Sorry, not implemented yet!")
- # audit_toggle, owner_toggle = aaui.UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode)
-# crashes with
-# audit_toggle, owner_toggle = aaui.UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode)
-# AttributeError: 'module' object has no attribute 'UI_ask_mode_toggles'
- elif ans == 'CMD_USER_TOGGLE':
- owner_toggle += 1
- if not allow_mode and owner_toggle == 2:
- owner_toggle += 1
- if owner_toggle > 3:
- owner_toggle = 0
- elif ans == 'CMD_ALLOW':
- path = options[selected]
- done = True
- match = re_match_include(path)
- if match:
- inc = match
- deleted = apparmor.aa.delete_duplicates(aa[profile][hat], inc)
- aa[profile][hat]['include'][inc] = True
- changed[profile] = True
- aaui.UI_Info(_('Adding %s to profile.') % path)
- if deleted:
- aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
-
- else:
- if aa[profile][hat]['allow']['path'][path].get('mode', False):
- mode |= aa[profile][hat]['allow']['path'][path]['mode']
- deleted = []
- for entry in aa[profile][hat]['allow']['path'].keys():
- if path == entry:
- continue
-
- if apparmor.aa.matchregexp(path, entry):
- if apparmor.aa.mode_contains(mode, aa[profile][hat]['allow']['path'][entry]['mode']):
- deleted.append(entry)
- for entry in deleted:
- aa[profile][hat]['allow']['path'].pop(entry)
- deleted = len(deleted)
-
- if owner_toggle == 0:
- mode = apparmor.aa.flatten_mode(mode)
- #elif owner_toggle == 1:
- # mode = mode
- elif owner_toggle == 2:
- mode = allow_mode | apparmor.aa.owner_flatten_mode(mode - allow_mode)
- elif owner_toggle == 3:
- mode = apparmor.aa.owner_flatten_mode(mode)
-
- if not aa[profile][hat]['allow'].get(path, False):
- aa[profile][hat]['allow']['path'][path]['mode'] = aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode
-
-
- tmpmode = set()
- if audit_toggle == 1:
- tmpmode = mode - allow_mode
- elif audit_toggle == 2:
- tmpmode = mode
-
- aa[profile][hat]['allow']['path'][path]['audit'] = aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode
-
- changed[profile] = True
-
- aaui.UI_Info(_('Adding %(path)s %(mode)s to profile') % { 'path': path, 'mode': apparmor.aa.mode_to_str_user(mode) })
- if deleted:
- aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
-
- elif ans == 'CMD_DENY':
- path = options[selected].strip()
- # Add new entry?
- aa[profile][hat]['deny']['path'][path]['mode'] = aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode)
-
- aa[profile][hat]['deny']['path'][path]['audit'] = aa[profile][hat]['deny']['path'][path].get('audit', set())
-
- changed[profile] = True
-
- done = True
-
- elif ans == 'CMD_NEW':
- arg = options[selected]
- if not re_match_include(arg):
- ans = aaui.UI_GetString(_('Enter new path: '), arg)
-# if ans:
-# if not matchliteral(ans, path):
-# ynprompt = _('The specified path does not match this log entry:\n\n Log Entry: %s\n Entered Path: %s\nDo you really want to use this path?') % (path,ans)
-# key = aaui.UI_YesNo(ynprompt, 'n')
-# if key == 'n':
-# continue
- apparmor.aa.user_globs.append(ans)
- options.append(ans)
- default_option = len(options)
-
- elif ans == 'CMD_GLOB':
- newpath = options[selected].strip()
- if not re_match_include(newpath):
- newpath = apparmor.aa.glob_path(newpath)
-
- if newpath not in options:
- options.append(newpath)
- default_option = len(options)
- else:
- default_option = options.index(newpath) + 1
-
- elif ans == 'CMD_GLOBEXT':
- newpath = options[selected].strip()
- if not re_match_include(newpath):
- newpath = apparmor.aa.glob_path_withext(newpath)
-
- if newpath not in options:
- options.append(newpath)
- default_option = len(options)
- else:
- default_option = options.index(newpath) + 1
-
- elif re.search('\d', ans):
- default_option = ans
-
# check for and ask about conflicting exec modes
self.ask_conflict_mode(profile, hat, aa[profile][hat], other.aa[profile][hat])
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2016-05-26 23:58:04.002344556 +0200
+++ utils/apparmor/aa.py 2016-05-27 00:39:46.450318248 +0200
@@ -38,9 +38,7 @@
import apparmor.ui as aaui
-from apparmor.aamode import (str_to_mode, mode_to_str,
- mode_to_str_user, mode_contains, split_mode,
- flatten_mode, owner_flatten_mode)
+from apparmor.aamode import str_to_mode, mode_contains, split_mode
from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
RE_PROFILE_ALIAS,
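Review bot: Trimming the `from apparmor.aamode import` line to `str_to_mode, mode_contains, split_mode` also removes `mode_to_str`, `mode_to_str_user`, `flatten_mode` and `owner_flatten_mode` from the `apparmor.aa` namespace, and other modules have been reaching them that way rather than via `apparmor.aamode` — the aa-mergeprof block deleted in this same patch calls `apparmor.aa.mode_to_str_user(...)`, `apparmor.aa.flatten_mode(...)` and `apparmor.aa.owner_flatten_mode(...)`. Any such use left in a file not touched here would fail only at runtime with an AttributeError, not at import time, so `make check`/pyflakes will presumably not catch it; a grep for `aa.mode_to_str`, `aa.flatten_mode` and `aa.owner_flatten_mode` across utils/ and the test suite before landing would close that gap. The same check applies, with less risk, to the `import re` removal in the first aa-mergeprof hunk, whose only visible use is the `re.search('\d', ans)` at the end of the removed block; any other use of `re` in that file lies outside this diff. A one-line comment on the import, e.g. `# only the names used by this module; import other aamode helpers from apparmor.aamode directly`, would make the intent explicit for future callers.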
@@ -1718,303 +1718,5 @@
return new_options
-
-def ask_the_questions_OLD_FILE_CODE(): # XXX unused
- global seen_events
- # Process all the path entries.
- for path in sorted(log_dict[aamode][profile][hat]['allow']['path'].keys()):
- mode = log_dict[aamode][profile][hat]['allow']['path'][path]
- # Lookup modes from profile
- allow_mode = set()
- allow_audit = set()
- deny_mode = set()
- deny_audit = set()
-
- fmode, famode, fm = rematchfrag(aa[profile][hat], 'allow', path)
- if fmode:
- allow_mode |= fmode
- if famode:
- allow_audit |= famode
-
- cm, cam, m = rematchfrag(aa[profile][hat], 'deny', path)
- if cm:
- deny_mode |= cm
- if cam:
- deny_audit |= cam
-
- imode, iamode, im = match_prof_incs_to_path(aa[profile][hat], 'allow', path)
- if imode:
- allow_mode |= imode
- if iamode:
- allow_audit |= iamode
-
- cm, cam, m = match_prof_incs_to_path(aa[profile][hat], 'deny', path)
- if cm:
- deny_mode |= cm
- if cam:
- deny_audit |= cam
-
- if deny_mode & apparmor.aamode.AA_MAY_EXEC:
- deny_mode |= apparmor.aamode.ALL_AA_EXEC_TYPE
-
- # Mask off the denied modes
- mode = mode - deny_mode
-
- # If we get an exec request from some kindof event that generates 'PERMITTING X'
- # check if its already in allow_mode
- # if not add ix permission
- if mode & apparmor.aamode.AA_MAY_EXEC:
- # Remove all type access permission
- mode = mode - apparmor.aamode.ALL_AA_EXEC_TYPE
- if not allow_mode & apparmor.aamode.AA_MAY_EXEC:
- mode |= str_to_mode('ix')
-
- if not mode:
- continue
-
- matches = []
-
- if fmode:
- matches += fm
-
- if imode:
- matches += im
-
- if not mode_contains(allow_mode, mode):
- default_option = 1
- options = []
- newincludes = []
- include_valid = False
-
- for incname in include.keys():
- include_valid = False
- # If already present skip
- if aa[profile][hat]['include'].get(incname, False):
- continue
- if incname.startswith(profile_dir):
- incname = incname.replace(profile_dir + '/', '', 1)
-
- include_valid = valid_include('', incname)
-
- if not include_valid:
- continue
-
- cm, am, m = match_include_to_path(incname, 'allow', path)
-
- if cm and mode_contains(cm, mode):
- dm = match_include_to_path(incname, 'deny', path)[0]
- # If the mode is denied
- if not mode & dm:
- if not list(filter(lambda s: '/**' == s, m)):
- newincludes.append(incname)
- # Add new includes to the options
- if newincludes:
- options += list(map(lambda s: '#include <%s>' % s, sorted(set(newincludes))))
- # We should have literal the path in options list too
- options.append(path)
- # Add any the globs matching path from logprof
- globs = glob_common(path)
- if globs:
- matches += globs
- # Add any user entered matching globs
- for user_glob in user_globs:
- if matchliteral(user_glob, path):
- matches.append(user_glob)
-
- matches = list(set(matches))
- if path in matches:
- matches.remove(path)
-
- options += order_globs(matches, path)
- default_option = len(options)
-
- sev_db.unload_variables()
- sev_db.load_variables(get_profile_filename(profile))
- severity = sev_db.rank(path, mode_to_str(mode))
- sev_db.unload_variables()
-
- audit_toggle = 0
- owner_toggle = 0
- if cfg['settings']['default_owner_prompt']:
- owner_toggle = cfg['settings']['default_owner_prompt']
- done = False
- while not done:
- q = aaui.PromptQuestion()
- q.headers = [_('Profile'), combine_name(profile, hat),
- _('Path'), path]
-
- if allow_mode:
- mode |= allow_mode
- tail = ''
- s = ''
- prompt_mode = None
- if owner_toggle == 0:
- prompt_mode = flatten_mode(mode)
- tail = ' ' + _('(owner permissions off)')
- elif owner_toggle == 1:
- prompt_mode = mode
- elif owner_toggle == 2:
- prompt_mode = allow_mode | owner_flatten_mode(mode - allow_mode)
- tail = ' ' + _('(force new perms to owner)')
- else:
- prompt_mode = owner_flatten_mode(mode)
- tail = ' ' + _('(force all rule perms to owner)')
-
- if audit_toggle == 1:
- s = mode_to_str_user(allow_mode)
- if allow_mode:
- s += ', '
- s += 'audit ' + mode_to_str_user(prompt_mode - allow_mode) + tail
- elif audit_toggle == 2:
- s = 'audit ' + mode_to_str_user(prompt_mode) + tail
- else:
- s = mode_to_str_user(prompt_mode) + tail
-
- q.headers += [_('Old Mode'), mode_to_str_user(allow_mode),
- _('New Mode'), s]
-
- else:
- s = ''
- tail = ''
- prompt_mode = None
- if audit_toggle:
- s = 'audit'
- if owner_toggle == 0:
- prompt_mode = flatten_mode(mode)
- tail = ' ' + _('(owner permissions off)')
- elif owner_toggle == 1:
- prompt_mode = mode
- else:
- prompt_mode = owner_flatten_mode(mode)
- tail = ' ' + _('(force perms to owner)')
-
- s = mode_to_str_user(prompt_mode)
- q.headers += [_('Mode'), s]
-
- q.headers += [_('Severity'), severity]
- q.options = options
- q.selected = default_option - 1
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB',
- 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT',
- 'CMD_FINISHED', 'CMD_OTHER']
- q.default = 'CMD_DENY'
- if aamode == 'PERMITTING':
- q.default = 'CMD_ALLOW'
-
- seen_events += 1
-
- ans, selected = q.promptUser()
-
- if ans == 'CMD_FINISHED':
- save_profiles()
- return
-
- if ans == 'CMD_IGNORE_ENTRY':
- done = True
- break
-
- if ans == 'CMD_OTHER':
- audit_toggle, owner_toggle = UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode)
- elif ans == 'CMD_USER_TOGGLE':
- owner_toggle += 1
- if not allow_mode and owner_toggle == 2:
- owner_toggle += 1
- if owner_toggle > 3:
- owner_toggle = 0
- elif ans == 'CMD_ALLOW':
- path = options[selected]
- done = True
- match = re_match_include(path) # .search('^#include\s+<(.+)>$', path)
- if match:
- inc = match # .groups()[0]
- deleted = 0
- deleted = delete_duplicates(aa[profile][hat], inc)
- aa[profile][hat]['include'][inc] = True
- changed[profile] = True
- aaui.UI_Info(_('Adding %s to profile.') % path)
- if deleted:
- aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
-
- else:
- if path in aa[profile][hat]['allow']['path']:
- if aa[profile][hat]['allow']['path'][path].get('mode', False):
- mode |= aa[profile][hat]['allow']['path'][path]['mode']
- deleted = []
- for entry in aa[profile][hat]['allow']['path'].keys():
- if path == entry:
- continue
-
- if matchregexp(path, entry):
- if mode_contains(mode, aa[profile][hat]['allow']['path'][entry]['mode']):
- deleted.append(entry)
- for entry in deleted:
- aa[profile][hat]['allow']['path'].pop(entry)
- deleted = len(deleted)
-
- if owner_toggle == 0:
- mode = flatten_mode(mode)
- #elif owner_toggle == 1:
- # mode = mode
- elif owner_toggle == 2:
- mode = allow_mode | owner_flatten_mode(mode - allow_mode)
- elif owner_toggle == 3:
- mode = owner_flatten_mode(mode)
-
- aa[profile][hat]['allow']['path'][path]['mode'] = aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode
-
- tmpmode = set()
- if audit_toggle == 1:
- tmpmode = mode - allow_mode
- elif audit_toggle == 2:
- tmpmode = mode
-
- aa[profile][hat]['allow']['path'][path]['audit'] = aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode
-
- changed[profile] = True
-
- aaui.UI_Info(_('Adding %(path)s %(mode)s to profile') % { 'path': path, 'mode': mode_to_str_user(mode) })
- if deleted:
- aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
-
- elif ans == 'CMD_DENY':
- path = options[selected].strip()
- # Add new entry?
- aa[profile][hat]['deny']['path'][path]['mode'] = aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode)
-
- aa[profile][hat]['deny']['path'][path]['audit'] = aa[profile][hat]['deny']['path'][path].get('audit', set())
-
- changed[profile] = True
-
- done = True
-
- elif ans == 'CMD_NEW':
- arg = options[selected]
- if not re_match_include(arg):
- ans = aaui.UI_GetString(_('Enter new path: '), arg)
- if ans:
- if not matchliteral(ans, path):
- ynprompt = _('The specified path does not match this log entry:\n\n Log Entry: %(path)s\n Entered Path: %(ans)s\nDo you really want to use this path?') % { 'path': path, 'ans': ans }
- key = aaui.UI_YesNo(ynprompt, 'n')
- if key == 'n':
- continue
-
- user_globs.append(ans)
- options, default_option = add_to_options(options, ans)
-
- elif ans == 'CMD_GLOB':
- newpath = options[selected].strip()
- if not re_match_include(newpath):
- newpath = glob_path(newpath)
- options, default_option = add_to_options(options, newpath)
-
- elif ans == 'CMD_GLOBEXT':
- newpath = options[selected].strip()
- if not re_match_include(newpath):
- newpath = glob_path_withext(newpath)
- options, default_option = add_to_options(options, newpath)
-
- elif re.search('\d', ans):
- default_option = ans
-
def available_buttons(rule_obj):
buttons = []
Regards,
Christian Boltz
--
> cat /inhalt/der/mail | mail -s "mein subject" [...]
Ist der Useless Use of Cat Award diese Woche schon vergeben? ;-)
[> Andreas Feile und Martin Schmitz in suse-linux]