From 95f47ba9ff8a67758376337ec00e68dd22d85efc Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 1 Oct 2016 20:14:44 +0200
Subject: [PATCH] [35/38] Drop old path code from aa.py and aa-mergeprof

Acked-by: Steve Beattie
---
 utils/aa-mergeprof | 317 -------------------------------------------
 utils/apparmor/aa.py | 302 +----------------------------------------
 2 files changed, 1 insertion(+), 618 deletions(-)

diff --git a/utils/aa-mergeprof b/utils/aa-mergeprof
index 60d464f5b..6953f86a9 100755
--- a/utils/aa-mergeprof
+++ b/utils/aa-mergeprof
@@ -14,7 +14,6 @@
 #
 # ----------------------------------------------------------------------
 import argparse
-import re
 import os
 import apparmor.aa
@@ -322,322 +321,6 @@ class Merge(object): elif ans == 'CMD_FINISHED': return - # Process all the path entries. - for allow in ['allow', 'deny']: - if False: # XXX - #for path in sorted(other.aa[profile][hat][allow]['path'].keys()): - path = None # XXX needed to keep 'make check' happy - #print(path, other.aa[profile][hat][allow]['path'][path]) - mode = other.aa[profile][hat][allow]['path'][path]['mode'] - - if aa[profile][hat][allow]['path'].get(path, False): - mode = self.conflict_mode(profile, hat, allow, path, 'mode', other.aa[profile][hat][allow]['path'][path]['mode'], aa[profile][hat][allow]['path'][path]['mode']) - self.conflict_mode(profile, hat, allow, path, 'audit', other.aa[profile][hat][allow]['path'][path]['audit'], aa[profile][hat][allow]['path'][path]['audit']) - changed[profile] = True - continue - # Lookup modes from profile - allow_mode = set() - allow_audit = set() - deny_mode = set() - deny_audit = set() - - fmode, famode, fm = apparmor.aa.rematchfrag(aa[profile][hat], 'allow', path) - if fmode: - allow_mode |= fmode - if famode: - allow_audit |= famode - - cm, cam, m = apparmor.aa.rematchfrag(aa[profile][hat], 'deny', path) - if cm: - deny_mode |= cm - if cam: - deny_audit |= cam - - imode, iamode, im = apparmor.aa.match_prof_incs_to_path(aa[profile][hat], 'allow', path) - if imode: - allow_mode |= imode - if iamode: - allow_audit |= iamode - - cm, cam, m = apparmor.aa.match_prof_incs_to_path(aa[profile][hat], 'deny', path) - if cm: - deny_mode |= cm - if cam: - deny_audit |= cam - - if deny_mode & apparmor.aamode.AA_MAY_EXEC: - deny_mode |= apparmor.aamode.ALL_AA_EXEC_TYPE - - # Mask off the denied modes - mode = mode - deny_mode - - # If we get an exec request from some kindof event that generates 'PERMITTING X' - # check if its already in allow_mode - # if not add ix permission - if mode & apparmor.aamode.AA_MAY_EXEC: - # Remove all type access permission - mode = mode - apparmor.aamode.ALL_AA_EXEC_TYPE - if not allow_mode & 
apparmor.aamode.AA_MAY_EXEC: - mode |= apparmor.aa.str_to_mode('ix') - - if not mode: - continue - - matches = [] - - if fmode: - matches += fm - - if imode: - matches += im - - if not apparmor.aa.mode_contains(allow_mode, mode): - default_option = 1 - options = [] - newincludes = [] - include_valid = False - - for incname in apparmor.aa.include.keys(): - include_valid = False - # If already present skip - if aa[profile][hat][incname]: - continue - if incname.startswith(apparmor.aa.profile_dir): - incname = incname.replace(apparmor.aa.profile_dir+'/', '', 1) - - include_valid = apparmor.aa.valid_include('', incname) - - if not include_valid: - continue - - cm, am, m = apparmor.aa.match_include_to_path(incname, 'allow', path) - - if cm and apparmor.aa.mode_contains(cm, mode): - dm = apparmor.aa.match_include_to_path(incname, 'deny', path)[0] - # If the mode is denied - if not mode & dm: - if not list(filter(lambda s: '/**' == s, m)): - newincludes.append(incname) - # Add new includes to the options - if newincludes: - options += list(map(lambda s: '#include <%s>' % s, sorted(set(newincludes)))) - # We should have literal the path in options list too - options.append(path) - # Add any the globs matching path from logprof - globs = apparmor.aa.glob_common(path) - if globs: - matches += globs - # Add any user entered matching globs - for user_glob in apparmor.aa.user_globs: - if apparmor.aa.matchliteral(user_glob, path): - matches.append(user_glob) - - matches = list(set(matches)) - if path in matches: - matches.remove(path) - - options += apparmor.aa.order_globs(matches, path) - default_option = len(options) - - sev_db.unload_variables() - sev_db.load_variables(apparmor.aa.get_profile_filename(profile)) - severity = sev_db.rank(path, apparmor.aa.mode_to_str(mode)) - sev_db.unload_variables() - - audit_toggle = 0 - owner_toggle = 0 - if apparmor.aa.cfg['settings']['default_owner_prompt']: - owner_toggle = apparmor.aa.cfg['settings']['default_owner_prompt'] - done = 
False - while not done: - q = aaui.PromptQuestion() - q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat), - _('Path'), path] - - if allow_mode: - mode |= allow_mode - tail = '' - s = '' - prompt_mode = None - if owner_toggle == 0: - prompt_mode = apparmor.aa.flatten_mode(mode) - tail = ' ' + _('(owner permissions off)') - elif owner_toggle == 1: - prompt_mode = mode - elif owner_toggle == 2: - prompt_mode = allow_mode | apparmor.aa.owner_flatten_mode(mode - allow_mode) - tail = ' ' + _('(force new perms to owner)') - else: - prompt_mode = apparmor.aa.owner_flatten_mode(mode) - tail = ' ' + _('(force all rule perms to owner)') - - if audit_toggle == 1: - s = apparmor.aa.mode_to_str_user(allow_mode) - if allow_mode: - s += ', ' - s += 'audit ' + apparmor.aa.mode_to_str_user(prompt_mode - allow_mode) + tail - elif audit_toggle == 2: - s = 'audit ' + apparmor.aa.mode_to_str_user(prompt_mode) + tail - else: - s = apparmor.aa.mode_to_str_user(prompt_mode) + tail - - q.headers += [_('Old Mode'), apparmor.aa.mode_to_str_user(allow_mode), - _('New Mode'), s] - - else: - s = '' - tail = '' - prompt_mode = None - if audit_toggle: - s = 'audit' - if owner_toggle == 0: - prompt_mode = apparmor.aa.flatten_mode(mode) - tail = ' ' + _('(owner permissions off)') - elif owner_toggle == 1: - prompt_mode = mode - else: - prompt_mode = apparmor.aa.owner_flatten_mode(mode) - tail = ' ' + _('(force perms to owner)') - - s = apparmor.aa.mode_to_str_user(prompt_mode) - q.headers += [_('Mode'), s] - - q.headers += [_('Severity'), severity] - q.options = options - q.selected = default_option - 1 - q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', - 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT', - 'CMD_FINISHED', 'CMD_OTHER'] - - q.default = 'CMD_ALLOW' - - - ans, selected = q.promptUser() - - if ans == 'CMD_IGNORE_ENTRY': - done = True - break - - elif ans == 'CMD_FINISHED': - return - - if ans == 'CMD_OTHER': - aaui.UI_Important("Sorry, not implemented yet!") - 
# audit_toggle, owner_toggle = aaui.UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode) -# crashes with -# audit_toggle, owner_toggle = aaui.UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode) -# AttributeError: 'module' object has no attribute 'UI_ask_mode_toggles' - elif ans == 'CMD_USER_TOGGLE': - owner_toggle += 1 - if not allow_mode and owner_toggle == 2: - owner_toggle += 1 - if owner_toggle > 3: - owner_toggle = 0 - elif ans == 'CMD_ALLOW': - path = options[selected] - done = True - match = re_match_include(path) - if match: - inc = match - deleted = apparmor.aa.delete_duplicates(aa[profile][hat], inc) - aa[profile][hat]['include'][inc] = True - changed[profile] = True - aaui.UI_Info(_('Adding %s to profile.') % path) - if deleted: - aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) - - else: - if aa[profile][hat]['allow']['path'][path].get('mode', False): - mode |= aa[profile][hat]['allow']['path'][path]['mode'] - deleted = [] - for entry in aa[profile][hat]['allow']['path'].keys(): - if path == entry: - continue - - if apparmor.aa.matchregexp(path, entry): - if apparmor.aa.mode_contains(mode, aa[profile][hat]['allow']['path'][entry]['mode']): - deleted.append(entry) - for entry in deleted: - aa[profile][hat]['allow']['path'].pop(entry) - deleted = len(deleted) - - if owner_toggle == 0: - mode = apparmor.aa.flatten_mode(mode) - #elif owner_toggle == 1: - # mode = mode - elif owner_toggle == 2: - mode = allow_mode | apparmor.aa.owner_flatten_mode(mode - allow_mode) - elif owner_toggle == 3: - mode = apparmor.aa.owner_flatten_mode(mode) - - if not aa[profile][hat]['allow'].get(path, False): - aa[profile][hat]['allow']['path'][path]['mode'] = aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode - - - tmpmode = set() - if audit_toggle == 1: - tmpmode = mode - allow_mode - elif audit_toggle == 2: - tmpmode = mode - - aa[profile][hat]['allow']['path'][path]['audit'] = 
aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode - - changed[profile] = True - - aaui.UI_Info(_('Adding %(path)s %(mode)s to profile') % { 'path': path, 'mode': apparmor.aa.mode_to_str_user(mode) }) - if deleted: - aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) - - elif ans == 'CMD_DENY': - path = options[selected].strip() - # Add new entry? - aa[profile][hat]['deny']['path'][path]['mode'] = aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode) - - aa[profile][hat]['deny']['path'][path]['audit'] = aa[profile][hat]['deny']['path'][path].get('audit', set()) - - changed[profile] = True - - done = True - - elif ans == 'CMD_NEW': - arg = options[selected] - if not re_match_include(arg): - ans = aaui.UI_GetString(_('Enter new path: '), arg) -# if ans: -# if not matchliteral(ans, path): -# ynprompt = _('The specified path does not match this log entry:\n\n Log Entry: %s\n Entered Path: %s\nDo you really want to use this path?') % (path,ans) -# key = aaui.UI_YesNo(ynprompt, 'n') -# if key == 'n': -# continue - apparmor.aa.user_globs.append(ans) - options.append(ans) - default_option = len(options) - - elif ans == 'CMD_GLOB': - newpath = options[selected].strip() - if not re_match_include(newpath): - newpath = apparmor.aa.glob_path(newpath) - - if newpath not in options: - options.append(newpath) - default_option = len(options) - else: - default_option = options.index(newpath) + 1 - - elif ans == 'CMD_GLOBEXT': - newpath = options[selected].strip() - if not re_match_include(newpath): - newpath = apparmor.aa.glob_path_withext(newpath) - - if newpath not in options: - options.append(newpath) - default_option = len(options) - else: - default_option = options.index(newpath) + 1 - - elif re.search('\d', ans): - default_option = ans - # check for and ask about conflicting exec modes self.ask_conflict_mode(profile, hat, aa[profile][hat], other.aa[profile][hat]) 
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 644bb0039..cf3443869 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -38,9 +38,7 @@ from apparmor.common import (AppArmorException, AppArmorBug, open_file_read, val
 import apparmor.ui as aaui
-from apparmor.aamode import (str_to_mode, mode_to_str,
- mode_to_str_user, mode_contains, split_mode,
- flatten_mode, owner_flatten_mode)
+from apparmor.aamode import str_to_mode, mode_contains, split_mode
 from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK, RE_PROFILE_ALIAS,
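Review bot: Any remaining use of `mode_to_str`, `mode_to_str_user`, `flatten_mode` or `owner_flatten_mode` in aa.py would now surface only as a NameError on the code path that reaches it, because the `+from apparmor.aamode import str_to_mode, mode_contains, split_mode` line drops those names from the module namespace with no import-time check. The deleted `ask_the_questions_OLD_FILE_CODE` in the following hunk was one consumer of all four, but this hunk alone does not show it was the last one in the module. Before merging, worth confirming with pyflakes (the `make check` mentioned in the removed aa-mergeprof block presumably runs it) or a quick `grep -n 'flatten_mode\|mode_to_str' utils/apparmor/aa.py`. The same check applies to the `-import re` removal in aa-mergeprof, where the deleted block's `re.search('\d', ans)` was at least one user of the module.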
@@ -1694,304 +1692,6 @@ def set_options_audit_mode(rule_obj, options): return new_options - -def ask_the_questions_OLD_FILE_CODE(): # XXX unused - global seen_events - # Process all the path entries. - for path in sorted(log_dict[aamode][profile][hat]['allow']['path'].keys()): - mode = log_dict[aamode][profile][hat]['allow']['path'][path] - # Lookup modes from profile - allow_mode = set() - allow_audit = set() - deny_mode = set() - deny_audit = set() - - fmode, famode, fm = rematchfrag(aa[profile][hat], 'allow', path) - if fmode: - allow_mode |= fmode - if famode: - allow_audit |= famode - - cm, cam, m = rematchfrag(aa[profile][hat], 'deny', path) - if cm: - deny_mode |= cm - if cam: - deny_audit |= cam - - imode, iamode, im = match_prof_incs_to_path(aa[profile][hat], 'allow', path) - if imode: - allow_mode |= imode - if iamode: - allow_audit |= iamode - - cm, cam, m = match_prof_incs_to_path(aa[profile][hat], 'deny', path) - if cm: - deny_mode |= cm - if cam: - deny_audit |= cam - - if deny_mode & apparmor.aamode.AA_MAY_EXEC: - deny_mode |= apparmor.aamode.ALL_AA_EXEC_TYPE - - # Mask off the denied modes - mode = mode - deny_mode - - # If we get an exec request from some kindof event that generates 'PERMITTING X' - # check if its already in allow_mode - # if not add ix permission - if mode & apparmor.aamode.AA_MAY_EXEC: - # Remove all type access permission - mode = mode - apparmor.aamode.ALL_AA_EXEC_TYPE - if not allow_mode & apparmor.aamode.AA_MAY_EXEC: - mode |= str_to_mode('ix') - - if not mode: - continue - - matches = [] - - if fmode: - matches += fm - - if imode: - matches += im - - if not mode_contains(allow_mode, mode): - default_option = 1 - options = [] - newincludes = [] - include_valid = False - - for incname in include.keys(): - include_valid = False - # If already present skip - if aa[profile][hat]['include'].get(incname, False): - continue - if incname.startswith(profile_dir): - incname = incname.replace(profile_dir + '/', '', 1) - - include_valid 
= valid_include('', incname) - - if not include_valid: - continue - - cm, am, m = match_include_to_path(incname, 'allow', path) - - if cm and mode_contains(cm, mode): - dm = match_include_to_path(incname, 'deny', path)[0] - # If the mode is denied - if not mode & dm: - if not list(filter(lambda s: '/**' == s, m)): - newincludes.append(incname) - # Add new includes to the options - if newincludes: - options += list(map(lambda s: '#include <%s>' % s, sorted(set(newincludes)))) - # We should have literal the path in options list too - options.append(path) - # Add any the globs matching path from logprof - globs = glob_common(path) - if globs: - matches += globs - # Add any user entered matching globs - for user_glob in user_globs: - if matchliteral(user_glob, path): - matches.append(user_glob) - - matches = list(set(matches)) - if path in matches: - matches.remove(path) - - options += order_globs(matches, path) - default_option = len(options) - - sev_db.unload_variables() - sev_db.load_variables(get_profile_filename(profile)) - severity = sev_db.rank(path, mode_to_str(mode)) - sev_db.unload_variables() - - audit_toggle = 0 - owner_toggle = 0 - if cfg['settings']['default_owner_prompt']: - owner_toggle = cfg['settings']['default_owner_prompt'] - done = False - while not done: - q = aaui.PromptQuestion() - q.headers = [_('Profile'), combine_name(profile, hat), - _('Path'), path] - - if allow_mode: - mode |= allow_mode - tail = '' - s = '' - prompt_mode = None - if owner_toggle == 0: - prompt_mode = flatten_mode(mode) - tail = ' ' + _('(owner permissions off)') - elif owner_toggle == 1: - prompt_mode = mode - elif owner_toggle == 2: - prompt_mode = allow_mode | owner_flatten_mode(mode - allow_mode) - tail = ' ' + _('(force new perms to owner)') - else: - prompt_mode = owner_flatten_mode(mode) - tail = ' ' + _('(force all rule perms to owner)') - - if audit_toggle == 1: - s = mode_to_str_user(allow_mode) - if allow_mode: - s += ', ' - s += 'audit ' + 
mode_to_str_user(prompt_mode - allow_mode) + tail - elif audit_toggle == 2: - s = 'audit ' + mode_to_str_user(prompt_mode) + tail - else: - s = mode_to_str_user(prompt_mode) + tail - - q.headers += [_('Old Mode'), mode_to_str_user(allow_mode), - _('New Mode'), s] - - else: - s = '' - tail = '' - prompt_mode = None - if audit_toggle: - s = 'audit' - if owner_toggle == 0: - prompt_mode = flatten_mode(mode) - tail = ' ' + _('(owner permissions off)') - elif owner_toggle == 1: - prompt_mode = mode - else: - prompt_mode = owner_flatten_mode(mode) - tail = ' ' + _('(force perms to owner)') - - s = mode_to_str_user(prompt_mode) - q.headers += [_('Mode'), s] - - q.headers += [_('Severity'), severity] - q.options = options - q.selected = default_option - 1 - q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', - 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT', - 'CMD_FINISHED', 'CMD_OTHER'] - q.default = 'CMD_DENY' - if aamode == 'PERMITTING': - q.default = 'CMD_ALLOW' - - seen_events += 1 - - ans, selected = q.promptUser() - - if ans == 'CMD_FINISHED': - save_profiles() - return - - if ans == 'CMD_IGNORE_ENTRY': - done = True - break - - if ans == 'CMD_OTHER': - audit_toggle, owner_toggle = UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode) - elif ans == 'CMD_USER_TOGGLE': - owner_toggle += 1 - if not allow_mode and owner_toggle == 2: - owner_toggle += 1 - if owner_toggle > 3: - owner_toggle = 0 - elif ans == 'CMD_ALLOW': - path = options[selected] - done = True - match = re_match_include(path) # .search('^#include\s+<(.+)>$', path) - if match: - inc = match # .groups()[0] - deleted = 0 - deleted = delete_duplicates(aa[profile][hat], inc) - aa[profile][hat]['include'][inc] = True - changed[profile] = True - aaui.UI_Info(_('Adding %s to profile.') % path) - if deleted: - aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) - - else: - if path in aa[profile][hat]['allow']['path']: - if 
aa[profile][hat]['allow']['path'][path].get('mode', False): - mode |= aa[profile][hat]['allow']['path'][path]['mode'] - deleted = [] - for entry in aa[profile][hat]['allow']['path'].keys(): - if path == entry: - continue - - if matchregexp(path, entry): - if mode_contains(mode, aa[profile][hat]['allow']['path'][entry]['mode']): - deleted.append(entry) - for entry in deleted: - aa[profile][hat]['allow']['path'].pop(entry) - deleted = len(deleted) - - if owner_toggle == 0: - mode = flatten_mode(mode) - #elif owner_toggle == 1: - # mode = mode - elif owner_toggle == 2: - mode = allow_mode | owner_flatten_mode(mode - allow_mode) - elif owner_toggle == 3: - mode = owner_flatten_mode(mode) - - aa[profile][hat]['allow']['path'][path]['mode'] = aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode - - tmpmode = set() - if audit_toggle == 1: - tmpmode = mode - allow_mode - elif audit_toggle == 2: - tmpmode = mode - - aa[profile][hat]['allow']['path'][path]['audit'] = aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode - - changed[profile] = True - - aaui.UI_Info(_('Adding %(path)s %(mode)s to profile') % { 'path': path, 'mode': mode_to_str_user(mode) }) - if deleted: - aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) - - elif ans == 'CMD_DENY': - path = options[selected].strip() - # Add new entry? 
- aa[profile][hat]['deny']['path'][path]['mode'] = aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode) - - aa[profile][hat]['deny']['path'][path]['audit'] = aa[profile][hat]['deny']['path'][path].get('audit', set()) - - changed[profile] = True - - done = True - - elif ans == 'CMD_NEW': - arg = options[selected] - if not re_match_include(arg): - ans = aaui.UI_GetString(_('Enter new path: '), arg) - if ans: - if not matchliteral(ans, path): - ynprompt = _('The specified path does not match this log entry:\n\n Log Entry: %(path)s\n Entered Path: %(ans)s\nDo you really want to use this path?') % { 'path': path, 'ans': ans } - key = aaui.UI_YesNo(ynprompt, 'n') - if key == 'n': - continue - - user_globs.append(ans) - options, default_option = add_to_options(options, ans) - - elif ans == 'CMD_GLOB': - newpath = options[selected].strip() - if not re_match_include(newpath): - newpath = glob_path(newpath) - options, default_option = add_to_options(options, newpath) - - elif ans == 'CMD_GLOBEXT': - newpath = options[selected].strip() - if not re_match_include(newpath): - newpath = glob_path_withext(newpath) - options, default_option = add_to_options(options, newpath) - - elif re.search('\d', ans): - default_option = ans - def available_buttons(rule_obj): buttons = []