Hello, Am Sonntag, 17. Mai 2015 schrieb Christian Boltz: > I tested all changes manually.
... and another test with a different profile resulted in a crash because other.aa[profile][hat]['network'] wasn't initialized :-( Here's the updated patch that - adds a check for that - moves around the remaining "if 1 == 1: # avoid whitespace change" - moves setting q.functions outside the if block and de-duplicates it [ 08-mergeprof-network-rule.diff ] === modified file utils/aa-mergeprof --- utils/aa-mergeprof 2015-05-17 18:54:52.750566063 +0200 +++ utils/aa-mergeprof 2015-05-17 19:07:35.296852571 +0200 
@@ -714,37 +715,45 @@ elif re.search('\d', ans): default_option = ans - # - for allow in ['allow', 'deny']: - for family in sorted(other.aa[profile][hat][allow]['netdomain']['rule'].keys()): - # severity handling for net toggles goes here + if 1 == 1: # avoid whitespace change + if other.aa[profile][hat].get('network', False): # needed until we have proper profile initialization + for net_obj in other.aa[profile][hat]['network'].rules: + # severity handling for net toggles goes here + + if apparmor.aa.is_known_rule(self.user.aa[profile][hat], 'network', net_obj): + continue - for sock_type in sorted(other.aa[profile][hat][allow]['netdomain']['rule'][family].keys()): - #if apparmor.aa.profile_known_network(self.user.aa[profile][hat], family, sock_type): - # continue - # disabled for now because it crashes, for details and impact see - # https://bugs.launchpad.net/apparmor/+bug/1382241 + if net_obj.all_domains: + family = 'ALL' + else: + family = net_obj.domain + + if net_obj.all_type_or_protocols: + sock_type = 'ALL' + else: + sock_type = net_obj.type_or_protocol default_option = 1 options = [] - newincludes = apparmor.aa.match_net_includes(self.user.aa[profile][hat], family, sock_type) + newincludes = apparmor.aa.match_includes(self.user.aa[profile][hat], 'network', net_obj) q = aaui.PromptQuestion() if newincludes: options += list(map(lambda s: '#include <%s>'%s, sorted(set(newincludes)))) if True:#options: - options.append('network %s %s' % (family, sock_type)) + options.append(net_obj.get_clean()) q.options = options q.selected = default_option - 1 + audit = '' + if net_obj.audit: + audit = 'audit ' + q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)] - q.headers += [_('Network Family'), family] + q.headers += [_('Network Family'), audit + family] q.headers += [_('Socket Type'), sock_type] - audit_toggle = 0 - q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW', - 'CMD_ABORT', 'CMD_FINISHED'] - - q.default = 'CMD_ALLOW' + 
q.functions = available_buttons(net_obj) + q.default = q.functions[0] done = False while not done: @@ -757,15 +766,19 @@ return if ans.startswith('CMD_AUDIT'): - audit_toggle = not audit_toggle - audit = '' - if audit_toggle: - audit = 'audit' - q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_OFF', - 'CMD_ABORT', 'CMD_FINISHED'] + if ans == 'CMD_AUDIT_NEW': + net_obj.audit = True + net_obj.raw_rule = None + audit = 'audit ' else: - q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW', - 'CMD_ABORT', 'CMD_FINISHED'] + net_obj.audit = False + net_obj.raw_rule = None + audit = '' + + q.functions = available_buttons(net_obj) + options[len(options) - 1] = net_obj.get_clean() + q.options = options + q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)] q.headers += [_('Network Family'), audit + family] q.headers += [_('Socket Type'), sock_type] @@ -788,8 +801,7 @@ aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) else: - self.user.aa[profile][hat]['allow']['netdomain']['audit'][family][sock_type] = audit_toggle - self.user.aa[profile][hat]['allow']['netdomain']['rule'][family][sock_type] = True + self.user.aa[profile][hat]['network'].add(net_obj) apparmor.aa.changed[profile] = True 
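Review bot: net_obj is taken straight out of `other.aa[profile][hat]['network'].rules` and later has its audit, deny and raw_rule attributes rewritten (the CMD_AUDIT branches in the second hunk, the CMD_DENY branch in the last hunk) before being added to self.user's ruleset, so the same object then sits in both rulesets and the other profile's rule is changed as a side effect of the prompt. Whether that matters depends on whether `other` is written back or reused after the merge, which is not visible here; if it is, the loop should work on a copy, e.g. `net_obj = copy.deepcopy(net_obj)` as the first statement of the for body (with `import copy` at file level), so toggling audit or deny only affects the rule the user actually accepts. The `if 1 == 1: # avoid whitespace change` wrapper is described as temporary in the posting; a follow-up should drop it so the indentation reflects the real structure. The enclosing method starts before this hunk and its while loop continues after it.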
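Review bot: the two CMD_AUDIT branches differ only in the boolean and both reset raw_rule, so they can collapse to `net_obj.audit = (ans == 'CMD_AUDIT_NEW')`, `net_obj.raw_rule = None` and `audit = 'audit ' if net_obj.audit else ''`, and `options[len(options) - 1] = net_obj.get_clean()` is just `options[-1] = net_obj.get_clean()`. Resetting raw_rule deserves a short comment because its purpose is not visible here — presumably it discards a cached textual form so get_clean() is regenerated from the flags — e.g. `# drop cached text so get_clean() reflects the new audit flag`. The replacement of the last option also silently assumes the network rule is the final entry, which holds only because the first hunk appends it after the #include entries; a one-line comment saying so would save the next reader a check. The enclosing while loop starts before this hunk.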
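Review bot: `self.user.aa[profile][hat]['network'].add(net_obj)` indexes 'network' unconditionally, while the first hunk only guards `other.aa[profile][hat].get('network', False)` and explains that guard as needed until profile initialization is fixed. If the user's profile can lack that key for the same reason, accepting a rule raises KeyError here and at the identical call in the CMD_DENY branch of the last hunk; either initialize the key before the prompt loop or guard it the same way. The enclosing while loop starts before and ends after this hunk.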
@@ -797,12 +809,32 @@ elif ans == 'CMD_DENY': done = True - self.user.aa[profile][hat]['deny']['netdomain']['rule'][family][sock_type] = True + net_obj.deny = True + net_obj.raw_rule = None + self.user.aa[profile][hat]['network'].add(net_obj) apparmor.aa.changed[profile] = True aaui.UI_Info(_('Denying network access %(family)s %(type)s to profile') % { 'family': family, 'type': sock_type }) else: done = False + +def available_buttons(rule_obj): + buttons = [] + + if not rule_obj.deny: + buttons += ['CMD_ALLOW'] + + buttons += ['CMD_DENY', 'CMD_IGNORE_ENTRY'] + + if rule_obj.audit: + buttons += ['CMD_AUDIT_OFF'] + else: + buttons += ['CMD_AUDIT_NEW'] + + buttons += ['CMD_ABORT', 'CMD_FINISHED'] + + return buttons + if __name__ == '__main__': main() Regards, Christian Boltz -- Naja, wer in der bekannten närrischen Zeit an jemanden in einer der Karnevalsgegenden mailt, muß damit rechnen, daß seine Mail kaum vor Freitag beantwortet wird. Vorher sind die Leute da kaum wieder nüchtern und ansprechbar. ;)) [Martin Falley in suse-linux] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
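Review bot: `available_buttons` is a new module-level function with no docstring, although it decides which commands the prompt offers (no CMD_ALLOW for a deny rule, CMD_AUDIT_OFF instead of CMD_AUDIT_NEW once audit is set), so add one such as `"""Return the prompt commands valid for rule_obj, derived from its deny and audit flags."""`. Stylistically the single-element `buttons += [...]` lines read more naturally as `buttons.append(...)` with `buttons.extend([...])` for the pairs, though that is preference. Note also that `q.default = q.functions[0]` in the first hunk means a rule from other with deny already set is offered with CMD_DENY preselected, which looks intended but is worth a comment at that line.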