mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 05:47:59 +00:00
Code Issues Releases Wiki Activity

[35/38] Drop old path code from aa.py and aa-mergeprof

Browse Source 
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
Christian Boltz 2016-10-01 20:14:44 +02:00
parent 3ed80a9ed4
commit 95f47ba9ff
2 changed files with 1 additions and 618 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

317
utils/aa-mergeprof
View File

@ -14,7 +14,6 @@
#
# ----------------------------------------------------------------------
import argparse
import re
import os
import apparmor.aa
@ -322,322 +321,6 @@ class Merge(object):
elif ans == 'CMD_FINISHED':
return
# Process all the path entries.
for allow in ['allow', 'deny']:
if False: # XXX
#for path in sorted(other.aa[profile][hat][allow]['path'].keys()):
path = None # XXX needed to keep 'make check' happy
#print(path, other.aa[profile][hat][allow]['path'][path])
mode = other.aa[profile][hat][allow]['path'][path]['mode']
if aa[profile][hat][allow]['path'].get(path, False):
mode = self.conflict_mode(profile, hat, allow, path, 'mode', other.aa[profile][hat][allow]['path'][path]['mode'], aa[profile][hat][allow]['path'][path]['mode'])
self.conflict_mode(profile, hat, allow, path, 'audit', other.aa[profile][hat][allow]['path'][path]['audit'], aa[profile][hat][allow]['path'][path]['audit'])
changed[profile] = True
continue
# Lookup modes from profile
allow_mode = set()
allow_audit = set()
deny_mode = set()
deny_audit = set()
fmode, famode, fm = apparmor.aa.rematchfrag(aa[profile][hat], 'allow', path)
if fmode:
allow_mode |= fmode
if famode:
allow_audit |= famode
cm, cam, m = apparmor.aa.rematchfrag(aa[profile][hat], 'deny', path)
if cm:
deny_mode |= cm
if cam:
deny_audit |= cam
imode, iamode, im = apparmor.aa.match_prof_incs_to_path(aa[profile][hat], 'allow', path)
if imode:
allow_mode |= imode
if iamode:
allow_audit |= iamode
cm, cam, m = apparmor.aa.match_prof_incs_to_path(aa[profile][hat], 'deny', path)
if cm:
deny_mode |= cm
if cam:
deny_audit |= cam
if deny_mode & apparmor.aamode.AA_MAY_EXEC:
deny_mode |= apparmor.aamode.ALL_AA_EXEC_TYPE
# Mask off the denied modes
mode = mode - deny_mode
# If we get an exec request from some kindof event that generates 'PERMITTING X'
# check if its already in allow_mode
# if not add ix permission
if mode & apparmor.aamode.AA_MAY_EXEC:
# Remove all type access permission
mode = mode - apparmor.aamode.ALL_AA_EXEC_TYPE
if not allow_mode & apparmor.aamode.AA_MAY_EXEC:
mode |= apparmor.aa.str_to_mode('ix')
if not mode:
continue
matches = []
if fmode:
matches += fm
if imode:
matches += im
if not apparmor.aa.mode_contains(allow_mode, mode):
default_option = 1
options = []
newincludes = []
include_valid = False
for incname in apparmor.aa.include.keys():
include_valid = False
# If already present skip
if aa[profile][hat][incname]:
continue
if incname.startswith(apparmor.aa.profile_dir):
incname = incname.replace(apparmor.aa.profile_dir+'/', '', 1)
include_valid = apparmor.aa.valid_include('', incname)
if not include_valid:
continue
cm, am, m = apparmor.aa.match_include_to_path(incname, 'allow', path)
if cm and apparmor.aa.mode_contains(cm, mode):
dm = apparmor.aa.match_include_to_path(incname, 'deny', path)[0]
# If the mode is denied
if not mode & dm:
if not list(filter(lambda s: '/**' == s, m)):
newincludes.append(incname)
# Add new includes to the options
if newincludes:
options += list(map(lambda s: '#include <%s>' % s, sorted(set(newincludes))))
# We should have literal the path in options list too
options.append(path)
# Add any the globs matching path from logprof
globs = apparmor.aa.glob_common(path)
if globs:
matches += globs
# Add any user entered matching globs
for user_glob in apparmor.aa.user_globs:
if apparmor.aa.matchliteral(user_glob, path):
matches.append(user_glob)
matches = list(set(matches))
if path in matches:
matches.remove(path)
options += apparmor.aa.order_globs(matches, path)
default_option = len(options)
sev_db.unload_variables()
sev_db.load_variables(apparmor.aa.get_profile_filename(profile))
severity = sev_db.rank(path, apparmor.aa.mode_to_str(mode))
sev_db.unload_variables()
audit_toggle = 0
owner_toggle = 0
if apparmor.aa.cfg['settings']['default_owner_prompt']:
owner_toggle = apparmor.aa.cfg['settings']['default_owner_prompt']
done = False
while not done:
q = aaui.PromptQuestion()
q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat),
_('Path'), path]
if allow_mode:
mode |= allow_mode
tail = ''
s = ''
prompt_mode = None
if owner_toggle == 0:
prompt_mode = apparmor.aa.flatten_mode(mode)
tail = ' ' + _('(owner permissions off)')
elif owner_toggle == 1:
prompt_mode = mode
elif owner_toggle == 2:
prompt_mode = allow_mode | apparmor.aa.owner_flatten_mode(mode - allow_mode)
tail = ' ' + _('(force new perms to owner)')
else:
prompt_mode = apparmor.aa.owner_flatten_mode(mode)
tail = ' ' + _('(force all rule perms to owner)')
if audit_toggle == 1:
s = apparmor.aa.mode_to_str_user(allow_mode)
if allow_mode:
s += ', '
s += 'audit ' + apparmor.aa.mode_to_str_user(prompt_mode - allow_mode) + tail
elif audit_toggle == 2:
s = 'audit ' + apparmor.aa.mode_to_str_user(prompt_mode) + tail
else:
s = apparmor.aa.mode_to_str_user(prompt_mode) + tail
q.headers += [_('Old Mode'), apparmor.aa.mode_to_str_user(allow_mode),
_('New Mode'), s]
else:
s = ''
tail = ''
prompt_mode = None
if audit_toggle:
s = 'audit'
if owner_toggle == 0:
prompt_mode = apparmor.aa.flatten_mode(mode)
tail = ' ' + _('(owner permissions off)')
elif owner_toggle == 1:
prompt_mode = mode
else:
prompt_mode = apparmor.aa.owner_flatten_mode(mode)
tail = ' ' + _('(force perms to owner)')
s = apparmor.aa.mode_to_str_user(prompt_mode)
q.headers += [_('Mode'), s]
q.headers += [_('Severity'), severity]
q.options = options
q.selected = default_option - 1
q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB',
'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT',
'CMD_FINISHED', 'CMD_OTHER']
q.default = 'CMD_ALLOW'
ans, selected = q.promptUser()
if ans == 'CMD_IGNORE_ENTRY':
done = True
break
elif ans == 'CMD_FINISHED':
return
if ans == 'CMD_OTHER':
aaui.UI_Important("Sorry, not implemented yet!")
# audit_toggle, owner_toggle = aaui.UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode)
# crashes with
# audit_toggle, owner_toggle = aaui.UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode)
# AttributeError: 'module' object has no attribute 'UI_ask_mode_toggles'
elif ans == 'CMD_USER_TOGGLE':
owner_toggle += 1
if not allow_mode and owner_toggle == 2:
owner_toggle += 1
if owner_toggle > 3:
owner_toggle = 0
elif ans == 'CMD_ALLOW':
path = options[selected]
done = True
match = re_match_include(path)
if match:
inc = match
deleted = apparmor.aa.delete_duplicates(aa[profile][hat], inc)
aa[profile][hat]['include'][inc] = True
changed[profile] = True
aaui.UI_Info(_('Adding %s to profile.') % path)
if deleted:
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
else:
if aa[profile][hat]['allow']['path'][path].get('mode', False):
mode |= aa[profile][hat]['allow']['path'][path]['mode']
deleted = []
for entry in aa[profile][hat]['allow']['path'].keys():
if path == entry:
continue
if apparmor.aa.matchregexp(path, entry):
if apparmor.aa.mode_contains(mode, aa[profile][hat]['allow']['path'][entry]['mode']):
deleted.append(entry)
for entry in deleted:
aa[profile][hat]['allow']['path'].pop(entry)
deleted = len(deleted)
if owner_toggle == 0:
mode = apparmor.aa.flatten_mode(mode)
#elif owner_toggle == 1:
# mode = mode
elif owner_toggle == 2:
mode = allow_mode | apparmor.aa.owner_flatten_mode(mode - allow_mode)
elif owner_toggle == 3:
mode = apparmor.aa.owner_flatten_mode(mode)
if not aa[profile][hat]['allow'].get(path, False):
aa[profile][hat]['allow']['path'][path]['mode'] = aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode
tmpmode = set()
if audit_toggle == 1:
tmpmode = mode - allow_mode
elif audit_toggle == 2:
tmpmode = mode
aa[profile][hat]['allow']['path'][path]['audit'] = aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode
changed[profile] = True
aaui.UI_Info(_('Adding %(path)s %(mode)s to profile') % { 'path': path, 'mode': apparmor.aa.mode_to_str_user(mode) })
if deleted:
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
elif ans == 'CMD_DENY':
path = options[selected].strip()
# Add new entry?
aa[profile][hat]['deny']['path'][path]['mode'] = aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode)
aa[profile][hat]['deny']['path'][path]['audit'] = aa[profile][hat]['deny']['path'][path].get('audit', set())
changed[profile] = True
done = True
elif ans == 'CMD_NEW':
arg = options[selected]
if not re_match_include(arg):
ans = aaui.UI_GetString(_('Enter new path: '), arg)
# if ans:
# if not matchliteral(ans, path):
# ynprompt = _('The specified path does not match this log entry:\n\n Log Entry: %s\n Entered Path: %s\nDo you really want to use this path?') % (path,ans)
# key = aaui.UI_YesNo(ynprompt, 'n')
# if key == 'n':
# continue
apparmor.aa.user_globs.append(ans)
options.append(ans)
default_option = len(options)
elif ans == 'CMD_GLOB':
newpath = options[selected].strip()
if not re_match_include(newpath):
newpath = apparmor.aa.glob_path(newpath)
if newpath not in options:
options.append(newpath)
default_option = len(options)
else:
default_option = options.index(newpath) + 1
elif ans == 'CMD_GLOBEXT':
newpath = options[selected].strip()
if not re_match_include(newpath):
newpath = apparmor.aa.glob_path_withext(newpath)
if newpath not in options:
options.append(newpath)
default_option = len(options)
else:
default_option = options.index(newpath) + 1
elif re.search('\d', ans):
default_option = ans
# check for and ask about conflicting exec modes
self.ask_conflict_mode(profile, hat, aa[profile][hat], other.aa[profile][hat])

302
utils/apparmor/aa.py
View File

@ -38,9 +38,7 @@ from apparmor.common import (AppArmorException, AppArmorBug, open_file_read, val
import apparmor.ui as aaui
from apparmor.aamode import (str_to_mode, mode_to_str,
mode_to_str_user, mode_contains, split_mode,
flatten_mode, owner_flatten_mode)
from apparmor.aamode import str_to_mode, mode_contains, split_mode
from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
RE_PROFILE_ALIAS,
@ -1694,304 +1692,6 @@ def set_options_audit_mode(rule_obj, options):
return new_options
def ask_the_questions_OLD_FILE_CODE(): # XXX unused
global seen_events
# Process all the path entries.
for path in sorted(log_dict[aamode][profile][hat]['allow']['path'].keys()):
mode = log_dict[aamode][profile][hat]['allow']['path'][path]
# Lookup modes from profile
allow_mode = set()
allow_audit = set()
deny_mode = set()
deny_audit = set()
fmode, famode, fm = rematchfrag(aa[profile][hat], 'allow', path)
if fmode:
allow_mode |= fmode
if famode:
allow_audit |= famode
cm, cam, m = rematchfrag(aa[profile][hat], 'deny', path)
if cm:
deny_mode |= cm
if cam:
deny_audit |= cam
imode, iamode, im = match_prof_incs_to_path(aa[profile][hat], 'allow', path)
if imode:
allow_mode |= imode
if iamode:
allow_audit |= iamode
cm, cam, m = match_prof_incs_to_path(aa[profile][hat], 'deny', path)
if cm:
deny_mode |= cm
if cam:
deny_audit |= cam
if deny_mode & apparmor.aamode.AA_MAY_EXEC:
deny_mode |= apparmor.aamode.ALL_AA_EXEC_TYPE
# Mask off the denied modes
mode = mode - deny_mode
# If we get an exec request from some kindof event that generates 'PERMITTING X'
# check if its already in allow_mode
# if not add ix permission
if mode & apparmor.aamode.AA_MAY_EXEC:
# Remove all type access permission
mode = mode - apparmor.aamode.ALL_AA_EXEC_TYPE
if not allow_mode & apparmor.aamode.AA_MAY_EXEC:
mode |= str_to_mode('ix')
if not mode:
continue
matches = []
if fmode:
matches += fm
if imode:
matches += im
if not mode_contains(allow_mode, mode):
default_option = 1
options = []
newincludes = []
include_valid = False
for incname in include.keys():
include_valid = False
# If already present skip
if aa[profile][hat]['include'].get(incname, False):
continue
if incname.startswith(profile_dir):
incname = incname.replace(profile_dir + '/', '', 1)
include_valid = valid_include('', incname)
if not include_valid:
continue
cm, am, m = match_include_to_path(incname, 'allow', path)
if cm and mode_contains(cm, mode):
dm = match_include_to_path(incname, 'deny', path)[0]
# If the mode is denied
if not mode & dm:
if not list(filter(lambda s: '/**' == s, m)):
newincludes.append(incname)
# Add new includes to the options
if newincludes:
options += list(map(lambda s: '#include <%s>' % s, sorted(set(newincludes))))
# We should have literal the path in options list too
options.append(path)
# Add any the globs matching path from logprof
globs = glob_common(path)
if globs:
matches += globs
# Add any user entered matching globs
for user_glob in user_globs:
if matchliteral(user_glob, path):
matches.append(user_glob)
matches = list(set(matches))
if path in matches:
matches.remove(path)
options += order_globs(matches, path)
default_option = len(options)
sev_db.unload_variables()
sev_db.load_variables(get_profile_filename(profile))
severity = sev_db.rank(path, mode_to_str(mode))
sev_db.unload_variables()
audit_toggle = 0
owner_toggle = 0
if cfg['settings']['default_owner_prompt']:
owner_toggle = cfg['settings']['default_owner_prompt']
done = False
while not done:
q = aaui.PromptQuestion()
q.headers = [_('Profile'), combine_name(profile, hat),
_('Path'), path]
if allow_mode:
mode |= allow_mode
tail = ''
s = ''
prompt_mode = None
if owner_toggle == 0:
prompt_mode = flatten_mode(mode)
tail = ' ' + _('(owner permissions off)')
elif owner_toggle == 1:
prompt_mode = mode
elif owner_toggle == 2:
prompt_mode = allow_mode | owner_flatten_mode(mode - allow_mode)
tail = ' ' + _('(force new perms to owner)')
else:
prompt_mode = owner_flatten_mode(mode)
tail = ' ' + _('(force all rule perms to owner)')
if audit_toggle == 1:
s = mode_to_str_user(allow_mode)
if allow_mode:
s += ', '
s += 'audit ' + mode_to_str_user(prompt_mode - allow_mode) + tail
elif audit_toggle == 2:
s = 'audit ' + mode_to_str_user(prompt_mode) + tail
else:
s = mode_to_str_user(prompt_mode) + tail
q.headers += [_('Old Mode'), mode_to_str_user(allow_mode),
_('New Mode'), s]
else:
s = ''
tail = ''
prompt_mode = None
if audit_toggle:
s = 'audit'
if owner_toggle == 0:
prompt_mode = flatten_mode(mode)
tail = ' ' + _('(owner permissions off)')
elif owner_toggle == 1:
prompt_mode = mode
else:
prompt_mode = owner_flatten_mode(mode)
tail = ' ' + _('(force perms to owner)')
s = mode_to_str_user(prompt_mode)
q.headers += [_('Mode'), s]
q.headers += [_('Severity'), severity]
q.options = options
q.selected = default_option - 1
q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB',
'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT',
'CMD_FINISHED', 'CMD_OTHER']
q.default = 'CMD_DENY'
if aamode == 'PERMITTING':
q.default = 'CMD_ALLOW'
seen_events += 1
ans, selected = q.promptUser()
if ans == 'CMD_FINISHED':
save_profiles()
return
if ans == 'CMD_IGNORE_ENTRY':
done = True
break
if ans == 'CMD_OTHER':
audit_toggle, owner_toggle = UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode)
elif ans == 'CMD_USER_TOGGLE':
owner_toggle += 1
if not allow_mode and owner_toggle == 2:
owner_toggle += 1
if owner_toggle > 3:
owner_toggle = 0
elif ans == 'CMD_ALLOW':
path = options[selected]
done = True
match = re_match_include(path) # .search('^#include\s+<(.+)>$', path)
if match:
inc = match # .groups()[0]
deleted = 0
deleted = delete_duplicates(aa[profile][hat], inc)
aa[profile][hat]['include'][inc] = True
changed[profile] = True
aaui.UI_Info(_('Adding %s to profile.') % path)
if deleted:
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
else:
if path in aa[profile][hat]['allow']['path']:
if aa[profile][hat]['allow']['path'][path].get('mode', False):
mode |= aa[profile][hat]['allow']['path'][path]['mode']
deleted = []
for entry in aa[profile][hat]['allow']['path'].keys():
if path == entry:
continue
if matchregexp(path, entry):
if mode_contains(mode, aa[profile][hat]['allow']['path'][entry]['mode']):
deleted.append(entry)
for entry in deleted:
aa[profile][hat]['allow']['path'].pop(entry)
deleted = len(deleted)
if owner_toggle == 0:
mode = flatten_mode(mode)
#elif owner_toggle == 1:
# mode = mode
elif owner_toggle == 2:
mode = allow_mode | owner_flatten_mode(mode - allow_mode)
elif owner_toggle == 3:
mode = owner_flatten_mode(mode)
aa[profile][hat]['allow']['path'][path]['mode'] = aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode
tmpmode = set()
if audit_toggle == 1:
tmpmode = mode - allow_mode
elif audit_toggle == 2:
tmpmode = mode
aa[profile][hat]['allow']['path'][path]['audit'] = aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode
changed[profile] = True
aaui.UI_Info(_('Adding %(path)s %(mode)s to profile') % { 'path': path, 'mode': mode_to_str_user(mode) })
if deleted:
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
elif ans == 'CMD_DENY':
path = options[selected].strip()
# Add new entry?
aa[profile][hat]['deny']['path'][path]['mode'] = aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode)
aa[profile][hat]['deny']['path'][path]['audit'] = aa[profile][hat]['deny']['path'][path].get('audit', set())
changed[profile] = True
done = True
elif ans == 'CMD_NEW':
arg = options[selected]
if not re_match_include(arg):
ans = aaui.UI_GetString(_('Enter new path: '), arg)
if ans:
if not matchliteral(ans, path):
ynprompt = _('The specified path does not match this log entry:\n\n Log Entry: %(path)s\n Entered Path: %(ans)s\nDo you really want to use this path?') % { 'path': path, 'ans': ans }
key = aaui.UI_YesNo(ynprompt, 'n')
if key == 'n':
continue
user_globs.append(ans)
options, default_option = add_to_options(options, ans)
elif ans == 'CMD_GLOB':
newpath = options[selected].strip()
if not re_match_include(newpath):
newpath = glob_path(newpath)
options, default_option = add_to_options(options, newpath)
elif ans == 'CMD_GLOBEXT':
newpath = options[selected].strip()
if not re_match_include(newpath):
newpath = glob_path_withext(newpath)
options, default_option = add_to_options(options, newpath)
elif re.search('\d', ans):
default_option = ans
def available_buttons(rule_obj):
buttons = []