Hi,

On Fri, Sep 26, 2014 at 10:00:33PM +0200, Christian Boltz wrote:
> this patch converts RE_PROFILE_CAP in aa.py and the code using it to
> named match groups.
>
> (capability is one of the easiest rule types, so it's good as a start.)
>
> The patch also adds basic support for rules containing more than one
> capability, like
> capability chown dac_override,
> Note that this is just a pass-through mode (instead of complaining about
> an invalid line). aa-logprof will happily add another "capability chown"
> if it hits a log entry for it. (But: we never got a bugreport about not
> supporting multi-capability lines, so I guess they are rarely used ;-)
>
> I also added a parse_audit_allow() function to handle the audit and
> allow/deny keywords. They are used in most rule types, which means we
> can get rid of some duplicated code with this function.
>
>
> Finally, update utils/test/test-regex_matches.py - RE_PROFILE_CAP now
> has 5 instead of 4 match groups because of the added multi-capability
> support.
>
> While on it, I also improved the error message in setup_regex_tests()
> to also show the rule that causes a problem.
>
>
> Feel free to comment about named match groups and the other changes
> introduced with this patch in general. Capability is the "prototype",
> similar patches for other rule types will follow sooner or later.
> (I won't complain if someone "grabs" one of the rule types so that I
> don't have to do everything ;-)

Given how complex the regular expressions we use are, named match groups
I think are a needed improvement, which is my way of saying that I like
the direction.
I'm assuming the patch was pasted into KMail, as it had some problems
applying locally due to a mis-formatting error:
> RE_PROFILE_ALIAS =
> re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
> @@ -2747,22 +2759,18 @@
Also,
> @@ -3216,6 +3224,21 @@
>
> return profile_data
>
> +def parse_audit_allow(matches):
> + audit = False
> + if matches.group('audit'):
> + audit = True
> +
> + allow = 'allow'
> + allow_keyword = False
> + if matches.group('allow'):
> + allow = matches.group('allow').strip()
> + allow_keyword = True
> + if allow != 'allow' and allow != 'deny': # should never happen
> + raise AppArmorException(_("Invalid allow/deny keyword %s" %
> allow))
> +
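Review bot: In parse_audit_allow(), the raise line applies the % interpolation inside the _() call (`_("Invalid allow/deny keyword %s" % allow)`), so gettext is asked to look up the already-formatted string and will not find a catalog entry for it. Move the operand outside the call: `_("Invalid allow/deny keyword %s") % allow`. A short docstring stating that the match object must provide the named groups 'audit' and 'allow' would also help, since the function is meant to be reused by other rule types.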
I'm unclear if the extraneous whitespace (there's 4 spaces in the blank
line above) was due to KMail, or exists in your local modifications,
but if it's the latter, please remove it when committing. Which is
probably a funny way of saying Acked-by: Steve Beattie <[email protected]>.
Thanks!
--
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
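
An added example, not part of this thread and not AppArmor's code: a simplified, constructed capability-rule pattern with named match groups, showing how the optional audit and allow/deny keywords and a multi-capability list can be read by name. `RE_CAP` and `parse_cap_rule` are hypothetical names, and the pattern is an assumption, not the project's RE_PROFILE_CAP.

```python
import re

# Simplified, constructed pattern for illustration; not AppArmor's RE_PROFILE_CAP.
RE_CAP = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?'
    r'capability(?P<capability>(?:\s+[a-z_]+)+)?\s*,\s*(?P<comment>#.*)?$'
)


def parse_cap_rule(line):
    """Parse one capability rule line into audit/deny flags and capability names."""
    m = RE_CAP.match(line)
    if m is None:
        raise ValueError("not a capability rule: %r" % line)
    # Optional groups that did not take part in the match come back as None.
    audit = m.group('audit') is not None
    allow = (m.group('allow') or 'allow').strip()
    # One rule may list several capabilities; an empty list is a bare "capability,".
    caps = (m.group('capability') or '').split()
    return {'audit': audit, 'deny': allow == 'deny', 'capabilities': caps}


if __name__ == '__main__':
    # Constructed sample rules, not taken from a real profile.
    for rule in ('capability sys_admin,',
                 '  audit deny capability chown dac_override, # constructed',
                 'capability,'):
        print(rule.strip(), '->', parse_cap_rule(rule))
```

Because the groups are read by name, adding or reordering groups in the pattern does not silently swap the allow/deny field with another one, which is the failure mode positional indexes invite.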
