Hello,
FileRule uses RE_PROFILE_FILE_ENTRY, which also means
RE_PROFILE_PATH_ENTRY, RE_PROFILE_BARE_FILE_ENTRY and RE_OWNER are now
unused.
This patch drops these regexes and their tests in test-regex_matches.py.
[ 38-drop-old-path-regexes.diff ]
=== modified file ./utils/apparmor/regex.py
--
Hello,
rank() in severity.py is a dispatcher that calls the needed function
(rank_path(), rank_capability()) based on the parameter. Since all
calling code knows what rule type it is handling, this dispatcher is
superfluous - the calling code can call rank_path() or rank_capability()
directly.
Thi
Hello,
after switching to FileRule, several functions in aamode.py are no
longer used and can be deleted:
- print_mode()
- sub_mode_to_str()
- is_user_mode()
- split_mode()
- mode_to_str()
- flatten_mode()
- owner_flatten_mode()
- mode_to_str_user()
- log_str_to_mode()
The AA_EXEC_TYPE and ALL_AA
Hello,
$subject ;-)
[ 35-drop-old-path-code.diff ]
=== modified file ./utils/aa-mergeprof
--- utils/aa-mergeprof 2016-05-26 23:58:03.998344576 +0200
+++ utils/aa-mergeprof 2016-05-27 00:30:32.209199179 +0200
@@ -14,7 +14,6 @@
#
#
Hello,
when a user adds a new rule to a profile, cleanup / delete existing
rules that are covered by the new rule, and report the number of deleted
rules.
[ 34-logprof-cleanup-duplicates-on-add.diff ]
=== modified file ./utils/aa-mergeprof
--- utils/aa-mergeprof 2016-08-08 23:55:34.096316427
Hello,
adding a rule to *Ruleset means it simply gets added. This also means
that then-superfluous rules will be kept.
This patch adds an optional cleanup flag to add(). If set, rules covered
by the new rule will be deleted. The difference to delete_duplicates()
is that cleanup only deletes rules
Hello,
this patch replaces the old (hasher-based) conflict_mode() with the new
(FileRule-based) ask_conflict_mode() function. If it detects conflicting
exec rules, it asks the user which one to keep.
Also call ask_conflict_mode() from ask_the_questions() so that it is
actually used.
Note: This pa
Hello,
get_exec_rules_for_path() returns a FileRuleset with all rules matching
the given path.
get_exec_conflict_rules() returns a FileRuleset with all exec rules that
conflict with the given oldrule. This will be used by aa-mergeprof to
ask the user which rule he wants to keep.
Also add tests f
Hello,
the clear_common() call was disabled because it crashed in
delete_path_duplicates(). With the switch to FileRule, this function
no longer exists and therefore it can't crash ;-)
This patch re-enables the clear_common() call to avoid asking
superfluous questions.
References: https://bugs.l
Hello,
$subject.
This is the correct way of doing AARE matches. However, this check is
more strict when matching against an AARE containing wildcards etc.
(which can "by luck" match when doing str matching)
To avoid breaking DbusRule, PtraceRule and SignalRule (especially their
tests), introduce
Hello,
when matching an AARE against another AARE, most AARE objects don't
contain orig_regex (only AARE instances originating from a log event
contain orig_regex).
In this case, match() will use is_equal() to error out on the safe side.
Unfortunately this also means that there are lots of false
Hello,
if the audit.log contains an event for a non-existing profile (this can
happen when running with a foreign log or if the user manually deleted a
profile or hat), propose_file_rules() crashes because rule_obj is None
instead of a profile_storage() struct.
This patch adds a check that skips
Hello,
$subject.
Merge the existing and requested permissions into a nice set of headers
that can be displayed by aa-logprof. This will look like:
Path: /foo
Old Mode: r + owner w
New Mode: rw
Also split off a _join_given_perms() function off _joint_perms() so tha
Hello,
$subject.
aa.py changes:
- add propose_file_rules() - will propose matching paths from existing
rules in the profile or one of the includes
- save user_globs if user selects '(N)ew' (will be re-used when
proposing rules)
- change user_globs to a dict so that it can carry the human-read
Hello,
this patch adds set_options_audit_mode() to switch the audit mode in all
options offered by aa-logprof and aa-mergeprof, not only the "original"
rule (in aa-logprof, this means the non-globbed rule_obj).
As usual, add some tests to ensure the function works as expected.
[ 25-set-audit-
Hello,
get_file_perms() collects the existing permissions for a file from
various rules (exact matches, wildcards) in the main profile and the
included abstractions.
It will be used to get displaying the current permissions back, and also
to propose rules with merged permissions (next patch).
Al
Hello,
this patch adds
- get_rules_for_path() returns all rules matching the given path
(both exact matches and AARE matches)
- get_perms_for_path() returns the merged permissions for the given
path and a list of paths used in the matching rules
Also add tests for these two functions.
[ 22-
Hello,
$subject.
Also add a rank_path() function to severity.py and change rank() to call
rank_path() for paths.
Long-term goal: get rid of the type "guessing" in rank()
Finally add some tests, mostly based on test-severity.py SeverityTest
[ 21-add-severity-support-to-FileRule.diff ]
=== modi
Hello,
this patch brings back the edit option for the path of file rules.
Also add it to aa-mergeprof to keep ask_the_questions() in sync.
Note: aa-mergeprof will ask about path mismatches basically always.
That's because AARE is too careful on the matching - something to be
fixed in a later patc
Hello,
$subject.
This means adding
- self.can_edit - True if editing via '(N)ew' should be possible (will
be False for bare file rules)
- edit_header() - returns the prompt text and the current path
- validate_edit() - checks if the new path matches the original one
- store_edit() - changes the
Hello,
$subject.
This change also needs some other changes in ask_the_questions():
- set q.options and q.selected inside the loop (because glob() and
glob_ext() add another option)
- set 'selection' outside the if block to avoid doing it in nearly every
if branch
- make sure to add the select
Hello,
this patch adds the glob() and glob_ext() functions to FileRule, and sets
self.can_glob and self.can_glob_ext. Also add some tests (just enough to
make sure the FileRule integration works - the globbing is handled
inside AARE, and the AARE tests contain more testcases).
Note that the implem
Hello,
[patch] [16/38] move glob_path() and glob_path_ext() to AARE
glob_path() and glob_path_ext() modify a (path) regex, so move them to
AARE. Also change them to use self.regex instead of the newpath
parameter, and to return a new AARE object.
While on it, also add several tests to test-aare.p
Hello,
this patch changes handle_children() (which asks about exec events) and
ask_the_questions() (which asks everything else) to FileRule. This
solves the "brain split" introduced by the previous patch.
This means aa-logprof and aa-genprof ask useful questions again, and
store the answers at th
Hello,
this patch changes aa.py to use FileRule and FileRuleset for parsing and
saving profiles.
In detail, this means:
- add 'file' to the list of rule classes to enable it at various places
- store file rules in aa[profile][hat]['file'] (not 'path' as before)
to be consistent with the FileRu
Hello,
aa-logprof needs to check if an exec rule for a given path exists.
This patch adds a __FileAnyExec class to FileRule, as well as ANY_EXEC
(which should be used externally, similar to ALL), and adjusts several
checks to allow it as a special execute mode.
This will allow to use is_covered(
Hello,
Patch 14 will drop the RE_PROFILE_PATH_ENTRY and
RE_PROFILE_BARE_FILE_ENTRY import from apparmor.aa.
This would break test-regex_matches.py, therefore
import these regexes from apparmor.regex.
[ 12-test-regex_matches-change-imports.diff ]
=== modified file ./utils/test/test-regex_matche
Hello,
the parser accepts duplicated execute permissions as long as they don't
conflict. For example,
/bin/foo pxpxpxpx,
is a valid rule.
This patch changes FileRule to also accept those duplicated permissions,
even if it's unlikely to hit them outside of the parser tests ;-)
Also add so
Hello,
RE_PATH expected (simplified) '/.+', however this excludes a plain '/'
that can appear in path rules.
This patch changes the regex so that it also matches '/'.
[ 10-RE_PATH-allow-root.diff ]
=== modified file ./utils/apparmor/regex.py
--- utils/apparmor/regex.py 2016-02-01 21:31:56.
Hello,
after dropping the dead code in handle_children(), there's only one use
of contains() left in log_str_to_mode().
This patch changes log_str_to_mode to use mode_contains() and drops the
now unused contains() function.
[ 09-aamode-drop-contains.diff ]
=== modified file 'utils/apparmor/aam
Hello,
The 'exec' handling in handle_children starts with
    if do_execute:
        if profile_known_exec(...):
            continue
which means if profile_known_exec() returns True, the rest of the loop
will be skipped. profile_known_exec() will return True if it finds an
exec rule in the pro
Hello,
as usual, we have 100% test coverage - at least until patch 22, which
introduces one 'partial' ;-)
[ 07-add-test-file.diff ]
=== modified file ./utils/test/test-file.py
--- utils/test/test-file.py 2016-01-20 20:47:23.952974822 +0100
+++ utils/test/test-file.py 2016-01-20 21:44:52
Hello,
$subject.
These classes handle file rules, including file rules with leading
perms, and are meant to replace lots of file rule code in aa.py and
aa-mergeprof.
Note: get_glob() and logprof_header_localvars() don't even look
finalized and will be changed in a later patch. (Some other things
Hello,
_is_covered_list() has a sanity check that raises an exception if both
other_value and other_all evaluate to False. This breaks when using
_is_covered_list() for FileRule.perms which can be empty if exec_perms
are specified.
This patch adds an optional parameter that allows to skip the san
Hello,
$subject.
For now, use an additional regex RE_PROFILE_FILE_ENTRY to avoid
breakage of the existing code by the added match groups.
The regex includes support for file rules with leading and trailing
permissions as well as bare file rules.
Note: even with the restriction to the permission
Hello,
list, tuple, set - does Python offer even more array types? ;-)
[ 03-check_and_split_list-also-accept-set.diff ]
--- utils/apparmor/rule/__init__.py 2016-01-16 21:02:23.414845325 +0100
+++ utils/apparmor/rule/__init__.py 2016-01-18 18:56:44.740261951 +0100
@@ -438,7 +438,7 @@
Hello,
$subject.
File permissions can be an empty list (if only exec permissions are
specified). This patch adds the optional allow_empty_list parameter so
that the function can handle this case.
[ 02-check_and_split_list-optionally-allow-empty-list.diff ]
--- utils/apparmor/rule/__init__.py
AppArmor mailing list
AppArmor@lists.ubuntu.com
Hello,
File rules contain some optional details (like leading permissions and
the file keyword) which should be ignored in non-strict mode.
This patch passes through the 'strict' parameter to is_equal_localvars
and adds it as function parameter in all existing rule classes.
It also adjusts test-b
Hello,
this patch series introduces the FileRule and FileRuleset classes and
changes several code sections to use these classes instead of the old
'path' hasher.
Basically this is "just" a rewrite of the file rule handling, but it
also adds some new features like support for rules with leading