Hello,

change hat declarations ("^hat,") are no longer supported (see patch 46
for details). Therefore remove support for writing them.

This also means completely removing the 'declared' flag, which was only
needed for hat declarations and (after applying patch 46) was always
set to False.

Also add a hat to the cleanprof_test.{in,out} test profile to make sure
aa-cleanprof doesn't break hats.

(This is "just" a cleanup, so trunk only)


[ 47-remove-support-for-writing-hat-declarations.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-06-07 14:09:36.000405129 +0200
+++ utils/apparmor/aa.py        2015-06-07 14:32:03.483282738 +0200
@@ -108,7 +108,7 @@
 # a) rules (as dict): alias, include, lvar
 # b) rules (as hasher): allow, deny
 # c) one for each rule class
-# d) other: declared, external, flags, name, profile, attachment, 
initial_comment,
+# d) other: external, flags, name, profile, attachment, initial_comment,
 #           profile_keyword, header_comment (these two are currently only set 
by set_profile_flags())
 aa = hasher()  # Profiles originally in sd, replace by aa
 original_aa = hasher()
@@ -1442,7 +1442,6 @@
                                 ynans = aaui.UI_YesNo(_('A profile for %s does 
not exist.\nDo you want to create one?') % exec_target, 'n')
                             if ynans == 'y':
                                 hat = exec_target
-                                aa[profile][hat]['declared'] = False
                                 aa[profile][hat]['profile'] = True
 
                                 if profile != hat:
@@ -3007,7 +3006,6 @@                                                           
                                                                             
             flags = matches.group('flags')                                     
                                                                             
                                                                                
                                                                             
             profile_data[profile][hat]['flags'] = flags                        
                                                                             
-            profile_data[profile][hat]['declared'] = False                     
                                                                             
             #profile_data[profile][hat]['allow']['path'] = hasher()            
                                                                             
             #profile_data[profile][hat]['allow']['netdomain'] = hasher()       
                                                                             
                                                                                
                                                                             
@@ -3473,15 +3471,11 @@
     data += write_rules(profile_data[name], depth + 1)
 
     pre2 = '  ' * (depth + 1)
-    # External hat declarations
-    for hat in list(filter(lambda x: x != name, sorted(profile_data.keys()))):
-        if profile_data[hat].get('declared', False):
-            data.append('%s^%s,' % (pre2, hat))
 
     if not inhat:
         # Embedded hats
         for hat in list(filter(lambda x: x != name, 
sorted(profile_data.keys()))):
-            if not profile_data[hat]['external'] and not 
profile_data[hat]['declared']:
+            if not profile_data[hat]['external']:
                 data.append('')
                 if profile_data[hat]['profile']:
                     data += list(map(str, write_header(profile_data[hat], 
depth + 1, hat, True, write_flags)))
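Review bot: The simplified test `if not profile_data[hat]['external']:` now sits in two near-identical embedded-hat loops, here and in the hunk at -3730, and this patch had to edit both in step. For code that serialises confinement policy, two copies that can drift apart mean the two writers could emit different profiles for the same data; a single helper that yields the embedded hats would keep them aligned. The iteration itself would read more plainly as `for hat in sorted(h for h in profile_data if h != name):`. Both enclosing functions start and end outside the hunks, so whether their bodies allow a shared helper needs checking.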
@@ -3730,7 +3724,7 @@
                     depth = int((len(line) - len(line.lstrip())) / 2)
                     pre2 = '  ' * (depth + 1)
                     for hat in list(filter(lambda x: x != name, 
sorted(profile_data.keys()))):
-                        if not profile_data[hat]['external'] and not 
profile_data[hat]['declared']:
+                        if not profile_data[hat]['external']:
                             data.append('')
                             if profile_data[hat]['profile']:
                                 data += list(map(str, 
write_header(profile_data[hat], depth + 1, hat, True, include_flags)))
@@ -3990,16 +3984,9 @@
                     data.append(line)
 
             elif RE_PROFILE_CHANGE_HAT.search(line):
-                matches = RE_PROFILE_CHANGE_HAT.search(line).groups()
-                hat = matches[0]
-                hat = strip_quotes(hat)
-                if not write_prof_data[hat]['declared']:
-                    correct = False
-                if correct:
-                    data.append(line)
-                else:
-                    #To-Do
-                    pass
+                # "^hat," declarations are no longer supported, ignore them 
and don't write out the line
+                # (parse_profile_data() already prints a warning about that)
+                pass
             elif RE_PROFILE_HAT_DEF.search(line):
                 matches = RE_PROFILE_HAT_DEF.search(line)
                 in_contained_hat = True
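Review bot: The new `pass` branch under `elif RE_PROFILE_CHANGE_HAT.search(line):` drops a line from the profile being rewritten without leaving any trace at this point; it relies on parse_profile_data() having warned earlier, which cannot be confirmed from this hunk. Since the output is a security policy, a rewrite that silently differs from its input should be visible where it happens, and the comment could say so explicitly, e.g. `# intentionally dropped: the written profile will no longer contain this "^hat," line`. The hat added to cleanprof_test.in is an embedded `^foo { ... }` block, so nothing in this patch exercises the drop branch. The enclosing function starts and ends outside the hunk.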
@@ -4009,8 +3996,6 @@
 
                 if not write_prof_data[hat]['flags'] == flags:
                     correct = False
-                if not write_prof_data[hat]['declared'] is False:
-                    correct = False
                 if not write_filelist['profile'][profile][hat]:
                     correct = False
                 if correct:
=== modified file utils/test/cleanprof_test.in
--- utils/test/cleanprof_test.in        2015-05-25 17:30:59.798783638 +0200
+++ utils/test/cleanprof_test.in        2015-06-07 14:45:06.807307887 +0200
@@ -7,6 +7,12 @@
        #Below rule comes from abstractions/base
        allow /usr/share/X11/locale/**  r,
        allow /home/*/** r,
+
+    ^foo {
+            /etc/fstab r,
+        capability dac_override,
+        }
+
        allow /home/foo/bar r,
        allow /home/foo/** w,
 }
=== modified file utils/test/cleanprof_test.out
--- utils/test/cleanprof_test.out       2015-05-25 17:30:59.798783638 +0200
+++ utils/test/cleanprof_test.out       2015-06-07 14:46:15.334296605 +0200
@@ -9,6 +9,13 @@
   /home/*/** r,
   /home/foo/** w,
 
+
+  ^foo {
+    capability dac_override,
+
+    /etc/fstab r,
+
+  }
 }
 /usr/bin/other/cleanprof/test/profile {
   /home/*/** rw,



Regards,

Christian Boltz
-- 
IT is everything that is more complicated than pushing buttons in
the elevator. [from http://www.orkpiraten.de/blog/ugly-kid-jeans]

