Hello,
Am Mittwoch, 9. Mai 2012 schrieb Christian Boltz:
> as mentioned in the UDS chat, I'd like to have a create_file_rule
> function in create-apparmor.vim.py.
>
> Unfortunately Python is not one of the P* languages I "speak", which
> means I can't implement this myself :-( or at least I'd need more time
> for reading a "python for beginners" tutorial than for writing code
> ;-)
LinuxTag has some advantages - for example, you meet people who can help
with python :-)
The attached patch moves the generation of file rules from
apparmor.vim.in to create-apparmor.vim.py. It also adds support for
- filenames in quotes
- reverse syntax (permissions first)
The patch also removes an outdated $Id header in apparmor.vim.in and
updates the copyright year.
Note: If you want to compare apparmor.vim with the "old" apparmor.vim,
temporarily comment out the "filename with quotes" and the two "reverse
syntax" lines in create_file_rule().
The code looks good to me and seems to work (I tested with some
profiles, but didn't test all corner cases), but maybe it isn't the
best-looking python code on the world ;-) (it's the first python I ever
wrote...) I'm always happy about improvements. However, I'd prefer to
do it incremental - in other words: first commit this patch and then
apply a "cleanup" patch. That makes checking the changes easier.
Regards,
Christian Boltz
--
»Microsoft Outlook Express - Designed to enable Virus replication.«
[http://www.microsoft.com/mac/products/office/2001/virus_alert.asp]
move generation of file rules to create-apparmor.vim
This patch moves the generation of file rules from apparmor.vim.in to
create-apparmor.vim.py. It also adds support for
- filenames in quotes
- reverse syntax (permissions first)
The patch also removes an outdated $Id header in apparmor.vim.in and
updates the copyright year.
=== modified file 'utils/vim/apparmor.vim.in'
--- utils/vim/apparmor.vim.in 2012-02-15 22:44:39 +0000
+++ utils/vim/apparmor.vim.in 2012-05-25 23:16:41 +0000
@@ -1,8 +1,6 @@
-" $Id: apparmor.vim.in,v 1.11 2011/03/28 11:23:13 cb Exp $
-"
" ----------------------------------------------------------------------
" Copyright (c) 2005 Novell, Inc. All Rights Reserved.
-" Copyright (c) 2006-2011 Christian Boltz. All Rights Reserved.
+" Copyright (c) 2006-2012 Christian Boltz. All Rights Reserved.
"
" This program is free software; you can redistribute it and/or
" modify it under the terms of version 2 of the GNU General Public
@@ -166,48 +164,6 @@
syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob
-" file permissions
-"
-" TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise
-"
-" write + exec/mmap - danger!
-" known bug: accepts 'aw' to keep things simple
-syn match sdEntryWriteExec /@@FILE@@(l|r|w|a|m|k|[iuUpPcC]x)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" ux(mr) - unconstrained entry, flag the line red
-" also includes pux which is unconstrained if no profile exists
-syn match sdEntryUX /@@FILE@@(r|m|k|ux|pux)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Ux(mr) and PUx(mr) - like ux + clean environment
-syn match sdEntryUXe /@@FILE@@(r|m|k|Ux|PUx)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" px/cx/pix/cix(mrk) - standard exec entry, flag the line blue
-syn match sdEntryPX /@@FILE@@(r|m|k|px|cx|pix|cix)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment
-syn match sdEntryPXe /@@FILE@@(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" ix(mr) - standard exec entry, flag the line green
-syn match sdEntryIX /@@FILE@@(r|m|k|ix)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" mr - mmap with PROT_EXEC
-syn match sdEntryM /@@FILE@@(r|m|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" special case: deny x is allowed (doesn't need to be ix, px, ux or cx)
-syn match sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" if we've got u or i without x, it's an error
-" rule is superfluous because of the '/.*/ is an error' rule ;-)
-"syn match sdError /@@FILE@@(l|r|w|k|u|p|i)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write + append is an error also
-"syn match sdError /@@FILE@@(\S*r\S*a\S*|\S*a\S*w\S*)@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-syn match sdError /@@FILE@@\S*(w\S*a|a\S*w)\S*@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write entry, flag the line yellow
-syn match sdEntryW /@@FILE@@(l|r|w|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" append entry, flag the line yellow
-syn match sdEntryW /@@FILE@@(l|r|a|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" read entry + locking, currently no highlighting
-syn match sdEntryK /@@FILE@@[rlk]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" read entry, no highlighting
-syn match sdEntryR /@@FILE@@[rl]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
syn match sdExtHat /\v^\s+(\^|profile\s+)\S+@@EOL@@/ contains=sdComment " hat without {...}
@@ -233,4 +189,5 @@
syn region Normal start=/\v^(profile\s+)?\S+\s+@@flags@@=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
syn region Hat start=/\v^\s+(\^|profile\s+)\S+\s+@@flags@@=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude
+" file permissions
=== modified file 'utils/vim/create-apparmor.vim.py'
--- utils/vim/create-apparmor.vim.py 2012-04-05 21:39:57 +0000
+++ utils/vim/create-apparmor.vim.py 2012-05-25 23:15:44 +0000
@@ -92,6 +92,7 @@
# (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
'DENYFILE': r'\v^\s*(audit\s+)?deny\s+(owner\s+)?' + filename + r'\s+', # deny, otherwise like FILE
'auditdenyowner': r'(audit\s+)?(deny\s+)?(owner\s+)?',
+ 'audit_DENY_owner': r'(audit\s+)?deny\s+(owner\s+)?', # must include "deny", otherwise like auditdenyowner
'auditdeny': r'(audit\s+)?(deny\s+)?',
'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)', # End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
'TRANSITION': r'(\s+-\>\s+\S+)?',
@@ -110,9 +111,68 @@
return matchobj.group(0)
+
+def create_file_rule (highlighting, permissions, comment, denyrule = 0):
+
+ if denyrule == 0:
+ keywords = '@@auditdenyowner@@'
+ else:
+ keywords = '@@audit_DENY_owner@@' # TODO: not defined yet, will be '(audit\s+)?deny\s+(owner\s+)?'
+
+ sniplet = ''
+ sniplet = sniplet + "\n" + '" ' + comment + "\n"
+
+ prefix = r'syn match ' + highlighting + r' /\v^\s*' + keywords
+ suffix = r'@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' + "\n"
+ # filename without quotes
+ sniplet = sniplet + prefix + r'@@FILENAME@@\s+' + permissions + suffix
+ # filename with quotes
+ sniplet = sniplet + prefix + r'"@@FILENAME@@"\s+' + permissions + suffix
+ # filename without quotes, reverse syntax
+ sniplet = sniplet + prefix + permissions + r'\s+@@FILENAME@@' + suffix
+ # filename with quotes, reverse syntax
+ sniplet = sniplet + prefix + permissions + r'\s+"@@FILENAME@@"+' + suffix
+
+ return sniplet
+
+
+filerule = ''
+filerule = filerule + create_file_rule ( 'sdEntryWriteExec ', r'(l|r|w|a|m|k|[iuUpPcC]x)+@@TRANSITION@@', 'write + exec/mmap - danger! (known bug: accepts aw to keep things simple)' )
+filerule = filerule + create_file_rule ( 'sdEntryUX', r'(r|m|k|ux|pux)+@@TRANSITION@@', 'ux(mr) - unconstrained entry, flag the line red. also includes pux which is unconstrained if no profile exists' )
+filerule = filerule + create_file_rule ( 'sdEntryUXe', r'(r|m|k|Ux|PUx)+@@TRANSITION@@', 'Ux(mr) and PUx(mr) - like ux + clean environment' )
+filerule = filerule + create_file_rule ( 'sdEntryPX', r'(r|m|k|px|cx|pix|cix)+@@TRANSITION@@', 'px/cx/pix/cix(mrk) - standard exec entry, flag the line blue' )
+filerule = filerule + create_file_rule ( 'sdEntryPXe', r'(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@', 'Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment' )
+filerule = filerule + create_file_rule ( 'sdEntryIX', r'(r|m|k|ix)+', 'ix(mr) - standard exec entry, flag the line green' )
+filerule = filerule + create_file_rule ( 'sdEntryM', r'(r|m|k)+', 'mr - mmap with PROT_EXEC' )
+
+filerule = filerule + create_file_rule ( 'sdEntryM', r'(r|m|k|x)+', 'special case: deny x is allowed (does not need to be ix, px, ux or cx)', 1)
+#syn match sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+
+filerule = filerule + create_file_rule ( 'sdError', r'\S*(w\S*a|a\S*w)\S*', 'write + append is an error' )
+filerule = filerule + create_file_rule ( 'sdEntryW', r'(l|r|w|k)+', 'write entry, flag the line yellow' )
+filerule = filerule + create_file_rule ( 'sdEntryW', r'(l|r|a|k)+', 'append entry, flag the line yellow' )
+filerule = filerule + create_file_rule ( 'sdEntryK', r'[rlk]+', 'read entry + locking, currently no highlighting' )
+filerule = filerule + create_file_rule ( 'sdEntryR', r'[rl]+', 'read entry, no highlighting' )
+
+# " special case: deny x is allowed (doesn't need to be ix, px, ux or cx)
+# syn match sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+# " TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise
+
+
regex = "@@(" + "|".join(aa_regex_map) + ")@@"
+print '" generated from apparmor.vim.in by create-apparmor.vim.py'
+print '" do not edit this file - edit apparmor.vim.in or create-apparmor.vim.py instead' + "\n"
+
with file("apparmor.vim.in") as template:
for line in template:
line = re.sub(regex, my_repl, line.rstrip())
print line
+
+print "\n\n\n"
+
+print '" file rules added with create_file_rule()'
+print re.sub(regex, my_repl, filerule)
+
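Review bot: The quoted reverse-syntax pattern on the last `sniplet` line has a stray `+` after the closing quote, so `"@@FILENAME@@"+` matches one or more closing double-quotes instead of exactly one and a line such as `r "/path"" ,` would be highlighted as a valid rule; it should read `sniplet = sniplet + prefix + permissions + r'\s+"@@FILENAME@@"' + suffix`. The comment on the `keywords = '@@audit_DENY_owner@@'` line says the key is not defined yet, but the first hunk of this file adds it to the regex map, so that TODO is stale and should be dropped. The first `create_file_rule(...)` call passes `'sdEntryWriteExec '` with a trailing space, which emits `syn match sdEntryWriteExec  /...` with a doubled space — vim presumably tolerates it, but it is inconsistent with the other calls. The commented-out `syn match sdEntryM /@@DENYFILE@@...` lines appear twice below the calls and are dead now that the deny rule is generated with `denyrule=1`. A short docstring on `create_file_rule` stating that it returns four `syn match` lines (plain and quoted filename, each in both operand orders) would help the next reader.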