polishing
This commit is contained in:
parent
46c5381cd0
commit
59d7980478
1 changed files with 16 additions and 14 deletions
|
@ -49,9 +49,11 @@ def handleFileMessages(l, file, profile, lineNum):
|
||||||
# '',
|
# '',
|
||||||
)
|
)
|
||||||
suggestOwner = ( # TODO: switch to AARE
|
suggestOwner = ( # TODO: switch to AARE
|
||||||
r'^@{HOME}',
|
r'^@{HOME}/',
|
||||||
r'^/home/\w+/',
|
r'^/home/\w+/',
|
||||||
|
r'^@{run}/user/@{uid}/',
|
||||||
r'^/run/user/\d+/',
|
r'^/run/user/\d+/',
|
||||||
|
r'^@{tmp}/',
|
||||||
r'^/tmp/',
|
r'^/tmp/',
|
||||||
r'^/var/tmp/',
|
r'^/var/tmp/',
|
||||||
r'^/dev/shm/',
|
r'^/dev/shm/',
|
||||||
|
@ -60,7 +62,7 @@ def handleFileMessages(l, file, profile, lineNum):
|
||||||
lG = l.groupdict()
|
lG = l.groupdict()
|
||||||
reason_ = None
|
reason_ = None
|
||||||
if lG.get('path'):
|
if lG.get('path'):
|
||||||
if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles:
|
if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: # false positives
|
||||||
severity_ = 'ERROR'
|
severity_ = 'ERROR'
|
||||||
reason_ = 'Whole filesystem access is too broad'
|
reason_ = 'Whole filesystem access is too broad'
|
||||||
suggestion_ = None
|
suggestion_ = None
|
||||||
|
@ -84,12 +86,12 @@ def handleFileMessages(l, file, profile, lineNum):
|
||||||
suggestion_ = None
|
suggestion_ = None
|
||||||
|
|
||||||
if reason_: # something matched
|
if reason_: # something matched
|
||||||
msg = ({'filename': file,
|
msg = {'filename': file,
|
||||||
'profile': profile,
|
'profile': profile,
|
||||||
'severity': severity_,
|
'severity': severity_,
|
||||||
'line': lineNum,
|
'line': lineNum,
|
||||||
'reason': reason_,
|
'reason': reason_,
|
||||||
'suggestion': suggestion_})
|
'suggestion': suggestion_}
|
||||||
else:
|
else:
|
||||||
msg = None
|
msg = None
|
||||||
|
|
||||||
|
@ -98,7 +100,7 @@ def handleFileMessages(l, file, profile, lineNum):
|
||||||
def readApparmorFile(fullpath):
|
def readApparmorFile(fullpath):
|
||||||
'''AA file could contain multiple AA profiles'''
|
'''AA file could contain multiple AA profiles'''
|
||||||
headers = (
|
headers = (
|
||||||
'# AppArmor.d - Full set of apparmor profiles',
|
'# apparmor.d - Full set of apparmor profiles',
|
||||||
'# Copyright (C) ',
|
'# Copyright (C) ',
|
||||||
'# SPDX-License-Identifier: GPL-2.0-only',
|
'# SPDX-License-Identifier: GPL-2.0-only',
|
||||||
)
|
)
|
||||||
|
@ -130,13 +132,13 @@ def readApparmorFile(fullpath):
|
||||||
|
|
||||||
if indent != expectedIndent:
|
if indent != expectedIndent:
|
||||||
spacesCount = len(nestingStacker) * 2
|
spacesCount = len(nestingStacker) * 2
|
||||||
nesingCount = len(nestingStacker)
|
nestingCount = len(nestingStacker)
|
||||||
messages.append({'filename': fullpath,
|
messages.append({'filename': fullpath,
|
||||||
'profile': getCurrentProfile(nestingStacker),
|
'profile': getCurrentProfile(nestingStacker),
|
||||||
'severity': 'WARNING',
|
'severity': 'WARNING',
|
||||||
'line': n,
|
'line': n,
|
||||||
'reason': f"Expected {spacesCount} spaces for {nesingCount} nesting",
|
'reason': f"Expected {spacesCount} spaces for {nestingCount} nesting",
|
||||||
'suggestion': f"{expectedIndent}{line}"})
|
'suggestion': f"{expectedIndent}{line.lstrip()}"})
|
||||||
|
|
||||||
if line.endswith(' \n'):
|
if line.endswith(' \n'):
|
||||||
messages.append({'filename': fullpath,
|
messages.append({'filename': fullpath,
|
||||||
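Review bot: The `# false positives` comment added to the `/**` check in the second hunk does not say why those profiles are exempt, and the check itself only recognises one spelling of whole-filesystem access: a rule written as `/{,**}` (or `/{**,}`) grants the same scope but passes `startswith('/**')` untouched and is never reported. Since `wholeFileAccessProfiles` is effectively an allowlist that silences the linter's strongest finding, the comment should say so — e.g. `# allowlist: profiles that legitimately need whole-filesystem access; review every addition` — and the test should cover the brace form, `if lG.get('path').startswith(('/**', '/{,**}', '/{**,}')) and profile not in wholeFileAccessProfiles:`. Whether the brace spelling actually occurs in the profiles this tool lints is not visible here, so confirm against the corpus before extending the check. handleFileMessages starts before the first hunk, and the hunks cut through its body.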
|
|