Hello,
this patch series introduces the FileRule and FileRuleset classes and
changes several code sections to use these classes instead of the old
'path' hasher.
Basically this is "just" a rewrite of the file rule handling, but it
also adds some new features like support for rules with leading
Hello,
File rules contain some optional details (like leading permissions and
the file keyword) which should be ignored in non-strict mode.
This patch passes through the 'strict' parameter to is_equal_localvars
and adds it as function parameter in all existing rule classes.
It also adjusts
Hello,
$subject.
File permissions can be an empty list (if only exec permissions are
specified). This patch adds the optional allow_empty_list parameter so
that the function can handle this case.
[ 02-check_and_split_list-optionally-allow-empty-list.diff ]
--- utils/apparmor/rule/__init__.py
Hello,
$subject.
These classes handle file rules, including file rules with leading
perms, and are meant to replace lots of file rule code in aa.py and
aa-mergeprof.
Note: get_glob() and logprof_header_localvars() don't even look
finalized and will be changed in a later patch. (Some other
Hello,
list, tuple, set - does python offer even more array types? ;-)
[ 03-check_and_split_list-also-accept-set.diff ]
--- utils/apparmor/rule/__init__.py 2016-01-16 21:02:23.414845325 +0100
+++ utils/apparmor/rule/__init__.py 2016-01-18 18:56:44.740261951 +0100
@@ -438,7 +438,7 @@
Hello,
as usual, we have 100% test coverage - at least until patch 22, which
introduces one 'partial' ;-)
[ 07-add-test-file.diff ]
=== modified file ./utils/test/test-file.py
--- utils/test/test-file.py 2016-01-20 20:47:23.952974822 +0100
+++ utils/test/test-file.py 2016-01-20
Hello,
after dropping the dead code in handle_children(), there's only one use
of contains() left in log_str_to_mode().
This patch changes log_str_to_mode to use mode_contains() and drops the
now unused contains() function.
[ 09-aamode-drop-contains.diff ]
=== modified file
Hello,
RE_PATH expected (simplified) '/.+', however this excludes a plain '/'
that can appear in path rules.
This patch changes the regex so that it also matches '/'.
[ 10-RE_PATH-allow-root.diff ]
=== modified file ./utils/apparmor/regex.py
--- utils/apparmor/regex.py 2016-02-01
Hello,
the parser accepts duplicated execute permissions as long as they don't
conflict. For example,
/bin/foo pxpxpxpx,
is a valid rule.
This patch changes FileRule to also accept those duplicated permissions,
even if it's unlikely to hit them outside of the parser tests ;-)
Also add
Hello,
this patch changes handle_children() (which asks about exec events) and
ask_the_questions() (which asks everything else) to FileRule. This
solves the "brain split" introduced by the previous patch.
This means aa-logprof and aa-genprof ask useful questions again, and
store the answers at
Hello,
this patch changes aa.py to use FileRule and FileRuleset for parsing and
saving profiles.
In detail, this means:
- add 'file' to the list of rule classes to enable it at various places
- store file rules in aa[profile][hat]['file'] (not 'path' as before)
to be consistent with the
Hello,
[patch] [16/38] move glob_path() and glob_path_ext() to AARE
glob_path() and glob_path_ext() modify a (path) regex, so move them to
AARE. Also change them to use self.regex instead of the newpath
parameter, and to return a new AARE object.
While on it, also add several tests to
Hello,
$subject.
This change also needs some other changes in ask_the_questions():
- set q.options and q.selected inside the loop (because glob() and
glob_ext() add another option)
- set 'selection' outside the if block to avoid doing it in nearly every
if branch
- make sure to add the
Hello,
$subject.
Also add a rank_path() function to severity.py and change rank() to call
rank_path() for paths.
Long-term goal: get rid of the type "guessing" in rank()
Finally add some tests, mostly based on test-severity.py SeverityTest
[ 21-add-severity-support-to-FileRule.diff ]
===
Hello,
this patch brings back the edit option for the path of file rules.
Also add it to aa-mergeprof to keep ask_the_questions() in sync.
Note: aa-mergeprof will ask about path mismatches basically always.
That's because AARE is too careful on the matching - something to be
fixed in a later
Hello,
this patch adds
- get_rules_for_path() returns all rules matching the given path
(both exact matches and AARE matches)
- get_perms_for_path() returns the merged permissions for the given
path and a list of paths used in the matching rules
Also add tests for these two functions.
[
Hello,
get_file_perms() collects the existing permissions for a file from
various rules (exact matches, wildcards) in the main profile and the
included abstractions.
It will be used to get the display of the current permissions back, and also
to propose rules with merged permissions (next patch).
Hello,
$subject.
aa.py changes:
- add propose_file_rules() - will propose matching paths from existing
rules in the profile or one of the includes
- save user_globs if user selects '(N)ew' (will be re-used when
proposing rules)
- change user_globs to a dict so that it can carry the
Hello,
this patch adds set_options_audit_mode() to switch the audit mode in all
options offered by aa-logprof and aa-mergeprof, not only the "original"
rule (in aa-logprof, this means the non-globbed rule_obj).
As usual, add some tests to ensure the function works as expected.
[
Hello,
when matching an AARE against another AARE, most AARE objects don't
contain orig_regex (only AARE instances originating from a log event
contain orig_regex).
In this case, match() will use is_equal() to error out on the safe side.
Unfortunately this also means that there are lots of false
Hello,
$subject.
Merge the existing and requested permissions into a nice set of headers
that can be displayed by aa-logprof. This will look like:
Path: /foo
Old Mode: r + owner w
New Mode: rw
Also split a _join_given_perms() function off _joint_perms() so
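The three points made in the thread so far that benefit from a worked illustration are the duplicated exec permissions the parser tolerates ("/bin/foo pxpxpxpx," is valid), the get_rules_for_path()/get_perms_for_path() merging over exact and AARE matches, and the "Old Mode: r + owner w" / "New Mode: rw" headers. The block below is an added example written for this page, not code from the AppArmor utils or from these patches: it is a cut-down FileRule/FileRuleset with the same names, and it assumes a reduced permission alphabet (FILE_PERMS), a reduced set of exec modes (EXEC_RE) and a glob syntax limited to '**', '*' and '?' in place of AARE. build_example_ruleset() holds a constructed sample profile.

```python
import re

# Added illustration, not AppArmor's own code: a cut-down FileRule/FileRuleset
# showing tolerated repeated exec perms ('pxpxpxpx'), get_rules_for_path()/
# get_perms_for_path() merging, and the 'Old Mode: r + owner w' headers.
# Assumptions: only the perm letters in FILE_PERMS, the exec modes in EXEC_RE
# and the globs '**', '*', '?' are handled; real AARE syntax is richer.
FILE_PERMS = 'rwalkm'
EXEC_RE = re.compile(r'(?:[pPcC]?[uU]x|[pPcC]x|ix)')

def split_perms(mode):
    """Return (set of file perms, exec mode or None). Identical exec perms may
    repeat, as the parser allows; two different exec perms are a conflict."""
    perms, exec_mode, i = set(), None, 0
    while i < len(mode):
        m = EXEC_RE.match(mode, i)
        if m:
            if exec_mode is not None and exec_mode != m.group(0):
                raise ValueError('conflicting exec perms %s and %s in %r'
                                 % (exec_mode, m.group(0), mode))
            exec_mode, i = m.group(0), m.end()
        elif mode[i] in FILE_PERMS:
            perms.add(mode[i])
            i += 1
        else:
            raise ValueError('invalid permission %r in %r' % (mode[i], mode))
    return perms, exec_mode

def glob_to_regex(glob):
    """Stand-in for AARE: '**' may cross '/', '*' and '?' may not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith('**', i):
            out.append('.*')
            i += 2
        else:
            out.append({'*': '[^/]*', '?': '[^/]'}.get(glob[i], re.escape(glob[i])))
            i += 1
    return re.compile(''.join(out))

class FileRule:
    def __init__(self, path, mode, owner=False):
        self.path, self.owner = path, owner
        self.perms, self.exec_mode = split_perms(mode)
        self.regex = glob_to_regex(path) if any(c in path for c in '*?') else None

    def matches(self, path):
        """Exact comparison for plain paths, glob match otherwise."""
        if self.regex is None:
            return self.path == path
        return self.regex.fullmatch(path) is not None

class FileRuleset:
    def __init__(self):
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)

    def get_rules_for_path(self, path):
        """All rules matching path, exact and glob matches alike."""
        return [r for r in self.rules if r.matches(path)]

    def get_perms_for_path(self, path):
        """Merged perms for path plus the paths of the rules that matched."""
        allow, owner, execs, paths = set(), set(), set(), []
        for rule in self.get_rules_for_path(path):
            (owner if rule.owner else allow).update(rule.perms)
            if rule.exec_mode:
                execs.add(rule.exec_mode)
            paths.append(rule.path)
        # a perm granted to everybody makes the owner-only copy redundant
        return {'allow': allow, 'owner': owner - allow, 'exec': execs, 'paths': paths}

def mode_str(allow, owner=()):
    """Render perms the way aa-logprof shows them, e.g. 'r + owner w'."""
    parts = []
    if allow:
        parts.append(''.join(c for c in FILE_PERMS if c in allow))
    if owner:
        parts.append('owner ' + ''.join(c for c in FILE_PERMS if c in owner))
    return ' + '.join(parts)

def mode_headers(ruleset, path, requested):
    """Old Mode: what the profile grants already; New Mode: merged with the request."""
    old = ruleset.get_perms_for_path(path)
    new_allow = old['allow'] | split_perms(requested)[0]
    return [('Path', path), ('Old Mode', mode_str(old['allow'], old['owner'])),
            ('New Mode', mode_str(new_allow, old['owner'] - new_allow))]

def build_example_ruleset():
    """Constructed sample profile, not taken from a real one."""
    rs = FileRuleset()
    for path, mode, owner in [('/foo', 'r', False), ('/foo', 'w', True),
                              ('/etc/**', 'r', False), ('/etc/*', 'w', False),
                              ('/bin/foo', 'rpxpxpxpx', False)]:
        rs.add(FileRule(path, mode, owner))
    return rs
```

With the sample ruleset, mode_headers(build_example_ruleset(), '/foo', 'w') yields the Path / Old Mode "r + owner w" / New Mode "rw" lines quoted above, split_perms('rpxpxpxpx') comes back as ({'r'}, 'px') while 'pxix' raises, and '/etc/passwd' is matched by both '/etc/**' and '/etc/*' whereas '/etc/ssl/certs' only by the former, because the stand-in glob, like AARE, does not let a single '*' cross a '/'.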
Hello,
$subject.
This is the correct way of doing AARE matches. However, this check is
more strict when matching against an AARE containing wildcards etc.
(which can "by luck" match when doing str matching)
To avoid breaking DbusRule, PtraceRule and SignalRule (especially their
tests),
Hello,
when a user adds a new rule to a profile, cleanup / delete existing
rules that are covered by the new rule, and report the number of deleted
rules.
[ 34-logprof-cleanup-duplicates-on-add.diff ]
=== modified file ./utils/aa-mergeprof
--- utils/aa-mergeprof 2016-08-08 23:55:34.096316427
Hello,
after switching to FileRule, several functions in aamode.py are no
longer used and can be deleted:
- print_mode()
- sub_mode_to_str()
- is_user_mode()
- split_mode()
- mode_to_str()
- flatten_mode()
- owner_flatten_mode()
- mode_to_str_user()
- log_str_to_mode()
The AA_EXEC_TYPE and