On 03/22/2012 10:06 AM, Steve Beattie wrote:
> This patch replaces the apparmor.vim generating script with a python
> version that eliminates the need for using the replace tool from the
> mysql-server package. It makes use of the automatically generated
> lists of capabilities and network protocols provided by the build
> infrastructure. I did not capture all the notes and TODOs that
> Christian had in the shell script; I can do so if desired.
>
> It also hooks the generation of the apparmor.vim file into the utils/
> build and clean stages.
>
> [Note: the patch doesn't reflect the deletion of the script or the
> apparmor.vim file in the utils/ directory as handling deletions in
> quilt is problematic. But it's intended that the actual commits into
> bzr will also remove these files.]
>
So I am good with this (tentative Ack) but I want to hear from Christian first.
> ---
> utils/Makefile | 2
> utils/vim/Makefile | 17 +++++-
> utils/vim/create-apparmor.vim.py | 108
> +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 125 insertions(+), 2 deletions(-)
>
> Index: b/utils/Makefile
> ===================================================================
> --- a/utils/Makefile
> +++ b/utils/Makefile
> @@ -37,6 +37,7 @@ MANPAGES = ${TOOLS:=.8} logprof.conf.5
>
> all: ${MANPAGES} ${HTMLMANPAGES}
> $(MAKE) -C po all
> + $(MAKE) -C vim all
>
> # need some better way of determining this
> DESTDIR=/
> @@ -67,6 +68,7 @@ clean: _clean
> rm -f core core.* *.o *.s *.a *~
> rm -f Make.rules
> $(MAKE) -C po clean
> + $(MAKE) -C vim clean
>
> # ${CAPABILITIES} is defined in common/Make.rules
> .PHONY: check_severity_db
> Index: b/utils/vim/Makefile
> ===================================================================
> --- a/utils/vim/Makefile
> +++ b/utils/vim/Makefile
> @@ -1,5 +1,18 @@
> -apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh
> - sh create-apparmor.vim.sh
> +COMMONDIR=../../common/
> +
> +all:
> +include common/Make.rules
> +
> +COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true))
> +ifeq ($(COMMONDIR_EXISTS), true)
> +common/Make.rules: $(COMMONDIR)/Make.rules
> + ln -sf $(COMMONDIR) .
> +endif
> +
> +all: apparmor.vim
> +
> +apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
> + python create-apparmor.vim.py > $@
>
> clean:
> rm -f apparmor.vim
> Index: b/utils/vim/create-apparmor.vim.py
> ===================================================================
> --- /dev/null
> +++ b/utils/vim/create-apparmor.vim.py
> @@ -0,0 +1,108 @@
> +#!/usr/bin/python
> +#
> +# Copyright (C) 2012 Canonical Ltd.
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# Written by Steve Beattie <st...@nxnw.org>, based on work by
> +# Christian Boltz <appar...@cboltz.de>
> +
> +import os
> +import re
> +import subprocess
> +import sys
> +
> +# dangerous capabilities
> +danger_caps=["audit_control",
> + "audit_write",
> + "mac_override",
> + "mac_admin",
> + "set_fcap",
> + "sys_admin",
> + "sys_module",
> + "sys_rawio"]
> +
> +aa_network_types=r'\s+tcp|\s+udp|\s+icmp'
> +
> +aa_flags=r'(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)'
> +
> +def cmd(command, input = None, stderr = subprocess.STDOUT, stdout =
> subprocess.PIPE, stdin = None, timeout = None):
> + '''Try to execute given command (array) and return its stdout, or
> + return a textual error if it failed.'''
> +
> + try:
> + sp = subprocess.Popen(command, stdin=stdin, stdout=stdout,
> stderr=stderr, close_fds=True)
> + except OSError, e:
> + return [127, str(e)]
> +
> + out, outerr = sp.communicate(input)
> +
> + # Handle redirection of stdout
> + if out == None:
> + out = ''
> + # Handle redirection of stderr
> + if outerr == None:
> + outerr = ''
> + return [sp.returncode,out+outerr]
> +
> +# get capabilities list
> +(rc, output) = cmd(['make', '-s', '--no-print-directory',
> 'list_capabilities'])
> +if rc != 0:
> + print >>sys.stderr, ("make list_capabilities failed: " + output)
> + exit(rc)
> +
> +capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
> +benign_caps =[]
> +for cap in capabilities:
> + if cap not in danger_caps:
> + benign_caps.append(cap)
> +
> +# get network protos list
> +(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
> +if rc != 0:
> + print >>sys.stderr, ("make list_af_names failed: " + output)
> + exit(rc)
> +
> +af_names = []
> +af_pairs = re.sub('AF_', '', output.strip()).lower().split(",")
> +for af_pair in af_pairs:
> + af_name = af_pair.lstrip().split(" ")[0]
> + # skip max af name definition
> + if len(af_name) > 0 and af_name != "max":
> + af_names.append(af_name)
> +
> +# TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey,
> +# but not in aa_flags...
> +# -> currently (2011-01-11) not, but might come back
> +
> +aa_regex_map = {
> + 'FILE':
> r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+',
> + 'DENYFILE':
> r'\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+',
> + 'auditdenyowner': r'(audit\s+)?(deny\s+)?(owner\s+)?',
> + 'auditdeny': r'(audit\s+)?(deny\s+)?',
> + 'FILENAME': r'(\/|\@\{\S*\})\S*',
> + 'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)',
> + 'TRANSITION': r'(\s+-\>\s+\S+)?',
> + 'sdKapKey': " ".join(benign_caps),
> + 'sdKapKeyDanger': " ".join(danger_caps),
> + 'sdKapKeyRegex': "|".join(capabilities),
> + 'sdNetworkType': aa_network_types,
> + 'sdNetworkProto': "|".join(af_names),
> + 'flags': r'((flags\s*\=\s*)?\(\s*' + aa_flags + r'(\s*,\s*' +
> aa_flags + r')*\s*\)\s+)',
> +}
> +
> +def my_repl(matchobj):
> + #print matchobj.group(1)
> + if matchobj.group(1) in aa_regex_map:
> + return aa_regex_map[matchobj.group(1)]
> +
> + return matchobj.group(0)
> +
> +regex = "@@(" + "|".join(aa_regex_map) + ")@@"
> +
> +with file("apparmor.vim.in") as template:
> + for line in template:
> + line = re.sub(regex, my_repl, line.rstrip())
> + print line
>
>
> -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or
> unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
>
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
