Hello,

Am Mittwoch, 9. Mai 2012 schrieb Christian Boltz:
> as mentioned in the UDS chat, I'd like to have a create_file_rule
> function in create-apparmor.vim.py.
> 
> Unfortunately Python is not one of the P* languages I "speak", which
> means I can't implement this myself :-( or at least I'd need more time
> for reading a "python for beginners" tutorial than for writing code
> ;-)

LinuxTag has some advantages - for example, you meet people who can help 
with python :-)

The attached patch moves the generation of file rules from 
apparmor.vim.in to create-apparmor.vim.py. It also adds support for
- filenames in quotes
- reverse syntax (permissions first)

The patch also removes an outdated $Id header in apparmor.vim.in and
updates the copyright year.

Note: If you want to compare apparmor.vim with the "old" apparmor.vim, 
temporarily comment out the "filename with quotes" and the two "reverse 
syntax" lines in create_file_rule().


The code looks good to me and seems to work (I tested with some 
profiles, but didn't test all corner cases), but maybe it isn't the 
best-looking python code in the world ;-)  (it's the first python I ever 
wrote...)  I'm always happy about improvements. However, I'd prefer to 
do it incrementally - in other words: first commit this patch and then 
apply a "cleanup" patch. That makes checking the changes easier.


Regards,

Christian Boltz
-- 
»Microsoft Outlook Express - Designed to enable Virus replication.«
[http://www.microsoft.com/mac/products/office/2001/virus_alert.asp]
move generation of file rules to create-apparmor.vim

This patch moves the generation of file rules from apparmor.vim.in to
create-apparmor.vim.py. It also adds support for
- filenames in quotes
- reverse syntax (permissions first)

The patch also removes an outdated $Id header in apparmor.vim.in and
updates the copyright year.


=== modified file 'utils/vim/apparmor.vim.in'
--- utils/vim/apparmor.vim.in	2012-02-15 22:44:39 +0000
+++ utils/vim/apparmor.vim.in	2012-05-25 23:16:41 +0000
@@ -1,8 +1,6 @@
-" $Id: apparmor.vim.in,v 1.11 2011/03/28 11:23:13 cb Exp $
-"
 " ----------------------------------------------------------------------
 "    Copyright (c) 2005 Novell, Inc. All Rights Reserved.
-"    Copyright (c) 2006-2011 Christian Boltz. All Rights Reserved.
+"    Copyright (c) 2006-2012 Christian Boltz. All Rights Reserved.
 "      
 "    This program is free software; you can redistribute it and/or
 "    modify it under the terms of version 2 of the GNU General Public
@@ -166,48 +164,6 @@
 syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob
 
 
-" file permissions
-"
-" TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise
-"
-" write + exec/mmap - danger!
-" known bug: accepts 'aw' to keep things simple
-syn match  sdEntryWriteExec /@@FILE@@(l|r|w|a|m|k|[iuUpPcC]x)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" ux(mr) - unconstrained entry, flag the line red
-" also includes pux which is unconstrained if no profile exists
-syn match  sdEntryUX /@@FILE@@(r|m|k|ux|pux)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Ux(mr) and PUx(mr) - like ux + clean environment
-syn match  sdEntryUXe /@@FILE@@(r|m|k|Ux|PUx)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" px/cx/pix/cix(mrk) - standard exec entry, flag the line blue
-syn match  sdEntryPX /@@FILE@@(r|m|k|px|cx|pix|cix)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment
-syn match  sdEntryPXe /@@FILE@@(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" ix(mr) - standard exec entry, flag the line green
-syn match  sdEntryIX /@@FILE@@(r|m|k|ix)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" mr - mmap with PROT_EXEC
-syn match  sdEntryM /@@FILE@@(r|m|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" special case: deny x is allowed (doesn't need to be ix, px, ux or cx)
-syn match  sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" if we've got u or i without x, it's an error
-" rule is superfluous because of the '/.*/ is an error' rule ;-)
-"syn match  sdError /@@FILE@@(l|r|w|k|u|p|i)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write + append is an error also
-"syn match  sdError /@@FILE@@(\S*r\S*a\S*|\S*a\S*w\S*)@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-syn match  sdError /@@FILE@@\S*(w\S*a|a\S*w)\S*@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write entry, flag the line yellow
-syn match  sdEntryW /@@FILE@@(l|r|w|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" append entry, flag the line yellow
-syn match  sdEntryW /@@FILE@@(l|r|a|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" read entry + locking, currently no highlighting
-syn match  sdEntryK /@@FILE@@[rlk]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" read entry, no highlighting
-syn match  sdEntryR /@@FILE@@[rl]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
 syn match sdExtHat  /\v^\s+(\^|profile\s+)\S+@@EOL@@/ contains=sdComment " hat without {...}
 
 
@@ -233,4 +189,5 @@
 syn region Normal start=/\v^(profile\s+)?\S+\s+@@flags@@=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
 syn region Hat start=/\v^\s+(\^|profile\s+)\S+\s+@@flags@@=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude
 
+" file permissions
 

=== modified file 'utils/vim/create-apparmor.vim.py'
--- utils/vim/create-apparmor.vim.py	2012-04-05 21:39:57 +0000
+++ utils/vim/create-apparmor.vim.py	2012-05-25 23:15:44 +0000
@@ -92,6 +92,7 @@
                         # (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
     'DENYFILE':         r'\v^\s*(audit\s+)?deny\s+(owner\s+)?' + filename + r'\s+', # deny, otherwise like FILE
     'auditdenyowner':   r'(audit\s+)?(deny\s+)?(owner\s+)?',
+    'audit_DENY_owner': r'(audit\s+)?deny\s+(owner\s+)?', # must include "deny", otherwise like auditdenyowner
     'auditdeny':        r'(audit\s+)?(deny\s+)?',
     'EOL':              r'\s*,(\s*$|(\s*#.*$)\@=)', # End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
     'TRANSITION':       r'(\s+-\>\s+\S+)?',
@@ -110,9 +111,68 @@
 
     return matchobj.group(0)
 
+
+def create_file_rule (highlighting, permissions, comment, denyrule = 0):
+
+	if denyrule == 0:
+		keywords = '@@auditdenyowner@@'
+	else:
+		keywords = '@@audit_DENY_owner@@' # TODO: not defined yet, will be '(audit\s+)?deny\s+(owner\s+)?'
+
+	sniplet = ''
+	sniplet = sniplet + "\n" + '" ' + comment + "\n"
+
+	prefix = r'syn match  ' + highlighting + r' /\v^\s*' + keywords
+	suffix = r'@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' + "\n"
+	# filename without quotes
+	sniplet = sniplet + prefix + r'@@FILENAME@@\s+' + permissions + suffix
+	# filename with quotes
+	sniplet = sniplet + prefix + r'"@@FILENAME@@"\s+' + permissions + suffix
+	# filename without quotes, reverse syntax
+	sniplet = sniplet + prefix + permissions + r'\s+@@FILENAME@@' + suffix
+	# filename with quotes, reverse syntax
+	sniplet = sniplet + prefix + permissions + r'\s+"@@FILENAME@@"+' + suffix
+
+	return sniplet
+
+
+filerule = ''
+filerule = filerule + create_file_rule ( 'sdEntryWriteExec ', r'(l|r|w|a|m|k|[iuUpPcC]x)+@@TRANSITION@@', 'write + exec/mmap - danger! (known bug: accepts aw to keep things simple)' )
+filerule = filerule + create_file_rule ( 'sdEntryUX',  r'(r|m|k|ux|pux)+@@TRANSITION@@',  'ux(mr) - unconstrained entry, flag the line red. also includes pux which is unconstrained if no profile exists' )
+filerule = filerule + create_file_rule ( 'sdEntryUXe', r'(r|m|k|Ux|PUx)+@@TRANSITION@@',  'Ux(mr) and PUx(mr) - like ux + clean environment' )
+filerule = filerule + create_file_rule ( 'sdEntryPX',  r'(r|m|k|px|cx|pix|cix)+@@TRANSITION@@',  'px/cx/pix/cix(mrk) - standard exec entry, flag the line blue' )
+filerule = filerule + create_file_rule ( 'sdEntryPXe', r'(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@', 'Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment' )
+filerule = filerule + create_file_rule ( 'sdEntryIX',  r'(r|m|k|ix)+',  'ix(mr) - standard exec entry, flag the line green' )
+filerule = filerule + create_file_rule ( 'sdEntryM',   r'(r|m|k)+',  'mr - mmap with PROT_EXEC' )
+
+filerule = filerule + create_file_rule ( 'sdEntryM',   r'(r|m|k|x)+',  'special case: deny x is allowed (does not need to be ix, px, ux or cx)', 1)
+#syn match  sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+
+filerule = filerule + create_file_rule ( 'sdError',    r'\S*(w\S*a|a\S*w)\S*',  'write + append is an error' )
+filerule = filerule + create_file_rule ( 'sdEntryW',   r'(l|r|w|k)+',  'write entry, flag the line yellow' )
+filerule = filerule + create_file_rule ( 'sdEntryW',   r'(l|r|a|k)+',  'append entry, flag the line yellow' )
+filerule = filerule + create_file_rule ( 'sdEntryK',   r'[rlk]+',  'read entry + locking, currently no highlighting' )
+filerule = filerule + create_file_rule ( 'sdEntryR',   r'[rl]+',  'read entry, no highlighting' )
+
+# " special case: deny x is allowed (doesn't need to be ix, px, ux or cx)
+# syn match  sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+# " TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise
+
+
 regex = "@@(" + "|".join(aa_regex_map) + ")@@"
 
+print '" generated from apparmor.vim.in by create-apparmor.vim.py'
+print '" do not edit this file - edit apparmor.vim.in or create-apparmor.vim.py instead' + "\n"
+
 with file("apparmor.vim.in") as template:
     for line in template:
         line = re.sub(regex, my_repl, line.rstrip())
         print line
+
+print "\n\n\n"
+
+print '" file rules added with create_file_rule()'
+print re.sub(regex, my_repl, filerule)
+
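Review bot: The quoted reverse-syntax variant in create_file_rule() has a stray quantifier: `r'\s+"@@FILENAME@@"+'` makes the closing double quote `"+` (one or more quotes), so a rule such as `rw "/path"" ,` is accepted while the non-reverse quoted variant a few lines above requires exactly one; it should read `sniplet = sniplet + prefix + permissions + r'\s+"@@FILENAME@@"' + suffix`. The comment on the `keywords = '@@audit_DENY_owner@@'` branch still says "TODO: not defined yet", but the same patch adds that key to aa_regex_map in the earlier hunk, so the TODO should be dropped to avoid misleading the next reader. The function body is indented with tabs while the rest of the file uses four spaces; mixed indentation is tolerated by Python 2 but is worth normalising before a cleanup patch lands on top. The commented-out `syn match sdEntryM /@@DENYFILE@@...` lines and the old quotes TODO that follow the create_file_rule() calls are now dead text duplicating what the generated rules already express and can be removed.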
