Hello, On Fri, Jun 5, 2015 at 6:56 PM, Christian Boltz <[email protected]> wrote:
> Hello, > > this patch changes aa.py to use RlimitRule and RlimitRuleset instead of > a sub-hasher to store and write rlimit rules. In detail: > - drop all rlimit rule parsing from parse_profile_data() and > serialize_profile_from_old_profile() - instead, just call > RlimitRule.parse() > - change write_rlimits() to use RlimitRuleset > - add removal of superfluous/duplicate change_profile rules (the old > code didn't do this) > - update the comment about aa[profile][hat] usage - rlimit and > change_profile are no longer dicts. > > Also cleanup RE_PROFILE_RLIMIT in regex.py - the parenthesis around > '<=' are no longer needed. > > > Note: This patch is quite small because aa-logprof doesn't ask for > rlimit rules. > > I tested all changes manually with aa-cleanprof and aa-logprof (adding > some file rules, rlimit rules kept unchanged) > > > [ 44-use-RlimitRule.diff ] > > Thanks for the patch. Looks fine to me. Acked-by: Kshitij Gupta <[email protected]>. === modified file utils/apparmor/aa.py > --- utils/apparmor/aa.py 2015-06-05 14:07:18.252686648 +0200 > +++ utils/apparmor/aa.py 2015-06-05 14:40:18.998189733 +0200 > @@ -41,7 +41,7 @@ > flatten_mode, owner_flatten_mode) > > from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, > RE_PROFILE_LINK, > - RE_PROFILE_ALIAS, RE_PROFILE_RLIMIT, > + RE_PROFILE_ALIAS, > RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, > RE_PROFILE_CONDITIONAL, > RE_PROFILE_CONDITIONAL_VARIABLE, > RE_PROFILE_CONDITIONAL_BOOLEAN, > RE_PROFILE_BARE_FILE_ENTRY, > RE_PROFILE_PATH_ENTRY, > @@ -56,6 +56,7 @@ > from apparmor.rule.capability import CapabilityRuleset, CapabilityRule > from apparmor.rule.change_profile import ChangeProfileRuleset, > ChangeProfileRule > from apparmor.rule.network import NetworkRuleset, NetworkRule > +from apparmor.rule.rlimit import RlimitRuleset, RlimitRule > from apparmor.rule import parse_modifiers, quote_if_needed > > from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast > @@ -104,7 +105,7 @@ > transitions = hasher() > > # keys used in aa[profile][hat]: > -# a) rules (as dict): alias, change_profile, include, lvar, rlimit > +# a) rules (as dict): alias, include, lvar > # b) rules (as hasher): allow, deny > # c) one for each rule class > # d) other: declared, external, flags, name, profile, attachment, > initial_comment, > @@ -2069,6 +2070,7 @@ > deleted += > profile['network'].delete_duplicates(include[incname][incname]['network']) > deleted += > profile['capability'].delete_duplicates(include[incname][incname]['capability']) > deleted += > profile['change_profile'].delete_duplicates(include[incname][incname]['change_profile']) > + deleted += > profile['rlimit'].delete_duplicates(include[incname][incname]['rlimit']) > > deleted += delete_path_duplicates(profile, incname, 'allow') > deleted += delete_path_duplicates(profile, incname, 'deny') > @@ -2077,6 +2079,7 @@ > deleted += > profile['network'].delete_duplicates(filelist[incname][incname]['network']) > deleted += > profile['capability'].delete_duplicates(filelist[incname][incname]['capability']) > deleted += > profile['change_profile'].delete_duplicates(filelist[incname][incname]['change_profile']) > + deleted += > profile['rlimit'].delete_duplicates(filelist[incname][incname]['rlimit']) > > deleted += delete_path_duplicates(profile, incname, 'allow') > deleted += delete_path_duplicates(profile, incname, 'deny') > @@ -2597,6 +2600,7 @@ > > profile_data[profile][hat]['network'] = NetworkRuleset() > profile_data[profile][hat]['change_profile'] = > ChangeProfileRuleset() > + profile_data[profile][hat]['rlimit'] = RlimitRuleset() > profile_data[profile][hat]['allow']['path'] = hasher() > profile_data[profile][hat]['allow']['dbus'] = list() > profile_data[profile][hat]['allow']['mount'] = list() > @@ -2688,16 +2692,15 @@ > filelist[file] = hasher() > filelist[file]['alias'][from_name] = to_name > > - elif RE_PROFILE_RLIMIT.search(line): > - matches = RE_PROFILE_RLIMIT.search(line).groups() > - > + elif RlimitRule.match(line): > if not profile: > raise AppArmorException(_('Syntax Error: Unexpected > rlimit entry found in file: %(file)s line: %(line)s') % { 'file': file, > 'line': lineno + 1 }) > > - from_name = matches[0] > - to_name = matches[2] > + # init rule class (if not done yet) > + if not profile_data[profile][hat].get('rlimit', False): > + profile_data[profile][hat]['rlimit'] = RlimitRuleset() > > - profile_data[profile][hat]['rlimit'][from_name] = to_name > + > profile_data[profile][hat]['rlimit'].add(RlimitRule.parse(line)) > > elif RE_PROFILE_BOOLEAN.search(line): > matches = RE_PROFILE_BOOLEAN.search(line) > @@ -3227,7 +3230,10 @@ > return write_pair(prof_data, depth, '', 'alias', 'alias ', ' -> ', > ',', quote_if_needed) > > def write_rlimits(prof_data, depth): > - return write_pair(prof_data, depth, '', 'rlimit', 'set rlimit ', ' <= > ', ',', quote_if_needed) > + data = [] > + if prof_data.get('rlimit', False): > + data = prof_data['rlimit'].get_clean(depth) > + return data > > def var_transform(ref): > data = [] > @@ -3831,20 +3837,14 @@ > #To-Do > pass > > - elif RE_PROFILE_RLIMIT.search(line): > - matches = RE_PROFILE_RLIMIT.search(line).groups() > + elif RlimitRule.match(line): > + rlimit_obj = RlimitRule.parse(line) > > - from_name = matches[0] > - to_name = matches[2] > - > - if not write_prof_data[hat]['rlimit'][from_name] == > to_name: > - correct = False > - > - if correct: > + if write_prof_data[hat]['rlimit'].is_covered(rlimit_obj, > True, True): > if not segments['rlimit'] and True in > segments.values(): > data += > write_prior_segments(write_prof_data[name], segments, line) > segments['rlimit'] = True > - write_prof_data[hat]['rlimit'].pop(from_name) > + write_prof_data[hat]['rlimit'].delete(rlimit_obj) > data.append(line) > else: > #To-Do > === modified file utils/apparmor/regex.py > --- utils/apparmor/regex.py 2015-06-05 15:11:41.644540358 +0200 > +++ utils/apparmor/regex.py 2015-06-05 15:18:22.489599340 +0200 > @@ -33,7 +33,7 @@ > RE_PROFILE_CAP = re.compile(RE_AUDIT_DENY + > 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL) > RE_PROFILE_LINK = re.compile(RE_AUDIT_DENY + > 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' + > RE_COMMA_EOL) > RE_PROFILE_ALIAS = > re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL) > -RE_PROFILE_RLIMIT = > re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*(<=)\s*(?P<value>[^ > ]+)' + RE_COMMA_EOL) > +RE_PROFILE_RLIMIT = > re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*<=\s*(?P<value>[^ ]+)' > + RE_COMMA_EOL) > RE_PROFILE_BOOLEAN = > re.compile('^\s*(\$\{?\w*\}?)\s*=\s*(true|false)\s*,?' + RE_EOL, > flags=re.IGNORECASE) > RE_PROFILE_VARIABLE = > re.compile('^\s*(@\{?\w+\}?)\s*(\+?=)\s*(@*.+?)\s*,?' + RE_EOL) > RE_PROFILE_CONDITIONAL = > re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL) > > > Regards, > > Christian Boltz > -- > [von KDE 3.0.0 auf 3.0.1 updaten] > > Wenn KDE 3.0.0 noch immer startet wurde 3.0.1 nicht richtig > > installiert würde ich mal behaupten :) > newer version, bla bla. Aber eben nicht bei "base" > naja. Ich habe nun gemerkt, daß es garnicht installiert wurde. [...] > Ich DAKU (dümmster anzunehmender KDE Updater) > [> Matthias Hentges und Stefan Onken in suse-linux] > > > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor > -- Regards, Kshitij Gupta
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
