Hello, this patch changes aa.py to use RlimitRule and RlimitRuleset instead of a sub-hasher to store and write rlimit rules. In detail: - drop all rlimit rule parsing from parse_profile_data() and serialize_profile_from_old_profile() - instead, just call RlimitRule.parse() - change write_rlimits() to use RlimitRuleset - add removal of superfluous/duplicate change_profile rules (the old code didn't do this) - update the comment about aa[profile][hat] usage - rlimit and change_profile are no longer dicts.
Also cleanup RE_PROFILE_RLIMIT in regex.py - the parenthesis around '<=' are no longer needed. Note: This patch is quite small because aa-logprof doesn't ask for rlimit rules. I tested all changes manually with aa-cleanprof and aa-logprof (adding some file rules, rlimit rules kept unchanged) [ 44-use-RlimitRule.diff ] === modified file utils/apparmor/aa.py --- utils/apparmor/aa.py 2015-06-05 14:07:18.252686648 +0200 +++ utils/apparmor/aa.py 2015-06-05 14:40:18.998189733 +0200 @@ -41,7 +41,7 @@ flatten_mode, owner_flatten_mode) from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK, - RE_PROFILE_ALIAS, RE_PROFILE_RLIMIT, + RE_PROFILE_ALIAS, RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, RE_PROFILE_CONDITIONAL, RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN, RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY, @@ -56,6 +56,7 @@ from apparmor.rule.capability import CapabilityRuleset, CapabilityRule from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule from apparmor.rule.network import NetworkRuleset, NetworkRule +from apparmor.rule.rlimit import RlimitRuleset, RlimitRule from apparmor.rule import parse_modifiers, quote_if_needed from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast @@ -104,7 +105,7 @@ transitions = hasher() # keys used in aa[profile][hat]: -# a) rules (as dict): alias, change_profile, include, lvar, rlimit +# a) rules (as dict): alias, include, lvar # b) rules (as hasher): allow, deny # c) one for each rule class # d) other: declared, external, flags, name, profile, attachment, initial_comment, @@ -2069,6 +2070,7 @@ deleted += profile['network'].delete_duplicates(include[incname][incname]['network']) deleted += profile['capability'].delete_duplicates(include[incname][incname]['capability']) deleted += profile['change_profile'].delete_duplicates(include[incname][incname]['change_profile']) + deleted += profile['rlimit'].delete_duplicates(include[incname][incname]['rlimit']) deleted += delete_path_duplicates(profile, incname, 'allow') deleted += delete_path_duplicates(profile, incname, 'deny') @@ -2077,6 +2079,7 @@ deleted += profile['network'].delete_duplicates(filelist[incname][incname]['network']) deleted += profile['capability'].delete_duplicates(filelist[incname][incname]['capability']) deleted += profile['change_profile'].delete_duplicates(filelist[incname][incname]['change_profile']) + deleted += profile['rlimit'].delete_duplicates(filelist[incname][incname]['rlimit']) deleted += delete_path_duplicates(profile, incname, 'allow') deleted += delete_path_duplicates(profile, incname, 'deny') @@ -2597,6 +2600,7 @@ profile_data[profile][hat]['network'] = NetworkRuleset() profile_data[profile][hat]['change_profile'] = ChangeProfileRuleset() + profile_data[profile][hat]['rlimit'] = RlimitRuleset() profile_data[profile][hat]['allow']['path'] = hasher() profile_data[profile][hat]['allow']['dbus'] = list() profile_data[profile][hat]['allow']['mount'] = list() @@ -2688,16 +2692,15 @@ filelist[file] = hasher() filelist[file]['alias'][from_name] = to_name - elif RE_PROFILE_RLIMIT.search(line): - matches = RE_PROFILE_RLIMIT.search(line).groups() - + elif RlimitRule.match(line): if not profile: raise AppArmorException(_('Syntax Error: Unexpected rlimit entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 }) - from_name = matches[0] - to_name = matches[2] + # init rule class (if not done yet) + if not profile_data[profile][hat].get('rlimit', False): + profile_data[profile][hat]['rlimit'] = RlimitRuleset() - profile_data[profile][hat]['rlimit'][from_name] = to_name + profile_data[profile][hat]['rlimit'].add(RlimitRule.parse(line)) elif RE_PROFILE_BOOLEAN.search(line): matches = RE_PROFILE_BOOLEAN.search(line) @@ -3227,7 +3230,10 @@ return write_pair(prof_data, depth, '', 'alias', 'alias ', ' -> ', ',', quote_if_needed) def write_rlimits(prof_data, depth): - return write_pair(prof_data, depth, '', 'rlimit', 'set rlimit ', ' <= ', ',', quote_if_needed) + data = [] + if prof_data.get('rlimit', False): + data = prof_data['rlimit'].get_clean(depth) + return data def var_transform(ref): data = [] @@ -3831,20 +3837,14 @@ #To-Do pass - elif RE_PROFILE_RLIMIT.search(line): - matches = RE_PROFILE_RLIMIT.search(line).groups() + elif RlimitRule.match(line): + rlimit_obj = RlimitRule.parse(line) - from_name = matches[0] - to_name = matches[2] - - if not write_prof_data[hat]['rlimit'][from_name] == to_name: - correct = False - - if correct: + if write_prof_data[hat]['rlimit'].is_covered(rlimit_obj, True, True): if not segments['rlimit'] and True in segments.values(): data += write_prior_segments(write_prof_data[name], segments, line) segments['rlimit'] = True - write_prof_data[hat]['rlimit'].pop(from_name) + write_prof_data[hat]['rlimit'].delete(rlimit_obj) data.append(line) else: #To-Do === modified file utils/apparmor/regex.py --- utils/apparmor/regex.py 2015-06-05 15:11:41.644540358 +0200 +++ utils/apparmor/regex.py 2015-06-05 15:18:22.489599340 +0200 @@ -33,7 +33,7 @@ RE_PROFILE_CAP = re.compile(RE_AUDIT_DENY + 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL) RE_PROFILE_LINK = re.compile(RE_AUDIT_DENY + 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' + RE_COMMA_EOL) RE_PROFILE_ALIAS = re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL) -RE_PROFILE_RLIMIT = re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*(<=)\s*(?P<value>[^ ]+)' + RE_COMMA_EOL) +RE_PROFILE_RLIMIT = re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*<=\s*(?P<value>[^ ]+)' + RE_COMMA_EOL) RE_PROFILE_BOOLEAN = re.compile('^\s*(\$\{?\w*\}?)\s*=\s*(true|false)\s*,?' + RE_EOL, flags=re.IGNORECASE) RE_PROFILE_VARIABLE = re.compile('^\s*(@\{?\w+\}?)\s*(\+?=)\s*(@*.+?)\s*,?' + RE_EOL) RE_PROFILE_CONDITIONAL = re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL) Regards, Christian Boltz -- [von KDE 3.0.0 auf 3.0.1 updaten] > Wenn KDE 3.0.0 noch immer startet wurde 3.0.1 nicht richtig > installiert würde ich mal behaupten :) newer version, bla bla. Aber eben nicht bei "base" naja. Ich habe nun gemerkt, daß es garnicht installiert wurde. [...] Ich DAKU (dümmster anzunehmender KDE Updater) [> Matthias Hentges und Stefan Onken in suse-linux] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor