mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

Break lines before binary operators.

Browse Source
This commit is contained in:
Mark Grassi 2022-08-07 17:06:08 -04:00
parent ef2e6c62e7
commit ea3fb60007
14 changed files with 111 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libraries/libapparmor/swig/python/test/test_python.py.in
View File

@ -75,8 +75,8 @@ class AAPythonBindingsTests(unittest.TestCase):
expected = self.parse_output_file(outfile)
self.assertEqual(expected, record,
"expected records did not match\n" +
"expected = %s\nactual = %s" % (expected, record))
"expected records did not match\n"
"expected = %s\nactual = %s" % (expected, record))
def parse_output_file(self, outfile):
"""parse testcase .out file and return dict"""

6
tests/bin/shellcheck-tree
View File

@ -10,10 +10,10 @@ from pathlib import Path
def is_excluded(f):
return (re.match(
# skip test scripts and the rc.apparmor.slackware initscript
r"^([.]git/|parser/tst/|tests/|utils/test/|parser/rc[.]apparmor[.]slackware)" +
"|" +
r"^([.]git/|parser/tst/|tests/|utils/test/|parser/rc[.]apparmor[.]slackware)"
+ "|"
# skip several files generated during libapparmor build
r"^libraries/libapparmor/(compile|config[.]guess|config[.]status|config[.]sub|configure|depcomp|install-sh|libtool|ltmain[.]sh|missing|test-driver|ylwrap|testsuite/test_multi[.]multi)",
+ r"^libraries/libapparmor/(compile|config[.]guess|config[.]status|config[.]sub|configure|depcomp|install-sh|libtool|ltmain[.]sh|missing|test-driver|ylwrap|testsuite/test_multi[.]multi)",
f,
) or Path(f).is_dir())

4
utils/apparmor/aa.py
View File

@ -1922,8 +1922,8 @@ def parse_profile_data(data, file, do_include, in_preamble):
if profile_data.get(profname, False):
raise AppArmorException(
'Profile %(profile)s defined twice in %(file)s, last found in line %(line)s' %
{'file': file, 'line': lineno + 1, 'profile': combine_name(profile, hat)})
'Profile %(profile)s defined twice in %(file)s, last found in line %(line)s'
% {'file': file, 'line': lineno + 1, 'profile': combine_name(profile, hat)})
profile_data[profname] = prof_storage

2
utils/apparmor/common.py
View File

@ -268,7 +268,7 @@ def convert_regexp(regexp):
def user_perm(prof_dir):
if not os.access(prof_dir, os.W_OK):
sys.stdout.write("Cannot write to profile directory.\n" +
sys.stdout.write("Cannot write to profile directory.\n"
"Please run as a user with appropriate permissions.\n")
return False
return True

4
utils/apparmor/logparser.py
View File

@ -285,8 +285,8 @@ class ReadLog:
self.parse_event_for_tree(event)
except AppArmorException as e:
ex_msg = ('%(msg)s\n\nThis error was caused by the log line:\n%(logline)s' %
{'msg': e.value, 'logline': line})
ex_msg = ('%(msg)s\n\nThis error was caused by the log line:\n%(logline)s'
% {'msg': e.value, 'logline': line})
raise AppArmorBug(ex_msg) from None
self.logmark = ''

80
utils/apparmor/regex.py
View File

@ -56,33 +56,33 @@ RE_PROFILE_UNIX = re.compile(RE_AUDIT_DENY + '(unix\s*,|unix\s+[^#]*\s*,)' + RE_
__re_no_or_quoted_hash = '([^#"]|"[^"]*")*'
RE_RULE_HAS_COMMA = re.compile(
'^' + __re_no_or_quoted_hash +
',\s*(#.*)?$') # match comma plus any trailing comment
'^' + __re_no_or_quoted_hash
+ ',\s*(#.*)?$') # match comma plus any trailing comment
RE_HAS_COMMENT_SPLIT = re.compile(
'^(?P<not_comment>' + __re_no_or_quoted_hash + ')' + # store in 'not_comment' group
'(?P<comment>#.*)$') # match trailing comment and store in 'comment' group
'^(?P<not_comment>' + __re_no_or_quoted_hash + ')' # store in 'not_comment' group
+ '(?P<comment>#.*)$') # match trailing comment and store in 'comment' group
RE_PROFILE_START = re.compile(
'^(?P<leadingspace>\s*)' +
'(' +
RE_PROFILE_PATH_OR_VAR % 'plainprofile' + # just a path
'|' + # or
'(' + 'profile' + '\s+' + RE_PROFILE_NAME % 'namedprofile' + '(\s+' + RE_PROFILE_PATH_OR_VAR % 'attachment' + ')?' + ')' + # 'profile', profile name, optionally attachment
')' +
RE_XATTRS +
RE_FLAGS +
'\s*\{' +
RE_EOL)
'^(?P<leadingspace>\s*)'
+ '('
+ RE_PROFILE_PATH_OR_VAR % 'plainprofile' # just a path
+ '|' # or
+ '(' + 'profile' + '\s+' + RE_PROFILE_NAME % 'namedprofile' + '(\s+' + RE_PROFILE_PATH_OR_VAR % 'attachment' + ')?' + ')' # 'profile', profile name, optionally attachment
+ ')'
+ RE_XATTRS
+ RE_FLAGS
+ '\s*\{'
+ RE_EOL)
RE_PROFILE_CHANGE_PROFILE = re.compile(
RE_AUDIT_DENY +
'change_profile' +
'(\s+' + RE_SAFE_OR_UNSAFE + ')?' + # optionally exec mode
'(\s+' + RE_PROFILE_PATH_OR_VAR % 'execcond' + ')?' + # optionally exec condition
'(\s+->\s*' + RE_PROFILE_NAME % 'targetprofile' + ')?' + # optionally '->' target profile
RE_COMMA_EOL)
RE_AUDIT_DENY
+ 'change_profile'
+ '(\s+' + RE_SAFE_OR_UNSAFE + ')?' # optionally exec mode
+ '(\s+' + RE_PROFILE_PATH_OR_VAR % 'execcond' + ')?' # optionally exec condition
+ '(\s+->\s*' + RE_PROFILE_NAME % 'targetprofile' + ')?' # optionally '->' target profile
+ RE_COMMA_EOL)
# RE_PATH_PERMS is as restrictive as possible, but might still cause mismatches when adding different rule types.
@ -90,26 +90,26 @@ RE_PROFILE_CHANGE_PROFILE = re.compile(
RE_PATH_PERMS = '(?P<%s>[mrwalkPUCpucix]+)'
RE_PROFILE_FILE_ENTRY = re.compile(
RE_AUDIT_DENY +
'(?P<owner>owner\s+)?' + # optionally: <owner>
'(' +
'(?P<bare_file>file)' + # bare 'file,'
'|' + # or
'(?P<file_keyword>file\s+)?' + # optional 'file' keyword
'(' +
RE_PROFILE_PATH_OR_VAR % 'path' + '\s+' + RE_PATH_PERMS % 'perms' + # path and perms
'|' + # or
RE_PATH_PERMS % 'perms2' + '\s+' + RE_PROFILE_PATH_OR_VAR % 'path2' + # perms and path
')' +
'(\s+->\s*' + RE_PROFILE_NAME % 'target' + ')?' +
'|' + # or
'(?P<link_keyword>link\s+)' + # 'link' keyword
'(?P<subset_keyword>subset\s+)?' + # optional 'subset' keyword
RE_PROFILE_PATH_OR_VAR % 'link_path' + # path
'\s+' + '->' + '\s+' + # ' -> '
RE_PROFILE_PATH_OR_VAR % 'link_target' + # path
')' +
RE_COMMA_EOL)
RE_AUDIT_DENY
+ '(?P<owner>owner\s+)?' # optionally: <owner>
+ '('
+ '(?P<bare_file>file)' # bare 'file,'
+ '|' # or
+ '(?P<file_keyword>file\s+)?' # optional 'file' keyword
+ '('
+ RE_PROFILE_PATH_OR_VAR % 'path' + '\s+' + RE_PATH_PERMS % 'perms' # path and perms
+ '|' # or
+ RE_PATH_PERMS % 'perms2' + '\s+' + RE_PROFILE_PATH_OR_VAR % 'path2' # perms and path
+ ')'
+ '(\s+->\s*' + RE_PROFILE_NAME % 'target' + ')?'
+ '|' # or
+ '(?P<link_keyword>link\s+)' # 'link' keyword
+ '(?P<subset_keyword>subset\s+)?' # optional 'subset' keyword
+ RE_PROFILE_PATH_OR_VAR % 'link_path' # path
+ '\s+' + '->' + '\s+' # ' -> '
+ RE_PROFILE_PATH_OR_VAR % 'link_target' # path
+ ')'
+ RE_COMMA_EOL)
def parse_profile_start_line(line, filename):

8
utils/apparmor/rule/__init__.py
View File

@ -508,15 +508,15 @@ def check_and_split_list(lst, allowed_keywords, all_obj, classname, keyword_name
result_list = set(lst)
else:
raise AppArmorBug(
'Passed unknown %(type)s object to %(classname)s: %(unknown_object)s' %
{'type': type(lst), 'classname': classname, 'unknown_object': str(lst)})
'Passed unknown %(type)s object to %(classname)s: %(unknown_object)s'
% {'type': type(lst), 'classname': classname, 'unknown_object': str(lst)})
unknown_items = set()
for item in result_list:
if not item.strip():
raise AppArmorBug(
'Passed empty %(keyword_name)s to %(classname)s' %
{'keyword_name': keyword_name, 'classname': classname})
'Passed empty %(keyword_name)s to %(classname)s'
% {'keyword_name': keyword_name, 'classname': classname})
if item not in allowed_keywords:
unknown_items.add(item)

42
utils/apparmor/rule/dbus.py
View File

@ -41,27 +41,27 @@ RE_FLAG = '(?P<%s>(\S+|"[^"]+"|\(\s*\S+\s*\)|\(\s*"[^"]+"\)\s*))' # string with
# XXX this regex will allow repeated parameters, last one wins
# XXX (the parser will reject such rules)
RE_DBUS_DETAILS = re.compile(
'^' +
'(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' + # optional access keyword(s)
'((\s+(bus\s*=\s*' + RE_FLAG % 'bus' + '))?|' + # optional bus= system | session | AARE, (...) optional
'(\s+(path\s*=\s*' + RE_FLAG % 'path' + '))?|' + # optional path=AARE, (...) optional
'(\s+(name\s*=\s*' + RE_FLAG % 'name' + '))?|' + # optional name=AARE, (...) optional
'(\s+(interface\s*=\s*' + RE_FLAG % 'interface' + '))?|' + # optional interface=AARE, (...) optional
'(\s+(member\s*=\s*' + RE_FLAG % 'member' + '))?|' + # optional member=AARE, (...) optional
'(\s+(peer\s*=\s*\((,|\s)*' + # optional peer=(name=AARE and/or label=AARE), (...) required
'(' +
'(' + '(,|\s)*' + ')' + # empty peer=()
'|' # or
'(' + 'name\s*=\s*' + RE_PROFILE_NAME % 'peername1' + ')' + # only peer name (match group peername1)
'|' # or
'(' + 'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel1' + ')' + # only peer label (match group peerlabel1)
'|' # or
'(' + 'name\s*=\s*' + RE_PROFILE_NAME % 'peername2' + '(,|\s)+' + 'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel2' + ')' + # peer name + label (match name peername2/peerlabel2)
'|' # or
'(' + 'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel3' + '(,|\s)+' + 'name\s*=\s*' + RE_PROFILE_NAME % 'peername3' + ')' + # peer label + name (match name peername3/peerlabel3)
')'
'(,|\s)*\)))?){0,6}'
'\s*$')
'^'
+ '(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' # optional access keyword(s)
+ '((\s+(bus\s*=\s*' + RE_FLAG % 'bus' + '))?|' # optional bus= system | session | AARE, (...) optional
+ '(\s+(path\s*=\s*' + RE_FLAG % 'path' + '))?|' # optional path=AARE, (...) optional
+ '(\s+(name\s*=\s*' + RE_FLAG % 'name' + '))?|' # optional name=AARE, (...) optional
+ '(\s+(interface\s*=\s*' + RE_FLAG % 'interface' + '))?|' # optional interface=AARE, (...) optional
+ '(\s+(member\s*=\s*' + RE_FLAG % 'member' + '))?|' # optional member=AARE, (...) optional
+ '(\s+(peer\s*=\s*\((,|\s)*' # optional peer=(name=AARE and/or label=AARE), (...) required
+ '('
+ '(' + '(,|\s)*' + ')' # empty peer=()
+ '|' # or
+ '(' + 'name\s*=\s*' + RE_PROFILE_NAME % 'peername1' + ')' # only peer name (match group peername1)
+ '|' # or
+ '(' 'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel1' + ')' # only peer label (match group peerlabel1)
+ '|' # or
+ '(' + 'name\s*=\s*' + RE_PROFILE_NAME % 'peername2' + '(,|\s)+' + 'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel2' + ')' # peer name + label (match name peername2/peerlabel2)
+ '|' # or
+ '(' + 'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel3' + '(,|\s)+' + 'name\s*=\s*' + RE_PROFILE_NAME % 'peername3' + ')' # peer label + name (match name peername3/peerlabel3)
+ ')'
+ '(,|\s)*\)))?){0,6}'
+ '\s*$')
class DbusRule(BaseRule):

8
utils/apparmor/rule/network.py
View File

@ -39,10 +39,10 @@ RE_NETWORK_TYPE = '(' + '|'.join(network_type_keywords) + ')'
RE_NETWORK_PROTOCOL = '(' + '|'.join(network_protocol_keywords) + ')'
RE_NETWORK_DETAILS = re.compile(
'^\s*' +
'(?P<domain>' + RE_NETWORK_DOMAIN + ')?' + # optional domain
'(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?' + # optional type or protocol
'\s*$')
'^\s*'
+ '(?P<domain>' + RE_NETWORK_DOMAIN + ')?' # optional domain
+ '(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?' # optional type or protocol
+ '\s*$')
class NetworkRule(BaseRule):

15
utils/apparmor/rule/ptrace.py
View File

@ -27,17 +27,16 @@ access_keywords = ['r', 'w', 'rw', 'wr', 'read', 'write', 'readby', 'trace', 'tr
# XXX joint_access_keyword and RE_ACCESS_KEYWORDS exactly as in PtraceRule - move to function!
joint_access_keyword = '\s*(' + '|'.join(access_keywords) + ')\s*'
RE_ACCESS_KEYWORDS = (joint_access_keyword + # one of the access_keyword or
'|' + # or
'\(' + joint_access_keyword + '(' + '(\s|,)+' + joint_access_keyword + ')*' + '\)' # one or more access_keyword in (...)
)
RE_ACCESS_KEYWORDS = (joint_access_keyword # one of the access_keyword or
+ '|' # or
+ '\(' + joint_access_keyword + '(' + '(\s|,)+' + joint_access_keyword + ')*' + '\)') # one or more access_keyword in (...)
RE_PTRACE_DETAILS = re.compile(
'^' +
'(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' + # optional access keyword(s)
'(\s+(peer=' + RE_PROFILE_NAME % 'peer' + '))?' + # optional peer
'\s*$')
'^'
+ '(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' # optional access keyword(s)
+ '(\s+(peer=' + RE_PROFILE_NAME % 'peer' + '))?' # optional peer
+ '\s*$')
class PtraceRule(BaseRule):

22
utils/apparmor/rule/signal.py
View File

@ -39,25 +39,25 @@ RE_SIGNAL_REALTIME = re.compile('^rtmin\+0*([0-9]|[12][0-9]|3[0-2])$') # rtmin+
joint_access_keyword = '\s*(' + '|'.join(access_keywords) + ')\s*'
RE_ACCESS_KEYWORDS = (
joint_access_keyword + # one of the access_keyword or
'|' + # or
'\(' + joint_access_keyword + '(' + '(\s|,)+' + joint_access_keyword + ')*' + '\)' # one or more access_keyword in (...)
joint_access_keyword # one of the access_keyword or
+ '|' # or
+ '\(' + joint_access_keyword + '(' + '(\s|,)+' + joint_access_keyword + ')*' + '\)' # one or more access_keyword in (...)
)
signal_keyword = '\s*([a-z0-9+]+|"[a-z0-9+]+")\s*' # don't check against the signal keyword list in the regex to allow a more helpful error message
RE_SIGNAL_KEYWORDS = (
'set\s*=\s*' + signal_keyword + # one of the signal_keyword or
'|' + # or
'set\s*=\s*\(' + signal_keyword + '(' + '(\s|,)+' + signal_keyword + ')*' + '\)' # one or more signal_keyword in (...)
'set\s*=\s*' + signal_keyword # one of the signal_keyword or
+ '|' # or
+ 'set\s*=\s*\(' + signal_keyword + '(' + '(\s|,)+' + signal_keyword + ')*' + '\)' # one or more signal_keyword in (...)
)
RE_SIGNAL_DETAILS = re.compile(
'^' +
'(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' + # optional access keyword(s)
'(?P<signal>' + '(\s+(' + RE_SIGNAL_KEYWORDS + '))+' + ')?' + # optional signal set(s)
'(\s+(peer=' + RE_PROFILE_NAME % 'peer' + '))?' + # optional peer
'\s*$')
'^'
+ '(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' # optional access keyword(s)
+ '(?P<signal>' + '(\s+(' + RE_SIGNAL_KEYWORDS + '))+' + ')?' # optional signal set(s)
+ '(\s+(peer=' + RE_PROFILE_NAME % 'peer' + '))?' # optional peer
+ '\s*$')
RE_FILTER_SET_1 = re.compile('set\s*=\s*\(([^)]*)\)')

4
utils/apparmor/sandbox.py
View File

@ -607,8 +607,8 @@ EndSection
started = False
# We need to wait for the xpra socket to exist before attaching
fn = os.path.join(os.environ['HOME'], '.xpra', '%s-%s' %
(socket.gethostname(), self.display.split(':')[1]))
fn = os.path.join(os.environ['HOME'], '.xpra', '%s-%s'
% (socket.gethostname(), self.display.split(':')[1]))
for i in range(self.timeout * 2): # up to self.timeout seconds to start
if os.path.exists(fn):
debug("Found '%s'! Proceeding to attach" % fn)

16
utils/test/test-aa-easyprof.py
View File

@ -561,8 +561,8 @@ POLICYGROUPS_DIR="%s/templates"
args = self.full_args
args.append('--list-templates')
args.append('--include-templates-dir=%s' %
os.path.join(self.test_include_dir, 'templates'))
args.append('--include-templates-dir=%s'
% os.path.join(self.test_include_dir, 'templates'))
(self.options, self.args) = easyprof.parse_args(args)
easyp = easyprof.AppArmorEasyProfile(None, self.options)
@ -580,8 +580,8 @@ POLICYGROUPS_DIR="%s/templates"
args = self.full_args
args += ['--show-template',
'--template', f,
'--include-templates-dir=%s' %
os.path.join(self.test_include_dir, 'templates')]
'--include-templates-dir=%s'
% os.path.join(self.test_include_dir, 'templates')]
(self.options, self.args) = easyprof.parse_args(args)
easyp = easyprof.AppArmorEasyProfile(None, self.options)
@ -634,8 +634,8 @@ POLICYGROUPS_DIR="%s/templates"
args = self.full_args
args.append('--list-policy-groups')
args.append('--include-policy-groups-dir=%s' %
os.path.join(self.test_include_dir, 'policygroups'))
args.append('--include-policy-groups-dir=%s'
% os.path.join(self.test_include_dir, 'policygroups'))
(self.options, self.args) = easyprof.parse_args(args)
easyp = easyprof.AppArmorEasyProfile(None, self.options)
@ -653,8 +653,8 @@ POLICYGROUPS_DIR="%s/templates"
args = self.full_args
args += ['--show-policy-group',
'--policy-groups', os.path.basename(f),
'--include-policy-groups-dir=%s' %
os.path.join(self.test_include_dir, 'policygroups')]
'--include-policy-groups-dir=%s'
% os.path.join(self.test_include_dir, 'policygroups')]
(self.options, self.args) = easyprof.parse_args(args)
easyp = easyprof.AppArmorEasyProfile(None, self.options)

8
utils/test/test-aa-notify.py
View File

@ -116,10 +116,10 @@ Feb 4 13:40:38 XPS-13-9370 kernel: [128552.880347] audit: type=1400 audit({epoc
with NamedTemporaryFile("w+", prefix='test-aa-notify-', delete=False) as temp_file:
self.test_logfile = temp_file.name
temp_file.write(
test_logfile_contents_999_days_old +
test_logfile_contents_30_days_old +
test_logfile_contents_unrelevant_entries +
test_logfile_contents_0_seconds_old
test_logfile_contents_999_days_old
+ test_logfile_contents_30_days_old
+ test_logfile_contents_unrelevant_entries
+ test_logfile_contents_0_seconds_old
)
def AATeardown(self):