Hello, same as last time - see attached file ;-)
Regards, Christian Boltz -- who needs facts if polemics are that much easier to get into. [Sven Burmeister in opensuse-factory]
=== modified file 'Testing/severity_test.py'
--- Testing/severity_test.py 2013-07-06 13:27:06 +0000
+++ Testing/severity_test.py 2013-07-08 22:16:26 +0000
@@ -6,7 +6,6 @@
 import sys
 import unittest
-sys.path.append('../')
 sys.path.append('../apparmor')
### I'd expect to have '../apparmor' removed instead
### (and with the current code, "import apparmor.severity" fails ;-)
=== modified file 'apparmor/aa.py'
--- apparmor/aa.py 2013-07-06 13:27:06 +0000
+++ apparmor/aa.py 2013-07-08 22:16:26 +0000
@@ -393,6 +394,263 @@ +def create_new_profile(localfile): + local_profile = hasher() + local_profile[localfile]['flags'] = 'complain' + local_profile[localfile]['include']['abstractions/base'] = 1 + #local_profile = { + # localfile: { + # 'flags': 'complain', + # 'include': {'abstraction/base': 1}, + # 'allow': {'path': {}} + # } + # } + if os.path.isfile(localfile): + hashbang = head(localfile) + if hashbang.startswith('#!'): + interpreter = get_full_path(hashbang.lstrip('#!').strip()) + try: + local_profile[localfile]['allow']['path'][localfile]['mode'] |= str_to_mode('r') + except TypeError: + local_profile[localfile]['allow']['path'][localfile]['mode'] = str_to_mode('r') ### you need this try/except lots of times. ### can you make it a function with a one-line call instead? + try: + local_profile[localfile]['allow']['path'][localfile]['audit'] |= 0 + except TypeError: + local_profile[localfile]['allow']['path'][localfile]['audit'] = 0 + try: + local_profile[localfile]['allow']['path'][interpreter]['mode'] |= str_to_mode('ix') + except TypeError: + local_profile[localfile]['allow']['path'][interpreter]['mode'] = str_to_mode('ix') + try: + local_profile[localfile]['allow']['path'][interpreter]['audit'] |= 0 + except TypeError: + local_profile[localfile]['allow']['path'][interpreter]['audit'] = 0 + if 'perl' in interpreter: + local_profile[localfile]['include']['abstractions/perl'] = 1 + elif 'python' in interpreter: + local_profile[localfile]['include']['abstractions/python'] = 1 + elif 'ruby' in interpreter: + local_profile[localfile]['include']['abstractions/ruby'] = 1 + elif '/bin/bash' in interpreter or '/bin/dash' in interpreter or '/bin/sh' in interpreter: + local_profile[localfile]['include']['abstractions/ruby'] = 1 ### this would be easier readable and easier to maintain if you make it an array like: ### interpreter['perl'] = 'abstractions/perl' ### interpreter['bash'] = 'abstractions/bash' ### interpreter['sh'] = 'abstractions/bash' ### ### besides 
that, checking the interpreter basename (path stripped off) feels better than using "... in interpreter" ### (even if this means we have to add "python3" explicitely) + handle_binfmt(local_profile[localfile], interpreter) + else: + try: + local_profile[localfile]['allow']['path'][localfile]['mode'] |= str_to_mode('mr') + except TypeError: + local_profile[localfile]['allow']['path'][localfile]['mode'] = str_to_mode('mr') + try: + local_profile[localfile]['allow']['path'][localfile]['audit'] |= 0 + except TypeError: + local_profile[localfile]['allow']['path'][localfile] = 0 + handle_binfmt(local_profile[localfile], localfile) + # Add required hats to the profile if they match the localfile + for hatglob in cfg['required_hats'].keys(): + if re.search(hatglob, localfile): + for hat in sorted(cfg['required_hats'][hatglob].split()): + local_profile[hat]['flags'] = 'complain' + + created.append(localfile) + if DEBUGGING: + debug_logger.debug("Profile for %s:\n\t%s" % (localfile, local_profile.__str__())) ### let debug_logger check DEBUGGING itsself - this will save you lots of "if DEBUGGING:" lines ;-) + return {localfile: local_profile} + +def delete_profile(local_prof): + """Deletes the specified file from the disk and remove it from our list""" + profile_file = get_profile_filename(local_prof) + if os.path.isfile(profile_file): + os.remove(profile_file) + if aa.get(local_prof, False): + aa.pop(local_prof) ### should delete_profile also unload the profile from the kernel? 
+def set_profile_flags(prof_filename, newflags): + """Reads the old profile file and updates the flags accordingly""" + regex_bin_flag = re.compile('^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/') + regex_hat_flag = re.compile('^(\s*\^\S+)\s+(flags=\(.+\)\s+)*\{\s*$') + if os.path.isfile(prof_filename): + with open_file_read(prof_filename) as f_in: + with open_file_write(prof_filename + '.new') as f_out: ### using tempfile.NamedTemporaryFile would be better (if someone runs two instances of logprof at the same time) ### as in the config module, create the tempfile in the same directory ### the prefix should be prof_filename + .new + for line in f_in: + match = regex_bin_flag.search(line) + if match: + space, binary, flags = match.groups() + if newflags: + line = '%s%s flags=(%s) {\n' % (space, binary, newflags) + else: + line = '%s%s {\n' % (space, binary) ### does this keep inline comments? I doubt... ### example line: /bin/foo { # profile for foo + else: + match = regex_hat_flag.search(line) + if match: + hat, flags = match.groups() + if newflags: + line = '%s flags=(%s) {\n' % (hat, newflags) + else: + line = '%s {\n' % hat ### same here - looks like inline comments are dropped + f_out.write(line) + os.rename(prof_filename+'.new', prof_filename) ### follow-up: the rename needs to use the tempfile name I proposed above === modified file 'apparmor/common.py' --- apparmor/common.py 2013-07-03 23:34:04 +0000 +++ apparmor/common.py 2013-07-08 22:16:26 +0000 @@ -18,6 +19,7 @@ self.value = value def __str__(self): + return self.value return repr(self.value) ### "return repr..." is unused - maybe clearly mark it as a comment vim:ft=diff
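Review bot: `regex_bin_flag` in `set_profile_flags` can never match as written: the pattern ends in `\{\s*$/'`, and the trailing `/` (apparently a leftover Perl delimiter) has to match a character after end-of-line, so the profile-header branch is dead and a profile's `flags=(...)` line is never rewritten — a caller trying to move a profile from complain to enforce would silently leave it in complain mode. Even with the `/` removed, `space, binary, flags = match.groups()` unpacks three names from a six-group pattern and would raise ValueError on the first real match; the fix is `regex_bin_flag = re.compile(r'^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$')` together with `space, binary, flags = match.group(1), match.group(2), match.group(6)`. In `create_new_profile`, the non-script branch's fallback writes `local_profile[localfile]['allow']['path'][localfile] = 0`, which drops the `['audit']` key and replaces the whole path entry (including the `mode` set just above it) with an int, and since `hasher()` appears to autovivify, that TypeError fallback looks like the normal path for a fresh profile; it should read `local_profile[localfile]['allow']['path'][localfile]['audit'] = 0` like the other branches. The `/bin/bash`, `/bin/dash` and `/bin/sh` branch sets `abstractions/ruby` where `abstractions/bash` is evidently intended, so shell scripts get the wrong abstraction included.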
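Review bot: The new `return self.value` in `__str__` raises `TypeError: __str__ returned non-string` as soon as the exception is constructed with a non-str value (an errno, a path object, another exception) and then printed or logged, so error reporting would fail in exactly the situations it exists for. If the intent is only to drop the quotes that repr() adds around strings, `return str(self.value)` keeps that behaviour for str values and stays safe for everything else. The class this method belongs to begins outside the hunk, so I cannot see whether `value` is constrained to str at construction time; if it is, a comment saying so next to `self.value = value` would make the direct return defensible.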