On Mon, Jun 05, 2017 at 11:20:33PM +0200, Christian Boltz wrote:
> Hello,
>
> this patch makes the profile_storage() data structure more strict. It
> - initializes everything inside a profile with proper values
> - makes the profile storage a dict() instead of a hasher(), which means
>   it will complain loudly when trying to access non-existing elements
>   (hasher() was more forgiving, but this also meant hiding bugs)
>
> The patch also fixes a minor issue related to the more strict 'repo'
> profile property in serialize_profile().
>
>
> Note that I propose this patch only for trunk.
>
> In theory it should also work on 2.11, but I won't take that risk.
>
> 2.10.x and older are guaranteed to crash in
> serialize_profile_from_old_profile() when (v)iew changes for a profile
> with child profiles is used. The switch to FileRule removed that broken
> code :-)
>
> I have been using this patch locally for (at least) several months, so
> there's a chance it doesn't break anything ;-)
>
>
> [ 01-strict-profile-storage.diff ]
Oh yeah! :D I'd still rather see this using a class with fields, something where you stand a chance of having python tell you "hey that field doesn't exist" when you typo something, but removing the vast magic of hasher() is already a fantastic step. Acked-by: Seth Arnold <[email protected]> Thanks > > === modified file ./utils/apparmor/aa.py > --- utils/apparmor/aa.py 2015-12-26 16:47:30.614839586 +0100 > +++ utils/apparmor/aa.py 2015-12-26 16:46:25.451187459 +0100 > @@ -453,10 +453,7 @@ > # d) other: external, flags, name, profile, attachment, initial_comment, > filename, info, > # profile_keyword, header_comment (these two are currently > only set by set_profile_flags()) > > - # Note that this function doesn't explicitely init all those keys (yet). > - # It will be extended over time, with the final goal to get rid of > hasher(). > - > - profile = hasher() > + profile = dict() > > # profile['info'] isn't used anywhere, but can be helpful in debugging. > profile['info'] = {'profile': profilename, 'hat': hat, 'calledby': > calledby} 
> @@ -472,8 +467,35 @@ > profile['rlimit'] = RlimitRuleset() > profile['signal'] = SignalRuleset() > > - profile['allow']['mount'] = list() > + profile['alias'] = dict() > + profile['include'] = dict() > + profile['localinclude'] = dict() > + profile['repo'] = dict() > + profile['lvar'] = dict() > + > + profile['filename'] = '' > + profile['name'] = '' > + profile['attachment'] = '' > + profile['flags'] = '' > + profile['external'] = False > + profile['header_comment'] = '' > + profile['initial_comment'] = '' > + profile['profile_keyword'] = False > + profile['profile'] = False # profile or hat? > + > + profile['allow'] = dict() > + profile['deny'] = dict() > + > + profile['allow']['link'] = hasher() > + profile['deny']['link'] = hasher() > + > + # mount, pivot_root, unix have a .get() fallback to list() - initialize > them nevertheless > + profile['allow']['mount'] = list() > + profile['deny']['mount'] = list() > profile['allow']['pivot_root'] = list() > + profile['deny']['pivot_root'] = list() > + profile['allow']['unix'] = list() > + profile['deny']['unix'] = list() > > return profile > > @@ -3074,7 +3074,7 @@ > profile_data[name]['repo']['id']): > repo = profile_data[name]['repo'] > string += '# REPOSITORY: %s %s %s\n' % (repo['url'], > repo['user'], repo['id']) > - elif profile_data[name]['repo']['neversubmit']: > + elif profile_data[name]['repo'].get('neversubmit'): > string += '# REPOSITORY: NEVERSUBMIT\n' > > # if profile_data[name].get('initial_comment', False): > > >
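Review bot: In the @@ -472 hunk, profile['allow']['link'] and profile['deny']['link'] are still initialized with hasher(), so access to non-existing keys under either one will stay as forgiving as before, which is the behaviour the switch to dict() is meant to remove. If the link handling still depends on that, a short comment saying so (like the one given for mount, pivot_root and unix) would help; otherwise initialize them as dict() too. The trailing comment on profile['profile'] = False ("# profile or hat?") also reads as an open question; stating what True and False mean would be clearer.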
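Review bot: In the @@ -3074 hunk, only the elif is switched to .get('neversubmit'), while the unchanged condition ending just above it still indexes profile_data[name]['repo']['id'] directly. With 'repo' now initialized as a plain dict(), that lookup raises KeyError whenever the key is absent, unless an earlier part of the condition (not visible in this hunk) guards it. It is worth checking the case where 'repo' holds only 'neversubmit', and using .get() for the lookups in that condition as well.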
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
