Accidentally hit reply instead of reply all. Let's see if this goes through.
On Thu, Nov 19, 2015 at 3:50 AM, Kshitij Gupta <[email protected]> wrote: > > > On Fri, Oct 23, 2015 at 6:51 PM, Christian Boltz <[email protected]> > wrote: > >> Hello, >> >> this patch changes aa.py to use SignalRule and SignalRuleset. >> >> This means: >> - import the classes instead of RE_PROFILE_SIGNAL >> - simplify signal rule parsing a lot >> - drop the (now unused) functions parse_signal_rule() and >> write_signal_rules() >> - change write_signal() to use the SignalRuleset class >> >> Also drop the now unused Raw_Signal_Rule from rules.py. >> >> Finally, drop most parser signal tests from the "known wrong results" >> blacklist in test-parser-simple-tests.py because those tests succeed >> with SignalRule. >> >> >> [ 09-use-SignalRule.diff ] >> >> === modified file ./utils/apparmor/aa.py >> --- utils/apparmor/aa.py 2015-10-21 22:36:34.763596559 +0200 >> +++ utils/apparmor/aa.py 2015-10-22 23:42:25.162303886 +0200 >> @@ -47,7 +47,7 @@ >> RE_PROFILE_BARE_FILE_ENTRY, >> RE_PROFILE_PATH_ENTRY, >> RE_PROFILE_CHANGE_HAT, >> RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, >> RE_PROFILE_MOUNT, >> - RE_PROFILE_SIGNAL, RE_PROFILE_PTRACE, >> RE_PROFILE_PIVOT_ROOT, >> + RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT, >> RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, >> RE_HAS_COMMENT_SPLIT, >> strip_quotes, parse_profile_start_line, >> re_match_include ) >> >> @@ -57,6 +57,7 @@ >> from apparmor.rule.change_profile import ChangeProfileRuleset, >> ChangeProfileRule >> from apparmor.rule.network import NetworkRuleset, NetworkRule >> from apparmor.rule.rlimit import RlimitRuleset, RlimitRule >> +from apparmor.rule.signal import SignalRuleset, SignalRule >> from apparmor.rule import parse_modifiers, quote_if_needed >> >> from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast 
>> @@ -463,11 +464,11 @@
>> profile['change_profile'] = ChangeProfileRuleset()
>> profile['network'] = NetworkRuleset()
>> profile['rlimit'] = RlimitRuleset()
>> + profile['signal'] = SignalRuleset()
>>
>> profile['allow']['path'] = hasher()
>> profile['allow']['dbus'] = list()
>> profile['allow']['mount'] = list()
>> - profile['allow']['signal'] = list()
>> profile['allow']['ptrace'] = list()
>> profile['allow']['pivot_root'] = list()
>>
>> @@ -2919,27 +2921,11 @@
>> mount_rules.append(mount_rule)
>> profile_data[profile][hat][allow]['mount'] = mount_rules
>>
>> - elif RE_PROFILE_SIGNAL.search(line):
>> - matches = RE_PROFILE_SIGNAL.search(line).groups()
>> -
>> + elif SignalRule.match(line):
>> if not profile:
>> raise AppArmorException(_('Syntax Error: Unexpected
>> signal entry found in file: %(file)s line: %(line)s') % { 'file': file,
>> 'line': lineno + 1 })
>>
>> - audit = False
>> - if matches[0]:
>> - audit = True
>> - allow = 'allow'
>> - if matches[1] and matches[1].strip() == 'deny':
>> - allow = 'deny'
>> - signal = matches[2].strip()
>> -
>> - signal_rule = parse_signal_rule(signal)
>> - signal_rule.audit = audit
>> - signal_rule.deny = (allow == 'deny')
>> -
>> - signal_rules =
>> profile_data[profile][hat][allow].get('signal', list())
>> - signal_rules.append(signal_rule)
>> - profile_data[profile][hat][allow]['signal'] = signal_rules
>> +
>> profile_data[profile][hat]['signal'].add(SignalRule.parse(line))
>>
>> elif RE_PROFILE_PTRACE.search(line):
>> matches = RE_PROFILE_PTRACE.search(line).groups()
>> @@ -3106,10 +3092,6 @@
>> # XXX Do real parsing here
>> return aarules.Raw_Mount_Rule(line)
>>
>> -def parse_signal_rule(line):
>> - # XXX Do real parsing here
>> - return aarules.Raw_Signal_Rule(line)
>> -
>> def parse_ptrace_rule(line):
>> # XXX Do real parsing here
>> return aarules.Raw_Ptrace_Rule(line)
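Review bot: The new call `profile_data[profile][hat]['signal'].add(SignalRule.parse(line))` in the `elif SignalRule.match(line):` branch carries no file or line context, unlike the `Unexpected signal entry` error just above it, which reports `file` and `lineno + 1`. If `SignalRule.parse()` raises on a malformed rule (the signal tests this patch removes from the known-wrong list suggest it does), the resulting message may not say which profile and line were rejected; that is worth checking, and if so the exception could be caught here and re-raised with the location. At minimum I would put `# audit/deny modifiers and rule validation are handled by SignalRule, not here` above the call, since the explicit audit/deny handling is exactly what this hunk removes. The enclosing function starts and ends outside the hunk.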
>> @@ -3312,22 +3294,10 @@
>> data += write_mount_rules(prof_data, depth, 'allow')
>> return data
>>
>> -def write_signal_rules(prof_data, depth, allow):
>> - pre = ' ' * depth
>> - data = []
>> -
>> - # no signal rules, so return
>> - if not prof_data[allow].get('signal', False):
>> - return data
>> -
>> - for signal_rule in prof_data[allow]['signal']:
>> - data.append('%s%s' % (pre, signal_rule.serialize()))
>> - data.append('')
>> - return data
>> -
>> def write_signal(prof_data, depth):
>> - data = write_signal_rules(prof_data, depth, 'deny')
>> - data += write_signal_rules(prof_data, depth, 'allow')
>> + data = []
>> + if prof_data.get('signal', False):
>> + data = prof_data['signal'].get_clean(depth)
>> return data
>>
>> def write_ptrace_rules(prof_data, depth, allow):
>> === modified file ./utils/apparmor/rules.py
>> --- utils/apparmor/rules.py 2014-12-17 00:54:04.150444000 +0100
>> +++ utils/apparmor/rules.py 2015-10-22 23:39:29.592585653 +0200
>> @@ -71,9 +71,6 @@
>> class Raw_Mount_Rule(_Raw_Rule):
>> pass
>>
>> -class Raw_Signal_Rule(_Raw_Rule):
>> - pass
>> -
>> class Raw_Ptrace_Rule(_Raw_Rule):
>> pass
>>
>> === modified file ./utils/test/test-parser-simple-tests.py
>> --- utils/test/test-parser-simple-tests.py 2015-10-20
>> 23:43:11.058010000 +0200
>> +++ utils/test/test-parser-simple-tests.py 2015-10-23
>> 01:09:18.228609114 +0200
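Review bot: `write_signal()` no longer shows the order in which deny and allow rules are written: the removed lines called `write_signal_rules()` for 'deny' and then for 'allow', while the new body returns whatever `prof_data['signal'].get_clean(depth)` produces. A one-line docstring would record that, e.g. `'''Return the signal rules of prof_data as profile lines; grouping and order come from SignalRuleset.get_clean()'''`. The guard could also be written `if prof_data.get('signal'):`, because the explicit `False` default adds nothing; whether an empty ruleset is falsy depends on SignalRuleset, which this patch does not show.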
>> @@ -134,27 +134,7 @@ >> 'ptrace/bad_07.sd', >> 'ptrace/bad_08.sd', >> 'ptrace/bad_10.sd', >> - 'signal/bad_01.sd', >> - 'signal/bad_02.sd', >> - 'signal/bad_03.sd', >> - 'signal/bad_04.sd', >> - 'signal/bad_05.sd', >> - 'signal/bad_06.sd', >> - 'signal/bad_07.sd', >> - 'signal/bad_08.sd', >> - 'signal/bad_09.sd', >> - 'signal/bad_10.sd', >> - 'signal/bad_11.sd', >> - 'signal/bad_12.sd', >> - 'signal/bad_13.sd', >> - 'signal/bad_14.sd', >> - 'signal/bad_15.sd', >> - 'signal/bad_16.sd', >> - 'signal/bad_17.sd', >> - 'signal/bad_18.sd', >> - 'signal/bad_19.sd', >> - 'signal/bad_20.sd', >> - 'signal/bad_21.sd', >> + 'signal/bad_21.sd', # invalid regex >> 'unix/bad_attr_1.sd', >> 'unix/bad_attr_2.sd', >> 'unix/bad_attr_3.sd', >> >> Its so nice to see much of this code finally removed, with the new class > based rules. > > Thanks for the patch. > > Acked-by: Kshitij Gupta <[email protected]> > > Acked-by: Kshitij Gupta <[email protected]> > >> Regards, >> >> Christian Boltz >> -- >> Wir brauchen ein "postfixbuchconf"-Kommando, damit wir Autor und Version >> bestimmen können... ;) [Patrick Ben Koetter in postfixbuch-users] >> >> >> -- >> AppArmor mailing list >> [email protected] >> Modify settings or unsubscribe at: >> https://lists.ubuntu.com/mailman/listinfo/apparmor >> > > > > -- > Regards, > > Kshitij Gupta > -- Regards, Kshitij Gupta
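Review bot: `'signal/bad_21.sd', # invalid regex` stays in the list of known wrong results, so the Python tools apparently still accept one signal profile that the parser test suite names as bad. The comment would help more if it said what is not being checked, for example `# invalid regex in the rule, not detected by SignalRule`; the wording needs confirming against the test file, which is not part of this patch. A profile the tools accept but the parser rejects will fail to load, so the gap is worth stating where the exception is kept. The list this entry belongs to starts and ends outside the hunk.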
