mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 22:35:35 +00:00

aa-mergeprof: fixup some of the whitespace issues

Steve Beattie
2014-02-13 08:31:59 -08:00
parent d318ff6100
commit f652178a02


@@ -34,18 +34,19 @@ args = parser.parse_args()
profiles = [args.mine, args.base, args.other] profiles = [args.mine, args.base, args.other]
def main(): def main():
mergeprofiles = Merge(profiles) mergeprofiles = Merge(profiles)
#Get rid of common/superfluous stuff #Get rid of common/superfluous stuff
mergeprofiles.clear_common() mergeprofiles.clear_common()
if not args.auto: if not args.auto:
mergeprofiles.ask_the_questions('other') mergeprofiles.ask_the_questions('other')
mergeprofiles.clear_common() mergeprofiles.clear_common()
mergeprofiles.ask_the_questions('base') mergeprofiles.ask_the_questions('base')
q = apparmor.aa.hasher() q = apparmor.aa.hasher()
q['title'] = 'Changed Local Profiles' q['title'] = 'Changed Local Profiles'
q['headers'] = [] q['headers'] = []
@@ -69,7 +70,7 @@ def main():
#oldprofile = apparmor.serialize_profile(apparmor.original_aa[program], program, '') #oldprofile = apparmor.serialize_profile(apparmor.original_aa[program], program, '')
newprofile = apparmor.aa.serialize_profile(mergeprofiles.user.aa[program], program, '') newprofile = apparmor.aa.serialize_profile(mergeprofiles.user.aa[program], program, '')
apparmor.aa.display_changes_with_comments(mergeprofiles.user.filename, newprofile) apparmor.aa.display_changes_with_comments(mergeprofiles.user.filename, newprofile)
class Merge(object): class Merge(object):
def __init__(self, profiles): def __init__(self, profiles):
@@ -103,11 +104,11 @@ class Merge(object):
#Remove off the parts in other profile which are common/superfluous from user profile #Remove off the parts in other profile which are common/superfluous from user profile
user_other = cleanprofile.CleanProf(False, self.user, self.other) user_other = cleanprofile.CleanProf(False, self.user, self.other)
deleted += user_other.compare_profiles() deleted += user_other.compare_profiles()
#Remove off the parts in base profile which are common/superfluous from user profile #Remove off the parts in base profile which are common/superfluous from user profile
user_base = cleanprofile.CleanProf(False, self.user, self.base) user_base = cleanprofile.CleanProf(False, self.user, self.base)
deleted += user_base.compare_profiles() deleted += user_base.compare_profiles()
#Remove off the parts in other profile which are common/superfluous from base profile #Remove off the parts in other profile which are common/superfluous from base profile
# base_other = cleanprofile.CleanProf(False, self.base, self.other) # XXX base_other not used? # base_other = cleanprofile.CleanProf(False, self.base, self.other) # XXX base_other not used?
deleted += user_base.compare_profiles() deleted += user_base.compare_profiles()
@@ -147,14 +148,14 @@ class Merge(object):
else: else:
raise apparmor.aa.AppArmorException(_('Unknown selection')) raise apparmor.aa.AppArmorException(_('Unknown selection'))
done = True done = True
def ask_the_questions(self, other): def ask_the_questions(self, other):
if other == 'other': if other == 'other':
other = self.other other = self.other
else: else:
other = self.base other = self.base
#print(other.aa) #print(other.aa)
#Add the file-wide includes from the other profile to the user profile #Add the file-wide includes from the other profile to the user profile
done = False done = False
options = list(map(lambda inc: '#include <%s>' %inc, sorted(other.filelist[other.filename]['include'].keys()))) options = list(map(lambda inc: '#include <%s>' %inc, sorted(other.filelist[other.filename]['include'].keys())))
@@ -175,8 +176,7 @@ class Merge(object):
self.user.filelist[self.user.filename]['include'][inc] = True self.user.filelist[self.user.filename]['include'][inc] = True
options.pop(selected) options.pop(selected)
apparmor.aa.UI_Info(_('Adding %s to the file.') % selection) apparmor.aa.UI_Info(_('Adding %s to the file.') % selection)
sev_db = apparmor.aa.sev_db sev_db = apparmor.aa.sev_db
if not sev_db: if not sev_db:
sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown')) sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown'))
@@ -205,7 +205,7 @@ class Merge(object):
apparmor.aa.UI_Info(_('Adding %s to the file.') % selection) apparmor.aa.UI_Info(_('Adding %s to the file.') % selection)
if deleted: if deleted:
apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
#Add the capabilities #Add the capabilities
for allow in ['allow', 'deny']: for allow in ['allow', 'deny']:
if other.aa[profile][hat].get(allow, False): if other.aa[profile][hat].get(allow, False):
@@ -218,22 +218,22 @@ class Merge(object):
q = apparmor.aa.hasher() q = apparmor.aa.hasher()
if newincludes: if newincludes:
options += list(map(lambda inc: '#include <%s>' %inc, sorted(set(newincludes)))) options += list(map(lambda inc: '#include <%s>' %inc, sorted(set(newincludes))))
if options: if options:
options.append('capability %s' % capability) options.append('capability %s' % capability)
q['options'] = [options] q['options'] = [options]
q['selected'] = default_option - 1 q['selected'] = default_option - 1
q['headers'] = [_('Profile'), apparmor.aa.combine_name(profile, hat)] q['headers'] = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
q['headers'] += [_('Capability'), capability] q['headers'] += [_('Capability'), capability]
q['headers'] += [_('Severity'), severity] q['headers'] += [_('Severity'), severity]
audit_toggle = 0 audit_toggle = 0
q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED'] q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED']
q['default'] = 'CMD_ALLOW' q['default'] = 'CMD_ALLOW'
done = False done = False
while not done: while not done:
ans, selected = apparmor.aa.UI_PromptUser(q) ans, selected = apparmor.aa.UI_PromptUser(q)
@@ -241,7 +241,7 @@ class Merge(object):
if ans == 'CMD_IGNORE_ENTRY': if ans == 'CMD_IGNORE_ENTRY':
done = True done = True
break break
if ans == 'CMD_ALLOW': if ans == 'CMD_ALLOW':
selection = '' selection = ''
if options: if options:
@@ -252,28 +252,28 @@ class Merge(object):
inc = match inc = match
deleted = apparmor.aa.delete_duplicates(self.user.aa[profile][hat], inc) deleted = apparmor.aa.delete_duplicates(self.user.aa[profile][hat], inc)
self.user.aa[profile][hat]['include'][inc] = True self.user.aa[profile][hat]['include'][inc] = True
apparmor.aa.UI_Info(_('Adding %s to profile.') % selection) apparmor.aa.UI_Info(_('Adding %s to profile.') % selection)
if deleted: if deleted:
apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
self.user.aa[profile][hat]['allow']['capability'][capability]['set'] = True self.user.aa[profile][hat]['allow']['capability'][capability]['set'] = True
self.user.aa[profile][hat]['allow']['capability'][capability]['audit'] = other.aa[profile][hat]['allow']['capability'][capability]['audit'] self.user.aa[profile][hat]['allow']['capability'][capability]['audit'] = other.aa[profile][hat]['allow']['capability'][capability]['audit']
apparmor.aa.changed[profile] = True apparmor.aa.changed[profile] = True
apparmor.aa.UI_Info(_('Adding capability %s to profile.'), capability) apparmor.aa.UI_Info(_('Adding capability %s to profile.'), capability)
done = True done = True
elif ans == 'CMD_DENY': elif ans == 'CMD_DENY':
self.user.aa[profile][hat]['deny']['capability'][capability]['set'] = True self.user.aa[profile][hat]['deny']['capability'][capability]['set'] = True
apparmor.aa.changed[profile] = True apparmor.aa.changed[profile] = True
apparmor.aa.UI_Info(_('Denying capability %s to profile.') % capability) apparmor.aa.UI_Info(_('Denying capability %s to profile.') % capability)
done = True done = True
else: else:
done = False done = False
# Process all the path entries. # Process all the path entries.
for allow in ['allow', 'deny']: for allow in ['allow', 'deny']:
for path in sorted(other.aa[profile][hat][allow]['path'].keys()): for path in sorted(other.aa[profile][hat][allow]['path'].keys()):
@@ -290,37 +290,37 @@ class Merge(object):
allow_audit = set() allow_audit = set()
deny_mode = set() deny_mode = set()
deny_audit = set() deny_audit = set()
fmode, famode, fm = apparmor.aa.rematchfrag(self.user.aa[profile][hat], 'allow', path) fmode, famode, fm = apparmor.aa.rematchfrag(self.user.aa[profile][hat], 'allow', path)
if fmode: if fmode:
allow_mode |= fmode allow_mode |= fmode
if famode: if famode:
allow_audit |= famode allow_audit |= famode
cm, cam, m = apparmor.aa.rematchfrag(self.user.aa[profile][hat], 'deny', path) cm, cam, m = apparmor.aa.rematchfrag(self.user.aa[profile][hat], 'deny', path)
if cm: if cm:
deny_mode |= cm deny_mode |= cm
if cam: if cam:
deny_audit |= cam deny_audit |= cam
imode, iamode, im = apparmor.aa.match_prof_incs_to_path(self.user.aa[profile][hat], 'allow', path) imode, iamode, im = apparmor.aa.match_prof_incs_to_path(self.user.aa[profile][hat], 'allow', path)
if imode: if imode:
allow_mode |= imode allow_mode |= imode
if iamode: if iamode:
allow_audit |= iamode allow_audit |= iamode
cm, cam, m = apparmor.aa.match_prof_incs_to_path(self.user.aa[profile][hat], 'deny', path) cm, cam, m = apparmor.aa.match_prof_incs_to_path(self.user.aa[profile][hat], 'deny', path)
if cm: if cm:
deny_mode |= cm deny_mode |= cm
if cam: if cam:
deny_audit |= cam deny_audit |= cam
if deny_mode & apparmor.aa.AA_MAY_EXEC: if deny_mode & apparmor.aa.AA_MAY_EXEC:
deny_mode |= apparmor.aamode.ALL_AA_EXEC_TYPE deny_mode |= apparmor.aamode.ALL_AA_EXEC_TYPE
# Mask off the denied modes # Mask off the denied modes
mode = mode - deny_mode mode = mode - deny_mode
# If we get an exec request from some kindof event that generates 'PERMITTING X' # If we get an exec request from some kindof event that generates 'PERMITTING X'
# check if its already in allow_mode # check if its already in allow_mode
# if not add ix permission # if not add ix permission
@@ -329,32 +329,32 @@ class Merge(object):
mode = mode - apparmor.aamode.ALL_AA_EXEC_TYPE mode = mode - apparmor.aamode.ALL_AA_EXEC_TYPE
if not allow_mode & apparmor.aa.AA_MAY_EXEC: if not allow_mode & apparmor.aa.AA_MAY_EXEC:
mode |= apparmor.aa.str_to_mode('ix') mode |= apparmor.aa.str_to_mode('ix')
# m is not implied by ix # m is not implied by ix
### If we get an mmap request, check if we already have it in allow_mode ### If we get an mmap request, check if we already have it in allow_mode
##if mode & AA_EXEC_MMAP: ##if mode & AA_EXEC_MMAP:
## # ix implies m, so we don't need to add m if ix is present ## # ix implies m, so we don't need to add m if ix is present
## if contains(allow_mode, 'ix'): ## if contains(allow_mode, 'ix'):
## mode = mode - AA_EXEC_MMAP ## mode = mode - AA_EXEC_MMAP
if not mode: if not mode:
continue continue
matches = [] matches = []
if fmode: if fmode:
matches += fm matches += fm
if imode: if imode:
matches += im matches += im
if not apparmor.aa.mode_contains(allow_mode, mode): if not apparmor.aa.mode_contains(allow_mode, mode):
default_option = 1 default_option = 1
options = [] options = []
newincludes = [] newincludes = []
include_valid = False include_valid = False
for incname in apparmor.aa.include.keys(): for incname in apparmor.aa.include.keys():
include_valid = False include_valid = False
# If already present skip # If already present skip
@@ -362,14 +362,14 @@ class Merge(object):
continue continue
if incname.startswith(apparmor.aa.profile_dir): if incname.startswith(apparmor.aa.profile_dir):
incname = incname.replace(apparmor.aa.profile_dir+'/', '', 1) incname = incname.replace(apparmor.aa.profile_dir+'/', '', 1)
include_valid = apparmor.aa.valid_include('', incname) include_valid = apparmor.aa.valid_include('', incname)
if not include_valid: if not include_valid:
continue continue
cm, am, m = apparmor.aa.match_include_to_path(incname, 'allow', path) cm, am, m = apparmor.aa.match_include_to_path(incname, 'allow', path)
if cm and apparmor.aa.mode_contains(cm, mode): if cm and apparmor.aa.mode_contains(cm, mode):
dm = apparmor.aa.match_include_to_path(incname, 'deny', path)[0] dm = apparmor.aa.match_include_to_path(incname, 'deny', path)[0]
# If the mode is denied # If the mode is denied
@@ -389,19 +389,19 @@ class Merge(object):
for user_glob in apparmor.aa.user_globs: for user_glob in apparmor.aa.user_globs:
if apparmor.aa.matchliteral(user_glob, path): if apparmor.aa.matchliteral(user_glob, path):
matches.append(user_glob) matches.append(user_glob)
matches = list(set(matches)) matches = list(set(matches))
if path in matches: if path in matches:
matches.remove(path) matches.remove(path)
options += apparmor.aa.order_globs(matches, path) options += apparmor.aa.order_globs(matches, path)
default_option = len(options) default_option = len(options)
sev_db.unload_variables() sev_db.unload_variables()
sev_db.load_variables(apparmor.aa.get_profile_filename(profile)) sev_db.load_variables(apparmor.aa.get_profile_filename(profile))
severity = sev_db.rank(path, apparmor.aa.mode_to_str(mode)) severity = sev_db.rank(path, apparmor.aa.mode_to_str(mode))
sev_db.unload_variables() sev_db.unload_variables()
audit_toggle = 0 audit_toggle = 0
owner_toggle = 0 owner_toggle = 0
if apparmor.aa.cfg['settings']['default_owner_prompt']: if apparmor.aa.cfg['settings']['default_owner_prompt']:
@@ -411,7 +411,7 @@ class Merge(object):
q = apparmor.aa.hasher() q = apparmor.aa.hasher()
q['headers'] = [_('Profile'), apparmor.aa.combine_name(profile, hat), q['headers'] = [_('Profile'), apparmor.aa.combine_name(profile, hat),
_('Path'), path] _('Path'), path]
if allow_mode: if allow_mode:
mode |= allow_mode mode |= allow_mode
tail = '' tail = ''
@@ -428,7 +428,7 @@ class Merge(object):
else: else:
prompt_mode = apparmor.aa.owner_flatten_mode(mode) prompt_mode = apparmor.aa.owner_flatten_mode(mode)
tail = ' ' + _('(force all rule perms to owner)') tail = ' ' + _('(force all rule perms to owner)')
if audit_toggle == 1: if audit_toggle == 1:
s = apparmor.aa.mode_to_str_user(allow_mode) s = apparmor.aa.mode_to_str_user(allow_mode)
if allow_mode: if allow_mode:
@@ -438,10 +438,10 @@ class Merge(object):
s = 'audit ' + apparmor.aa.mode_to_str_user(prompt_mode) + tail s = 'audit ' + apparmor.aa.mode_to_str_user(prompt_mode) + tail
else: else:
s = apparmor.aa.mode_to_str_user(prompt_mode) + tail s = apparmor.aa.mode_to_str_user(prompt_mode) + tail
q['headers'] += [_('Old Mode'), apparmor.aa.mode_to_str_user(allow_mode), q['headers'] += [_('Old Mode'), apparmor.aa.mode_to_str_user(allow_mode),
_('New Mode'), s] _('New Mode'), s]
else: else:
s = '' s = ''
tail = '' tail = ''
@@ -456,26 +456,26 @@ class Merge(object):
else: else:
prompt_mode = apparmor.aa.owner_flatten_mode(mode) prompt_mode = apparmor.aa.owner_flatten_mode(mode)
tail = ' ' + _('(force perms to owner)') tail = ' ' + _('(force perms to owner)')
s = apparmor.aa.mode_to_str_user(prompt_mode) s = apparmor.aa.mode_to_str_user(prompt_mode)
q['headers'] += [_('Mode'), s] q['headers'] += [_('Mode'), s]
q['headers'] += [_('Severity'), severity] q['headers'] += [_('Severity'), severity]
q['options'] = options q['options'] = options
q['selected'] = default_option - 1 q['selected'] = default_option - 1
q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB',
'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_ABORT',
'CMD_FINISHED', 'CMD_OTHER'] 'CMD_FINISHED', 'CMD_OTHER']
q['default'] = 'CMD_ALLOW' q['default'] = 'CMD_ALLOW'
ans, selected = apparmor.aa.UI_PromptUser(q) ans, selected = apparmor.aa.UI_PromptUser(q)
if ans == 'CMD_IGNORE_ENTRY': if ans == 'CMD_IGNORE_ENTRY':
done = True done = True
break break
if ans == 'CMD_OTHER': if ans == 'CMD_OTHER':
audit_toggle, owner_toggle = apparmor.aa.UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode) audit_toggle, owner_toggle = apparmor.aa.UI_ask_mode_toggles(audit_toggle, owner_toggle, allow_mode)
elif ans == 'CMD_USER_TOGGLE': elif ans == 'CMD_USER_TOGGLE':
@@ -497,7 +497,7 @@ class Merge(object):
apparmor.aa.UI_Info(_('Adding %s to profile.') % path) apparmor.aa.UI_Info(_('Adding %s to profile.') % path)
if deleted: if deleted:
apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
else: else:
if self.user.aa[profile][hat]['allow']['path'][path].get('mode', False): if self.user.aa[profile][hat]['allow']['path'][path].get('mode', False):
mode |= self.user.aa[profile][hat]['allow']['path'][path]['mode'] mode |= self.user.aa[profile][hat]['allow']['path'][path]['mode']
@@ -505,14 +505,14 @@ class Merge(object):
for entry in self.user.aa[profile][hat]['allow']['path'].keys(): for entry in self.user.aa[profile][hat]['allow']['path'].keys():
if path == entry: if path == entry:
continue continue
if apparmor.aa.matchregexp(path, entry): if apparmor.aa.matchregexp(path, entry):
if apparmor.aa.mode_contains(mode, self.user.aa[profile][hat]['allow']['path'][entry]['mode']): if apparmor.aa.mode_contains(mode, self.user.aa[profile][hat]['allow']['path'][entry]['mode']):
deleted.append(entry) deleted.append(entry)
for entry in deleted: for entry in deleted:
self.user.aa[profile][hat]['allow']['path'].pop(entry) self.user.aa[profile][hat]['allow']['path'].pop(entry)
deleted = len(deleted) deleted = len(deleted)
if owner_toggle == 0: if owner_toggle == 0:
mode = apparmor.aa.flatten_mode(mode) mode = apparmor.aa.flatten_mode(mode)
#elif owner_toggle == 1: #elif owner_toggle == 1:
@@ -521,36 +521,36 @@ class Merge(object):
mode = allow_mode | apparmor.aa.owner_flatten_mode(mode - allow_mode) mode = allow_mode | apparmor.aa.owner_flatten_mode(mode - allow_mode)
elif owner_toggle == 3: elif owner_toggle == 3:
mode = apparmor.aa.owner_flatten_mode(mode) mode = apparmor.aa.owner_flatten_mode(mode)
if not self.user.aa[profile][hat]['allow'].get(path, False): if not self.user.aa[profile][hat]['allow'].get(path, False):
self.user.aa[profile][hat]['allow']['path'][path]['mode'] = self.user.aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode self.user.aa[profile][hat]['allow']['path'][path]['mode'] = self.user.aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode
tmpmode = set() tmpmode = set()
if audit_toggle == 1: if audit_toggle == 1:
tmpmode = mode- allow_mode tmpmode = mode- allow_mode
elif audit_toggle == 2: elif audit_toggle == 2:
tmpmode = mode tmpmode = mode
self.user.aa[profile][hat]['allow']['path'][path]['audit'] = self.user.aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode self.user.aa[profile][hat]['allow']['path'][path]['audit'] = self.user.aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode
apparmor.aa.changed[profile] = True apparmor.aa.changed[profile] = True
apparmor.aa.UI_Info(_('Adding %s %s to profile') % (path, apparmor.aa.mode_to_str_user(mode))) apparmor.aa.UI_Info(_('Adding %s %s to profile') % (path, apparmor.aa.mode_to_str_user(mode)))
if deleted: if deleted:
apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
elif ans == 'CMD_DENY': elif ans == 'CMD_DENY':
path = options[selected].strip() path = options[selected].strip()
# Add new entry? # Add new entry?
self.user.aa[profile][hat]['deny']['path'][path]['mode'] = self.user.aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode) self.user.aa[profile][hat]['deny']['path'][path]['mode'] = self.user.aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode)
self.user.aa[profile][hat]['deny']['path'][path]['audit'] = self.user.aa[profile][hat]['deny']['path'][path].get('audit', set()) self.user.aa[profile][hat]['deny']['path'][path]['audit'] = self.user.aa[profile][hat]['deny']['path'][path].get('audit', set())
apparmor.aa.changed[profile] = True apparmor.aa.changed[profile] = True
done = True done = True
elif ans == 'CMD_NEW': elif ans == 'CMD_NEW':
arg = options[selected] arg = options[selected]
if not apparmor.aa.re_match_include(arg): if not apparmor.aa.re_match_include(arg):
@@ -564,29 +564,29 @@ class Merge(object):
apparmor.aa.user_globs.append(ans) apparmor.aa.user_globs.append(ans)
options.append(ans) options.append(ans)
default_option = len(options) default_option = len(options)
elif ans == 'CMD_GLOB': elif ans == 'CMD_GLOB':
newpath = options[selected].strip() newpath = options[selected].strip()
if not apparmor.aa.re_match_include(newpath): if not apparmor.aa.re_match_include(newpath):
newpath = apparmor.aa.glob_path(newpath) newpath = apparmor.aa.glob_path(newpath)
if newpath not in options: if newpath not in options:
options.append(newpath) options.append(newpath)
default_option = len(options) default_option = len(options)
else: else:
default_option = options.index(newpath) + 1 default_option = options.index(newpath) + 1
elif ans == 'CMD_GLOBEXT': elif ans == 'CMD_GLOBEXT':
newpath = options[selected].strip() newpath = options[selected].strip()
if not apparmor.aa.re_match_include(newpath): if not apparmor.aa.re_match_include(newpath):
newpath = apparmor.aa.glob_path_withext(newpath) newpath = apparmor.aa.glob_path_withext(newpath)
if newpath not in options: if newpath not in options:
options.append(newpath) options.append(newpath)
default_option = len(options) default_option = len(options)
else: else:
default_option = options.index(newpath) + 1 default_option = options.index(newpath) + 1
elif re.search('\d', ans): elif re.search('\d', ans):
default_option = ans default_option = ans
@@ -608,24 +608,24 @@ class Merge(object):
options.append('network %s %s' % (family, sock_type)) options.append('network %s %s' % (family, sock_type))
q['options'] = options q['options'] = options
q['selected'] = default_option - 1 q['selected'] = default_option - 1
q['headers'] = [_('Profile'), apparmor.aa.combine_name(profile, hat)] q['headers'] = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
q['headers'] += [_('Network Family'), family] q['headers'] += [_('Network Family'), family]
q['headers'] += [_('Socket Type'), sock_type] q['headers'] += [_('Socket Type'), sock_type]
audit_toggle = 0 audit_toggle = 0
q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW', q['functions'] = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
'CMD_ABORT', 'CMD_FINISHED'] 'CMD_ABORT', 'CMD_FINISHED']
q['default'] = 'CMD_ALLOW' q['default'] = 'CMD_ALLOW'
done = False done = False
while not done: while not done:
ans, selected = apparmor.aa.UI_PromptUser(q) ans, selected = apparmor.aa.UI_PromptUser(q)
if ans == 'CMD_IGNORE_ENTRY': if ans == 'CMD_IGNORE_ENTRY':
done = True done = True
break break
if ans.startswith('CMD_AUDIT'): if ans.startswith('CMD_AUDIT'):
audit_toggle = not audit_toggle audit_toggle = not audit_toggle
audit = '' audit = ''
@@ -639,7 +639,7 @@ class Merge(object):
q['headers'] = [_('Profile'), apparmor.aa.combine_name(profile, hat)] q['headers'] = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
q['headers'] += [_('Network Family'), audit + family] q['headers'] += [_('Network Family'), audit + family]
q['headers'] += [_('Socket Type'), sock_type] q['headers'] += [_('Socket Type'), sock_type]
elif ans == 'CMD_ALLOW': elif ans == 'CMD_ALLOW':
#print(options, selected) #print(options, selected)
selection = options[selected] selection = options[selected]
@@ -648,34 +648,31 @@ class Merge(object):
inc = apparmor.aa.re_match_include(selection) #re.search('#include\s+<(.+)>$', selection).groups()[0] inc = apparmor.aa.re_match_include(selection) #re.search('#include\s+<(.+)>$', selection).groups()[0]
deleted = 0 deleted = 0
deleted = apparmor.aa.delete_duplicates(self.user.aa[profile][hat], inc) deleted = apparmor.aa.delete_duplicates(self.user.aa[profile][hat], inc)
self.user.aa[profile][hat]['include'][inc] = True self.user.aa[profile][hat]['include'][inc] = True
apparmor.aa.changed[profile] = True apparmor.aa.changed[profile] = True
apparmor.aa.UI_Info(_('Adding %s to profile') % selection) apparmor.aa.UI_Info(_('Adding %s to profile') % selection)
if deleted: if deleted:
apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) apparmor.aa.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
else: else:
self.user.aa[profile][hat]['allow']['netdomain']['audit'][family][sock_type] = audit_toggle self.user.aa[profile][hat]['allow']['netdomain']['audit'][family][sock_type] = audit_toggle
self.user.aa[profile][hat]['allow']['netdomain']['rule'][family][sock_type] = True self.user.aa[profile][hat]['allow']['netdomain']['rule'][family][sock_type] = True
apparmor.aa.changed[profile] = True apparmor.aa.changed[profile] = True
apparmor.aa.UI_Info(_('Adding network access %s %s to profile.') % (family, sock_type)) apparmor.aa.UI_Info(_('Adding network access %s %s to profile.') % (family, sock_type))
elif ans == 'CMD_DENY': elif ans == 'CMD_DENY':
done = True done = True
self.user.aa[profile][hat]['deny']['netdomain']['rule'][family][sock_type] = True self.user.aa[profile][hat]['deny']['netdomain']['rule'][family][sock_type] = True
apparmor.aa.changed[profile] = True apparmor.aa.changed[profile] = True
apparmor.aa.UI_Info(_('Denying network access %s %s to profile') % (family, sock_type)) apparmor.aa.UI_Info(_('Denying network access %s %s to profile') % (family, sock_type))
else: else:
done = False done = False
if __name__ == '__main__': if __name__ == '__main__':
main() main()