mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00
Code Issues Releases Wiki Activity

Convert RE_PROFILE_BARE_FILE_ENTRY and the code using it to named

Browse Source 
match groups. 

Also split out RE_OWNER that matches the "owner" keyword.

To make the code easier to understand, I dropped the existing audit
variable and instead directly query the "new" audit variable while 
filling path_rule['audit'].


Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
Christian Boltz
2014-10-08 12:31:56 +02:00
parent 3b5bede154
commit f1c86e2486
1 changed files with 10 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
utils/apparmor/aa.py
View File

@@ -2609,6 +2609,7 @@ def attach_profile_data(profiles, profile_data):
## Profile parsing Regex ## Profile parsing Regex
RE_AUDIT_DENY = '^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?' # line start, optionally: leading whitespace, <audit> and <allow>/deny RE_AUDIT_DENY = '^\s*(?P<audit>audit\s+)?(?P<allow>allow\s+|deny\s+)?' # line start, optionally: leading whitespace, <audit> and <allow>/deny
RE_OWNER = '(?P<owner>owner\s+)?' # optionally: <owner>
RE_EOL = '\s*(?P<comment>#.*)?$' # optional whitespace, optional <comment>, end of the line RE_EOL = '\s*(?P<comment>#.*)?$' # optional whitespace, optional <comment>, end of the line
RE_COMMA_EOL = '\s*,' + RE_EOL # optional whitespace, comma + RE_EOL RE_COMMA_EOL = '\s*,' + RE_EOL # optional whitespace, comma + RE_EOL
@@ -2624,8 +2625,8 @@ RE_PROFILE_VARIABLE = re.compile('^\s*(@\{?\w+\}?)\s*(\+?=)\s*(@*.+?)\s*,?'
RE_PROFILE_CONDITIONAL = re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL) RE_PROFILE_CONDITIONAL = re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL)
RE_PROFILE_CONDITIONAL_VARIABLE = re.compile('^\s*if\s+(not\s+)?defined\s+(@\{?\w+\}?)\s*\{\s*(#.*)?$') RE_PROFILE_CONDITIONAL_VARIABLE = re.compile('^\s*if\s+(not\s+)?defined\s+(@\{?\w+\}?)\s*\{\s*(#.*)?$')
RE_PROFILE_CONDITIONAL_BOOLEAN = re.compile('^\s*if\s+(not\s+)?defined\s+(\$\{?\w+\}?)\s*\{\s*(#.*)?$') RE_PROFILE_CONDITIONAL_BOOLEAN = re.compile('^\s*if\s+(not\s+)?defined\s+(\$\{?\w+\}?)\s*\{\s*(#.*)?$')
RE_PROFILE_BARE_FILE_ENTRY = re.compile(RE_AUDIT_DENY + '(owner\s+)?file' + RE_COMMA_EOL) RE_PROFILE_BARE_FILE_ENTRY = re.compile(RE_AUDIT_DENY + RE_OWNER + 'file' + RE_COMMA_EOL)
RE_PROFILE_PATH_ENTRY = re.compile(RE_AUDIT_DENY + '(owner\s+)?(file\s+)?([\"@/].*?)\s+(\S+)(\s+->\s*(.*?))?' + RE_COMMA_EOL) RE_PROFILE_PATH_ENTRY = re.compile(RE_AUDIT_DENY + RE_OWNER + '(file\s+)?([\"@/].*?)\s+(\S+)(\s+->\s*(.*?))?' + RE_COMMA_EOL)
RE_PROFILE_NETWORK = re.compile(RE_AUDIT_DENY + 'network(.*)' + RE_EOL) RE_PROFILE_NETWORK = re.compile(RE_AUDIT_DENY + 'network(.*)' + RE_EOL)
RE_NETWORK_FAMILY_TYPE = re.compile('\s+(\S+)\s+(\S+)\s*,$') RE_NETWORK_FAMILY_TYPE = re.compile('\s+(\S+)\s+(\S+)\s*,$')
RE_NETWORK_FAMILY = re.compile('\s+(\S+)\s*,$') RE_NETWORK_FAMILY = re.compile('\s+(\S+)\s*,$')
@@ -2861,26 +2862,23 @@ def parse_profile_data(data, file, do_include):
pass pass
elif RE_PROFILE_BARE_FILE_ENTRY.search(line): elif RE_PROFILE_BARE_FILE_ENTRY.search(line):
matches = RE_PROFILE_BARE_FILE_ENTRY.search(line).groups() matches = RE_PROFILE_BARE_FILE_ENTRY.search(line)
if not profile: if not profile:
raise AppArmorException(_('Syntax Error: Unexpected bare file rule found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 }) raise AppArmorException(_('Syntax Error: Unexpected bare file rule found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
allow = 'allow' audit, allow, allow_keyword = parse_audit_allow(matches)
if matches[1] and matches[1].strip() == 'deny': # TODO: honor allow_keyword
allow = 'deny'
mode = apparmor.aamode.AA_BARE_FILE_MODE mode = apparmor.aamode.AA_BARE_FILE_MODE
if not matches[2]: if not matches.group('owner'):
mode |= AA_OTHER(apparmor.aamode.AA_BARE_FILE_MODE) mode |= AA_OTHER(apparmor.aamode.AA_BARE_FILE_MODE)
audit = set()
if matches[0]:
audit = mode
path_rule = profile_data[profile][hat][allow]['path'][ALL] path_rule = profile_data[profile][hat][allow]['path'][ALL]
path_rule['mode'] = mode path_rule['mode'] = mode
path_rule['audit'] = audit path_rule['audit'] = set()
if audit:
path_rule['audit'] = mode
path_rule['file_prefix'] = True path_rule['file_prefix'] = True
elif RE_PROFILE_PATH_ENTRY.search(line): elif RE_PROFILE_PATH_ENTRY.search(line):