On 03/22/2012 10:06 AM, Steve Beattie wrote: > This patch replaces the apparmor.vim generating script with a python > version that eliminates the need for using the replace tool from the > mysql-server package. It makes use of the automatically generated > lists of capabilities and network protocols provided by the build > infrastructure. I did not capture all the notes and TODOs that > Christian had in the shell script; I can do so if desired. > > It also hooks the generation of the apparmor.vim file into the utils/ > build and clean stages. > > [Note: the patch doesn't reflect the deletion of the script or the > apparmor.vim file in the utils/ directory as handling deletions in > quilt is problematic. But it's intended that the actual commits into > bzr will also remove these files.] > So I am good with this (tentative Ack) but I want to hear from Christian first.
> --- > utils/Makefile | 2 > utils/vim/Makefile | 17 +++++- > utils/vim/create-apparmor.vim.py | 108 > +++++++++++++++++++++++++++++++++++++++ > 3 files changed, 125 insertions(+), 2 deletions(-) > > Index: b/utils/Makefile > =================================================================== > --- a/utils/Makefile > +++ b/utils/Makefile > @@ -37,6 +37,7 @@ MANPAGES = ${TOOLS:=.8} logprof.conf.5 > > all: ${MANPAGES} ${HTMLMANPAGES} > $(MAKE) -C po all > + $(MAKE) -C vim all > > # need some better way of determining this > DESTDIR=/ > @@ -67,6 +68,7 @@ clean: _clean > rm -f core core.* *.o *.s *.a *~ > rm -f Make.rules > $(MAKE) -C po clean > + $(MAKE) -C vim clean > > # ${CAPABILITIES} is defined in common/Make.rules > .PHONY: check_severity_db > Index: b/utils/vim/Makefile > =================================================================== > --- a/utils/vim/Makefile > +++ b/utils/vim/Makefile > @@ -1,5 +1,18 @@ > -apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh > - sh create-apparmor.vim.sh > +COMMONDIR=../../common/ > + > +all: > +include common/Make.rules > + > +COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true)) > +ifeq ($(COMMONDIR_EXISTS), true) > +common/Make.rules: $(COMMONDIR)/Make.rules > + ln -sf $(COMMONDIR) . > +endif > + > +all: apparmor.vim > + > +apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py > + python create-apparmor.vim.py > $@ > > clean: > rm -f apparmor.vim > Index: b/utils/vim/create-apparmor.vim.py > =================================================================== > --- /dev/null > +++ b/utils/vim/create-apparmor.vim.py 
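Review bot: In the utils/vim/Makefile hunk, the rule `python create-apparmor.vim.py > $@` opens apparmor.vim through the shell redirect before the script has produced anything, so when the script exits non-zero (its own `make list_capabilities` / `make list_af_names` checks do exactly that) an empty or truncated apparmor.vim is left in place and later `make` runs treat it as up to date. Writing to a temporary name and renaming only on success avoids the stale target: `python create-apparmor.vim.py > $@.tmp && mv $@.tmp $@` (with `$@.tmp` added to the `clean` rule), or alternatively declare `.DELETE_ON_ERROR:` in the Makefile. The interpreter is also hard-coded as `python` while the rest of the recipe uses variables from common/Make.rules; if those rules already define a Python variable it would be more consistent to use it here, though that is not visible from the hunk.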
> @@ -0,0 +1,108 @@ > +#!/usr/bin/python > +# > +# Copyright (C) 2012 Canonical Ltd. > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License published by the Free Software Foundation. > +# > +# Written by Steve Beattie <st...@nxnw.org>, based on work by > +# Christian Boltz <appar...@cboltz.de> > + > +import os > +import re > +import subprocess > +import sys > + > +# dangerous capabilities > +danger_caps=["audit_control", > + "audit_write", > + "mac_override", > + "mac_admin", > + "set_fcap", > + "sys_admin", > + "sys_module", > + "sys_rawio"] > + > +aa_network_types=r'\s+tcp|\s+udp|\s+icmp' > + > +aa_flags=r'(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)' > + > +def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = > subprocess.PIPE, stdin = None, timeout = None): > + '''Try to execute given command (array) and return its stdout, or > + return a textual error if it failed.''' > + > + try: > + sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, > stderr=stderr, close_fds=True) > + except OSError, e: > + return [127, str(e)] > + > + out, outerr = sp.communicate(input) > + > + # Handle redirection of stdout > + if out == None: > + out = '' > + # Handle redirection of stderr > + if outerr == None: > + outerr = '' > + return [sp.returncode,out+outerr] > + > +# get capabilities list > +(rc, output) = cmd(['make', '-s', '--no-print-directory', > 'list_capabilities']) > +if rc != 0: > + print >>sys.stderr, ("make list_capabilities failed: " + output) > + exit(rc) > + > +capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ") > +benign_caps =[] > +for cap in capabilities: > + if cap not in danger_caps: > + benign_caps.append(cap) > + > +# get network protos list > +(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names']) > +if rc != 0: > + print 
>>sys.stderr, ("make list_af_names failed: " + output) > + exit(rc) > + > +af_names = [] > +af_pairs = re.sub('AF_', '', output.strip()).lower().split(",") > +for af_pair in af_pairs: > + af_name = af_pair.lstrip().split(" ")[0] > + # skip max af name definition > + if len(af_name) > 0 and af_name != "max": > + af_names.append(af_name) > + > +# TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey, > +# but not in aa_flags... > +# -> currently (2011-01-11) not, but might come back > + > +aa_regex_map = { > + 'FILE': > r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+', > + 'DENYFILE': > r'\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+', > + 'auditdenyowner': r'(audit\s+)?(deny\s+)?(owner\s+)?', > + 'auditdeny': r'(audit\s+)?(deny\s+)?', > + 'FILENAME': r'(\/|\@\{\S*\})\S*', > + 'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)', > + 'TRANSITION': r'(\s+-\>\s+\S+)?', > + 'sdKapKey': " ".join(benign_caps), > + 'sdKapKeyDanger': " ".join(danger_caps), > + 'sdKapKeyRegex': "|".join(capabilities), > + 'sdNetworkType': aa_network_types, > + 'sdNetworkProto': "|".join(af_names), > + 'flags': r'((flags\s*\=\s*)?\(\s*' + aa_flags + r'(\s*,\s*' + > aa_flags + r')*\s*\)\s+)', > +} > + > +def my_repl(matchobj): > + #print matchobj.group(1) > + if matchobj.group(1) in aa_regex_map: > + return aa_regex_map[matchobj.group(1)] > + > + return matchobj.group(0) > + > +regex = "@@(" + "|".join(aa_regex_map) + ")@@" > + > +with file("apparmor.vim.in") as template: > + for line in template: > + line = re.sub(regex, my_repl, line.rstrip()) > + print line > > > -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or > unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor > -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
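Review bot: `cmd()` declares a `timeout` parameter but never uses it, so callers passing a timeout get no timeout; either drop the parameter or document it as reserved, e.g. `# timeout is accepted for interface compatibility but not enforced here`. The two failure paths call the builtin `exit(rc)`, which is only installed by the `site` module and is meant for the interactive interpreter; `sys.exit(rc)` is the reliable form and `sys` is already imported. The `None` comparisons in `cmd()` should be identity checks, `if out is None:` and `if outerr is None:`, and note that with the default `stderr=subprocess.STDOUT` the `outerr` branch is always taken since `communicate()` returns `None` for stderr in that case.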