Use PtraceRule

Change aa.py to use PtraceRule and PtraceRuleset in profile_storage(),
parse_profile_data() and write_ptrace(). This also means we can drop the
now unused parse_ptrace_rule() and write_ptrace_rules() functions.

Raw_Ptrace_Rule in rules.py is now also unused and can be dropped.

Also adjust logparser.py to include the peer in the result, and shorten
the list of known-failing tests in test-parser-simple-tests.py.


Acked-by: John Johansen <john.johansen@canonical.com>

utils/apparmor/aa.py

@@ -47,7 +47,7 @@ from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
                             RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
                             RE_PROFILE_CHANGE_HAT,
                             RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT,
-                            RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT,
+                            RE_PROFILE_PIVOT_ROOT,
                             RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
                             strip_quotes, parse_profile_start_line, re_match_include )
 
@@ -56,6 +56,7 @@ import apparmor.rules as aarules
 from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
 from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
 from apparmor.rule.network    import NetworkRuleset,    NetworkRule
+from apparmor.rule.ptrace     import PtraceRuleset,    PtraceRule
 from apparmor.rule.rlimit     import RlimitRuleset,    RlimitRule
 from apparmor.rule.signal     import SignalRuleset,    SignalRule
 from apparmor.rule import parse_modifiers, quote_if_needed
@@ -465,13 +466,13 @@ def profile_storage(profilename, hat, calledby):
     profile['capability']       = CapabilityRuleset()
     profile['change_profile']   = ChangeProfileRuleset()
     profile['network']          = NetworkRuleset()
+    profile['ptrace']           = PtraceRuleset()
     profile['rlimit']           = RlimitRuleset()
     profile['signal']           = SignalRuleset()
 
     profile['allow']['path'] = hasher()
     profile['allow']['dbus'] = list()
     profile['allow']['mount'] = list()
-    profile['allow']['ptrace'] = list()
     profile['allow']['pivot_root'] = list()
 
     return profile
@@ -2953,27 +2954,11 @@ def parse_profile_data(data, file, do_include):
 
             profile_data[profile][hat]['signal'].add(SignalRule.parse(line))
 
-        elif RE_PROFILE_PTRACE.search(line):
-            matches = RE_PROFILE_PTRACE.search(line).groups()
-
+        elif PtraceRule.match(line):
             if not profile:
                 raise AppArmorException(_('Syntax Error: Unexpected ptrace entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
 
-            audit = False
-            if matches[0]:
-                audit = True
-            allow = 'allow'
-            if matches[1] and matches[1].strip() == 'deny':
-                allow = 'deny'
-            ptrace = matches[2].strip()
-
-            ptrace_rule = parse_ptrace_rule(ptrace)
-            ptrace_rule.audit = audit
-            ptrace_rule.deny = (allow == 'deny')
-
-            ptrace_rules = profile_data[profile][hat][allow].get('ptrace', list())
-            ptrace_rules.append(ptrace_rule)
-            profile_data[profile][hat][allow]['ptrace'] = ptrace_rules
+            profile_data[profile][hat]['ptrace'].add(PtraceRule.parse(line))
 
         elif RE_PROFILE_PIVOT_ROOT.search(line):
             matches = RE_PROFILE_PIVOT_ROOT.search(line).groups()
@@ -3118,10 +3103,6 @@ def parse_mount_rule(line):
     # XXX Do real parsing here
     return aarules.Raw_Mount_Rule(line)
 
-def parse_ptrace_rule(line):
-    # XXX Do real parsing here
-    return aarules.Raw_Ptrace_Rule(line)
-
 def parse_pivot_root_rule(line):
     # XXX Do real parsing here
     return aarules.Raw_Pivot_Root_Rule(line)
@@ -3332,22 +3313,10 @@ def write_signal(prof_data, depth):
         data = prof_data['signal'].get_clean(depth)
     return data
 
-def write_ptrace_rules(prof_data, depth, allow):
-    pre = '  ' * depth
-    data = []
-
-    # no ptrace rules, so return
-    if not prof_data[allow].get('ptrace', False):
-        return data
-
-    for ptrace_rule in prof_data[allow]['ptrace']:
-        data.append('%s%s' % (pre, ptrace_rule.serialize()))
-    data.append('')
-    return data
-
 def write_ptrace(prof_data, depth):
-    data = write_ptrace_rules(prof_data, depth, 'deny')
-    data += write_ptrace_rules(prof_data, depth, 'allow')
+    data = []
+    if prof_data.get('ptrace', False):
+        data = prof_data['ptrace'].get_clean(depth)
     return data
 
 def write_pivot_root_rules(prof_data, depth, allow):

utils/apparmor/logparser.py

@@ -140,6 +140,8 @@ class ReadLog:
         elif ev['operation'] and ev['operation'] == 'signal':
             ev['signal'] = event.signal
             ev['peer'] = event.peer
+        elif ev['operation'] and ev['operation'] == 'ptrace':
+            ev['peer'] = event.peer
 
         LibAppArmor.free_record(event)
 

utils/apparmor/rules.py

@@ -71,9 +71,6 @@ class Raw_DBUS_Rule(_Raw_Rule):
 class Raw_Mount_Rule(_Raw_Rule):
     pass
 
-class Raw_Ptrace_Rule(_Raw_Rule):
-    pass
-
 class Raw_Pivot_Root_Rule(_Raw_Rule):
     pass
 

utils/test/test-parser-simple-tests.py

@@ -125,15 +125,9 @@ exception_not_raised = [
     'profile/flags/flags_bad_debug_3.sd',
     'profile/flags/flags_bad_debug_4.sd',
     'profile/simple_bad_no_close_brace4.sd',
-    'ptrace/bad_01.sd',
-    'ptrace/bad_02.sd',
-    'ptrace/bad_03.sd',
-    'ptrace/bad_04.sd',
-    'ptrace/bad_05.sd',
-    'ptrace/bad_06.sd',
-    'ptrace/bad_07.sd',
-    'ptrace/bad_08.sd',
-    'ptrace/bad_10.sd',
+    'ptrace/bad_05.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword
+    'ptrace/bad_06.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword
+    'ptrace/bad_10.sd',  # peer with invalid regex
     'signal/bad_21.sd',  # invalid regex
     'unix/bad_attr_1.sd',
     'unix/bad_attr_2.sd',