Hello, Am Donnerstag, 14. Mai 2015 schrieb Christian Boltz: > [ 06-mergeprof-capability-rule.diff ]
Here's an updated patch with two small changes: - update comment about the other.aa[profile][hat].get('capability') check - if it's needed for network rules, then it's probably also needed for capability rules ;-) - use is_known_rule() instead of is_covered() so that include files are also checked [ 06-mergeprof-capability-rule.diff ]
=== modified file utils/aa-mergeprof
--- utils/aa-mergeprof 2015-05-17 19:16:48.381652462 +0200
+++ utils/aa-mergeprof 2015-05-17 19:18:53.885346883 +0200
@@ -309,32 +309,51 @@ return #Add the capabilities - for allow in ['allow', 'deny']: - if other.aa[profile][hat].get(allow, False): - continue - for capability in sorted(other.aa[profile][hat][allow]['capability'].keys()): - severity = sev_db.rank('CAP_%s' % capability) + if other.aa[profile][hat].get('capability', False): # needed until we have proper profile initialization + for cap_obj in other.aa[profile][hat]['capability'].rules: + + if apparmor.aa.is_known_rule(self.user.aa[profile][hat], 'capability', cap_obj): + continue + + if cap_obj.all_caps: + severity = 10 + cap_txt = 'ALL' + else: + cap_txt = ' '.join(cap_obj.capability) + severity = 0 + for cap in cap_obj.capability: + severity = max(severity, sev_db.rank('CAP_%s' % cap)) + + if cap_obj.deny: + cap_txt = 'deny %s' % cap_txt + + if cap_obj.audit: + cap_txt = 'audit %s' % cap_txt + default_option = 1 options = [] - newincludes = apparmor.aa.match_cap_includes(self.user.aa[profile][hat], capability) + newincludes = apparmor.aa.match_includes(self.user.aa[profile][hat], 'capability', cap_obj) q = aaui.PromptQuestion() if newincludes: options += list(map(lambda inc: '#include <%s>' %inc, sorted(set(newincludes)))) if options: - options.append('capability %s' % capability) + options.append(cap_obj.get_clean()) q.options = options q.selected = default_option - 1 q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)] - q.headers += [_('Capability'), capability] + q.headers += [_('Capability'), cap_txt] q.headers += [_('Severity'), severity] audit_toggle = 0 - q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED'] + q.functions = [] + if not cap_obj.deny: + q.functions += ['CMD_ALLOW'] + q.functions += ['CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED'] - q.default = 'CMD_ALLOW' + q.default = q.functions[0] done = False while not done: 
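Review bot: The severity displayed for the merged rule is set by a bare `severity = 10` in the `all_caps` branch and by a `max()` over the listed capabilities in the `else` branch, and neither choice is explained in the hunk. Both look right from a security standpoint — a bare `capability` rule grants every capability, so it deserves what is presumably the top of the scale, and a rule naming several capabilities is as dangerous as its worst member — but the next reader has to rediscover that, so add `severity = 10  # presumably the top of the severity scale: a bare 'capability' rule grants every capability` and, above the loop, `# a rule naming several capabilities is as severe as its most dangerous one`. The loop also assumes `sev_db.rank()` returns a number for every `CAP_*` name; if the severity database can hand back a non-numeric rank for an unknown capability, the `max()` would raise under Python 3, which is worth confirming against severity.py. The enclosing method starts before this hunk and continues past it.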
@@ -362,19 +381,20 @@ if deleted: aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted) - self.user.aa[profile][hat]['allow']['capability'][capability]['set'] = True - self.user.aa[profile][hat]['allow']['capability'][capability]['audit'] = other.aa[profile][hat]['allow']['capability'][capability]['audit'] + self.user.aa[profile][hat]['capability'].add(cap_obj) apparmor.aa.changed[profile] = True - aaui.UI_Info(_('Adding capability %s to profile.'), capability) + aaui.UI_Info(_('Adding %s to profile.') % cap_obj.get_clean()) done = True elif ans == 'CMD_DENY': - self.user.aa[profile][hat]['deny']['capability'][capability]['set'] = True + cap_obj.deny = True + cap_obj.raw_rule = None # reset raw rule after manually modifying cap_obj + self.user.aa[profile][hat]['capability'].add(cap_obj) apparmor.aa.changed[profile] = True - aaui.UI_Info(_('Denying capability %s to profile.') % capability) + aaui.UI_Info(_('Adding %s to profile.') % cap_obj.get_clean()) done = True else: done = False === modified file utils/apparmor/aa.py --- utils/apparmor/aa.py 2015-05-17 19:16:48.384652288 +0200 +++ utils/apparmor/aa.py 2015-05-14 01:51:45.582085900 +0200 @@ -2154,11 +2154,6 @@ return match_includes(incname, 'network', network_obj) -def match_cap_includes(profile, capability): - # still used by aa-mergeprof - capability_obj = CapabilityRule(capability) - return match_includes(profile, 'capability', capability_obj) - def match_includes(profile, rule_type, rule_obj): newincludes = [] for incname in include.keys(): Regards, Christian Boltz -- > > Ein einziges Wort: Gentoo. > NEEEEEIIIIIINNNNNNNNNN *duck_und_wegrenn* Psssssssssssst. Ich sagte doch nur "ein Wort". ;-) [> Bernhard Walle und Tobias Weisserth in suse-linux] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
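Review bot: In the CMD_DENY branch the `cap_obj` taken from `other.aa[profile][hat]['capability'].rules` is mutated in place (`cap_obj.deny = True`, `cap_obj.raw_rule = None`) and then that same object is added to the user's ruleset, so the rule in `other` silently turns into a deny rule and both profiles end up sharing one object; the CMD_ALLOW branch shares the object as well. If the merge source is reported on or reused after this prompt, that aliasing changes what it sees. Take a private copy before modifying it, e.g. `cap_obj = copy.deepcopy(cap_obj)` at the top of the CMD_DENY branch (or a copy method if the rule classes provide one; no `copy` import is visible in this chunk). Separately, `self.user.aa[profile][hat]['capability'].add(cap_obj)` has no counterpart to the `.get('capability', False)` guard the `other` side needed, so it is worth confirming the user profile's capability ruleset is always initialized by the time this runs. The enclosing method starts before this hunk and continues past it.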