Hello, having a list of rule types/classes at several places is annoying and error-prone. This patch centralizes the list in aa.py.
This also means ask_the_question() in aa.py will now (in theory) support 'change_profile' and 'rlimit'. In practise, that doesn't change anything because logparser.py doesn't support change_profile events yet - and rlimit doesn't cause any log events. Also add some long overdue copyright headers.
[ 24-centralize-ruletypes.diff ]
=== modified file ./utils/aa-mergeprof
--- utils/aa-mergeprof 2015-11-19 17:42:26.317879173 +0100
+++ utils/aa-mergeprof 2015-12-02 22:37:23.198671126 +0100
@@ -1,6 +1,7 @@
 #! /usr/bin/env python
 # ----------------------------------------------------------------------
 # Copyright (C) 2013 Kshitij Gupta <[email protected]>
+# Copyright (C) 2014-2015 Christian Boltz <[email protected]>
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
@@ -631,7 +632,7 @@
 elif re.search('\d', ans):
 default_option = ans
- for ruletype in ['capability', 'change_profile', 'network', 'rlimit', 'signal']:
+ for ruletype in apparmor.aa.ruletypes:
 if other.aa[profile][hat].get(ruletype, False): # needed until we have proper profile initialization
 for rule_obj in other.aa[profile][hat][ruletype].rules:
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-11-29 21:05:50.338348194 +0100
+++ utils/apparmor/aa.py 2015-12-02 22:29:55.825439595 +0100
@@ -61,6 +61,8 @@
 from apparmor.rule.signal import SignalRuleset, SignalRule
 from apparmor.rule import parse_modifiers, quote_if_needed
+ruletypes = ['capability', 'change_profile', 'network', 'rlimit', 'signal']
+
 from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
 # setup module translations
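Review bot: `ruletypes` in the `@@ -61,6 +61,8 @@` hunk of aa.py is a mutable module-level list, and this patch makes aa-mergeprof and cleanprofile.py iterate the same object, so an accidental `append`/`remove` in any importer would silently change which rule classes are merged or de-duplicated in every tool. A tuple rules that out: `ruletypes = ('capability', 'change_profile', 'network', 'rlimit', 'signal')`. The assignment also sits between two `from apparmor...` import statements; placing it after the imports with a short comment such as `# rule types handled by the loops in aa.py, aa-mergeprof and cleanprofile.py - a type missing here is skipped by all of them` would make the consequence of an incomplete list visible to the next person adding a rule class.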
@@ -1677,7 +1679,7 @@
 signal_obj = SignalRule(access, signal, peer, log_event=aamode)
 log_obj[profile][hat]['signal'].add(signal_obj)
- for ruletype in ['capability', 'network', 'signal']:
+ for ruletype in ruletypes:
 # XXX aa-mergeprof also has this code - if you change it, keep aa-mergeprof in sync!
 for rule_obj in log_obj[profile][hat][ruletype].rules:
@@ -2161,8 +2163,6 @@
 # Allow rules covered by denied rules shouldn't be deleted
 # only a subset allow rules may actually be denied
- ruletypes = ['capability', 'change_profile', 'network', 'rlimit', 'signal']
-
 if include.get(incname, False):
 for rule_type in ruletypes:
 deleted += profile[rule_type].delete_duplicates(include[incname][incname][rule_type])
=== modified file ./utils/apparmor/cleanprofile.py
--- utils/apparmor/cleanprofile.py 2015-11-19 17:42:26.317879173 +0100
+++ utils/apparmor/cleanprofile.py 2015-12-02 22:37:19.298695423 +0100
@@ -1,5 +1,6 @@
 # ----------------------------------------------------------------------
 # Copyright (C) 2013 Kshitij Gupta <[email protected]>
+# Copyright (C) 2014-2015 Christian Boltz <[email protected]>
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
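Review bot: In the `@@ -1677,7 +1679,7 @@` hunk of aa.py the loop now also visits 'change_profile' and 'rlimit', but `log_obj[profile][hat][ruletype].rules` is indexed without the guard that the matching aa-mergeprof loop keeps (`if other.aa[profile][hat].get(ruletype, False):`, commented there as needed until profiles are properly initialised). The only initialisation visible in this hunk is for 'signal', so it cannot be confirmed from here that log_obj always carries the two new keys; if it does not, processing log events would fail on the lookup or on the missing `.rules` attribute. I would add the same guard as the first statement of the loop body, `if not log_obj[profile][hat].get(ruletype, False): continue`, or extend the XXX comment to say where those entries are created. The enclosing function starts and ends outside the hunk.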
@@ -64,7 +65,7 @@
 deleted += apparmor.delete_duplicates(self.other.aa[program][hat], inc)
 #Clean duplicate rules in other profile
- for ruletype in ['capability', 'change_profile', 'network', 'rlimit', 'signal']:
+ for ruletype in apparmor.ruletypes:
 if not self.same_file:
 deleted += self.other.aa[program][hat][ruletype].delete_duplicates(self.profile.aa[program][hat][ruletype])
 else:
Regards, Christian Boltz -- [BILD] Als langjährig tätiger Strafverteidiger (und Fan von Volker Pispers) muß ich jedoch dringend davor warnen, stinkende tote Fische in dieses Freiexemplar der sogenannten "Zeitung" einzuwickeln. Weil das ein Strafverfahren wegen Beleidigung zulasten des Fisches nach sich ziehen könnte. [http://www.kanzlei-hoenig.de/2012/keine-stinkende-tote-fische-im-briefkasten/] -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
