Hello,

the only difference between PROFILE_MODE_RE and PROFILE_MODE_NT_RE 
was that the latter one additionally allowed 'x', which looks wrong.
(Standalone 'x' is ok for deny rules, but those are handled by
PROFILE_MODE_DENY_RE.)

This patch completely drops PROFILE_MODE_NT_RE and the related code in
validate_profile_mode().

Also wrap the two remaining regexes in '^(...)+$' instead of doing it
inside validate_profile_mode(). This makes the code more readable and
also results in a 2% performance improvement when parsing profiles.


I propose this patch for trunk and 2.9, even if it's not as important
for 2.9 as the previous patch.


Fun fact: this was introduced by John in SubDomain.pm r1097 with the
"helpful" commit message "Add new exec modes and many bug fixes" which
described a 634 insertions(+), 226 deletions(-) commit.


[ 64-improve-validate-profile-mode.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-07-05 15:21:55.663027403 +0200
+++ utils/apparmor/aa.py        2015-07-05 15:33:14.837384490 +0200
@@ -2422,28 +2422,18 @@
                         if not is_known_rule(aa[profile][hat], 'network', 
NetworkRule(family, sock_type)):
                             
log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True
 
-PROFILE_MODE_RE = 
re.compile('r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix')
-PROFILE_MODE_NT_RE = 
re.compile('r|w|l|m|k|a|x|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix')
-PROFILE_MODE_DENY_RE = re.compile('r|w|l|m|k|a|x')
+PROFILE_MODE_RE      = 
re.compile('^(r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix)+$')
+PROFILE_MODE_DENY_RE = re.compile('^(r|w|l|m|k|a|x)+$')
 
 def validate_profile_mode(mode, allow, nt_name=None):
     if allow == 'deny':
-        pattern = '^(%s)+$' % PROFILE_MODE_DENY_RE.pattern
-        if re.search(pattern, mode):
-            return True
-        else:
-            return False
-
-    elif nt_name:
-        pattern = '^(%s)+$' % PROFILE_MODE_NT_RE.pattern
-        if re.search(pattern, mode):
+        if PROFILE_MODE_DENY_RE.search(mode):
             return True
         else:
             return False
 
     else:
-        pattern = '^(%s)+$' % PROFILE_MODE_RE.pattern
-        if re.search(pattern, mode):
+        if PROFILE_MODE_RE.search(mode):
             return True
         else:
             return False
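Review bot: with the 'elif nt_name:' branch gone, the 'nt_name=None' parameter in the unchanged context line 'def validate_profile_mode(mode, allow, nt_name=None):' is now dead; either drop it and adjust the callers in the same patch, or say in the description why it stays (e.g. to keep the signature stable for callers). Two smaller points on the same lines: the remaining 'if PROFILE_MODE_RE.search(mode): return True / else: return False' (and the identical deny branch) collapses to 'return bool(PROFILE_MODE_RE.search(mode))', and since both patterns are now anchored with '^(...)+$', keep in mind that '$' also matches just before a trailing newline, so search() still accepts a mode such as 'rw\n'; if a caller can ever hand over such a string, 're.fullmatch()' (Python 3.4+) or a '\Z' anchor would reject it.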




Regards,

Christian Boltz
-- 
Even if there CAN'T be anything there and you'd rather add new parameters:
would you please do ME the favour and read through your main.cf at least
ONCE, looking for odd line breaks and entries? Just for my sake, please.
I know, it's nonsense of course. Will you do it anyway?
[Peer Heinlein in postfixbuch-users]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
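An added example, not part of Christian's mail or of the AppArmor code: the pre-patch and post-patch validators side by side on a few constructed mode strings, so the one behavioural change (a bare 'x' in an allow rule for a hat, i.e. with nt_name set, going from accepted to rejected) is visible next to the cases the patch leaves alone. The regexes are the ones from the diff; the function names validate_profile_mode_old/_new/_strict, compare_validators and changed_cases are invented for this demonstration, and the _strict variant using re.fullmatch() is a hypothetical addition that only shows where the '$' anchor still lets a trailing newline through.

```python
import re

# Added example, not AppArmor's own code. The regexes are copied from the
# patch; the function names are invented for this demonstration.

# Pre-patch: three unanchored regexes, anchored again on every call, plus a
# branch for hats (nt_name set) that also accepted a bare 'x' in allow rules.
OLD_PROFILE_MODE_RE = re.compile('r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix')
OLD_PROFILE_MODE_NT_RE = re.compile('r|w|l|m|k|a|x|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix')
OLD_PROFILE_MODE_DENY_RE = re.compile('r|w|l|m|k|a|x')


def validate_profile_mode_old(mode, allow, nt_name=None):
    """Behaviour of validate_profile_mode() before the patch."""
    if allow == 'deny':
        regex = OLD_PROFILE_MODE_DENY_RE
    elif nt_name:
        regex = OLD_PROFILE_MODE_NT_RE
    else:
        regex = OLD_PROFILE_MODE_RE
    # the anchors were added by rebuilding the pattern string on each call
    return re.search('^(%s)+$' % regex.pattern, mode) is not None


# Post-patch: two regexes, anchored once at compile time; nt_name is ignored.
PROFILE_MODE_RE = re.compile('^(r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix)+$')
PROFILE_MODE_DENY_RE = re.compile('^(r|w|l|m|k|a|x)+$')


def validate_profile_mode_new(mode, allow, nt_name=None):
    """Behaviour of validate_profile_mode() after the patch."""
    regex = PROFILE_MODE_DENY_RE if allow == 'deny' else PROFILE_MODE_RE
    return regex.search(mode) is not None


def validate_profile_mode_strict(mode, allow):
    """Hypothetical stricter variant (not in the patch): fullmatch() does not
    let '$' match before a trailing newline, so 'rw\\n' is rejected here
    although search() above accepts it."""
    regex = PROFILE_MODE_DENY_RE if allow == 'deny' else PROFILE_MODE_RE
    return regex.fullmatch(mode) is not None


# Constructed inputs for this example: (mode, allow, nt_name)
CASES = [
    ('rix', 'allow', None),     # plain profile, valid exec mode
    ('Pix', 'allow', None),     # alternation backtracks past 'Px' to 'Pix'
    ('rx', 'allow', None),      # bare 'x' was never valid for a profile
    ('rx', 'allow', 'hat'),     # ...but was accepted for a hat before the patch
    ('rx', 'deny', None),       # bare 'x' is fine in deny rules
    ('rix', 'deny', None),      # deny rules do not take exec modifiers
    ('', 'allow', None),        # empty mode never matches '(...)+'
    ('rw\n', 'allow', None),    # '$' matches before a trailing newline
]


def compare_validators(cases=CASES):
    """Return {(mode, allow, nt_name): (old_result, new_result)}."""
    return {case: (validate_profile_mode_old(*case),
                   validate_profile_mode_new(*case)) for case in cases}


def changed_cases(cases=CASES):
    """Only the inputs where the patch changes the verdict."""
    return [case for case, (old, new) in compare_validators(cases).items()
            if old != new]


if __name__ == '__main__':
    for case, (old, new) in compare_validators().items():
        print('%-24r old=%-5s new=%-5s strict=%s' % (
            case, old, new, validate_profile_mode_strict(case[0], case[1])))
```

Running the block prints one line per constructed case; the only row where old and new disagree is ('rx', 'allow', 'hat'), which is exactly the bare-'x'-for-hats acceptance the patch removes, and the last row shows the trailing-newline difference between search() and fullmatch().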
