Hello, the only difference between PROFILE_MODE_RE and PROFILE_MODE_NT_RE was that the latter one additionally allowed 'x', which looks wrong. (Standalone 'x' is ok for deny rules, but those are handled by PROFILE_MODE_DENY_RE.)
This patch completely drops PROFILE_MODE_NT_RE and the related code in validate_profile_mode(). Also wrap the two remaining regexes in '^(...)+$' instead of doing it inside validate_profile_mode(). This makes the code more readable and also results in a 2% performance improvement when parsing profiles. I propose this patch for trunk and 2.9, even if it's not as important for 2.9 as the previous patch. Fun fact: this was introduced by John in SubDomain.pm r1097 with the "helpful" commit message "Add new exec modes and many bug fixes" which described a 634 insertions(+), 226 deletions(-) commit. [ 64-improve-validate-profile-mode.diff ] === modified file utils/apparmor/aa.py --- utils/apparmor/aa.py 2015-07-05 15:21:55.663027403 +0200 +++ utils/apparmor/aa.py 2015-07-05 15:33:14.837384490 +0200 
@@ -2422,28 +2422,18 @@ if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)): log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True -PROFILE_MODE_RE = re.compile('r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix') -PROFILE_MODE_NT_RE = re.compile('r|w|l|m|k|a|x|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix') -PROFILE_MODE_DENY_RE = re.compile('r|w|l|m|k|a|x') +PROFILE_MODE_RE = re.compile('^(r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix)+$') +PROFILE_MODE_DENY_RE = re.compile('^(r|w|l|m|k|a|x)+$') def validate_profile_mode(mode, allow, nt_name=None): if allow == 'deny': - pattern = '^(%s)+$' % PROFILE_MODE_DENY_RE.pattern - if re.search(pattern, mode): - return True - else: - return False - - elif nt_name: - pattern = '^(%s)+$' % PROFILE_MODE_NT_RE.pattern - if re.search(pattern, mode): + if PROFILE_MODE_DENY_RE.search(mode): return True else: return False else: - pattern = '^(%s)+$' % PROFILE_MODE_RE.pattern - if re.search(pattern, mode): + if PROFILE_MODE_RE.search(mode): return True else: return False
Regards,
Christian Boltz
-- 
Even if there CAN'T be anything there and you'd rather add new parameters. Would you do ME the favour, please, and read through your main.cf at least ONCE looking for odd line breaks and entries? Just for my sake, please. I know, it's nonsense of course. Will you do it anyway? [Peer Heinlein in postfixbuch-users]
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
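Review bot: with the `elif nt_name:` branch removed in this hunk, `nt_name` becomes a dead parameter of `validate_profile_mode(mode, allow, nt_name=None)`; either drop it from the signature once its callers are adjusted, or add a one-line comment saying it is kept for compatibility, otherwise the next reader will look for the code path it selects. On the new anchored patterns: `PROFILE_MODE_RE.search(mode)` with `^(...)+$` is correct, but note that Python's `$` also matches just before a trailing newline, so a mode string ending in '\n' would still validate; `\Z` in place of `$` (or `fullmatch` on Python 3.4+) closes that gap for both `PROFILE_MODE_RE` and `PROFILE_MODE_DENY_RE`. Minor style point: the two `if ...: return True else: return False` pairs can collapse to `return bool(PROFILE_MODE_DENY_RE.search(mode))` and `return bool(PROFILE_MODE_RE.search(mode))`.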