mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
utils: address pep8 complaints
This patch eliminates the complaints from running: pep8 --ignore=E501 aa-easyprof vim/ (E501 is 'line too long', which I'm not too chuffed about.) Mostly, it's a lot of whitespace touchups, with a few conversions from '==' to 'is'. Commit includes applied feedback from cboltz. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
This commit is contained in:
Steve Beattie
parent
f6af922088
commit
b3c9d8b86b
2 changed files with 62 additions and 62 deletions
|
|
@ -55,11 +55,10 @@ if __name__ == "__main__":
|
|||
files = [os.path.join(easyp.dirs['policygroups'], g)]
|
||||
apparmor.easyprof.print_files(files)
|
||||
sys.exit(0)
|
||||
elif binary == None:
|
||||
elif binary is None:
|
||||
error("Must specify full path to binary\n%s" % m)
|
||||
|
||||
# if we made it here, generate a profile
|
||||
params = apparmor.easyprof.gen_policy_params(binary, opt)
|
||||
p = easyp.gen_policy(**params)
|
||||
sys.stdout.write('%s\n' % p)
|
||||
|
||||
|
|
|
|||
|
|
@ -15,16 +15,17 @@ import subprocess
|
|||
import sys
|
||||
|
||||
# dangerous capabilities
|
||||
danger_caps=["audit_control",
|
||||
"audit_write",
|
||||
"mac_override",
|
||||
"mac_admin",
|
||||
"set_fcap",
|
||||
"sys_admin",
|
||||
"sys_module",
|
||||
"sys_rawio"]
|
||||
danger_caps = ["audit_control",
|
||||
"audit_write",
|
||||
"mac_override",
|
||||
"mac_admin",
|
||||
"set_fcap",
|
||||
"sys_admin",
|
||||
"sys_module",
|
||||
"sys_rawio"]
|
||||
|
||||
def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None):
|
||||
|
||||
def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, stdin=None, timeout=None):
|
||||
'''Try to execute given command (array) and return its stdout, or
|
||||
return a textual error if it failed.'''
|
||||
|
||||
|
|
@ -36,12 +37,12 @@ def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.P
|
|||
out, outerr = sp.communicate(input)
|
||||
|
||||
# Handle redirection of stdout
|
||||
if out == None:
|
||||
if out is None:
|
||||
out = ''
|
||||
# Handle redirection of stderr
|
||||
if outerr == None:
|
||||
if outerr is None:
|
||||
outerr = ''
|
||||
return [sp.returncode,out+outerr]
|
||||
return [sp.returncode, out + outerr]
|
||||
|
||||
# get capabilities list
|
||||
(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
|
||||
|
|
@ -50,7 +51,7 @@ if rc != 0:
|
|||
exit(rc)
|
||||
|
||||
capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
|
||||
benign_caps =[]
|
||||
benign_caps = []
|
||||
for cap in capabilities:
|
||||
if cap not in danger_caps:
|
||||
benign_caps.append(cap)
|
||||
|
|
@ -73,28 +74,28 @@ for af_pair in af_pairs:
|
|||
# but not in aa_flags...
|
||||
# -> currently (2011-01-11) not, but might come back
|
||||
|
||||
aa_network_types=r'\s+tcp|\s+udp|\s+icmp'
|
||||
aa_network_types = r'\s+tcp|\s+udp|\s+icmp'
|
||||
|
||||
aa_flags=['complain',
|
||||
'audit',
|
||||
'attach_disconnect',
|
||||
'no_attach_disconnected',
|
||||
'chroot_attach',
|
||||
'chroot_no_attach',
|
||||
'chroot_relative',
|
||||
'namespace_relative']
|
||||
aa_flags = ['complain',
|
||||
'audit',
|
||||
'attach_disconnect',
|
||||
'no_attach_disconnected',
|
||||
'chroot_attach',
|
||||
'chroot_no_attach',
|
||||
'chroot_relative',
|
||||
'namespace_relative']
|
||||
|
||||
filename=r'(\/|\@\{\S*\})\S*'
|
||||
filename = r'(\/|\@\{\S*\})\S*'
|
||||
|
||||
aa_regex_map = {
|
||||
'FILENAME': filename,
|
||||
'FILE': r'\v^\s*(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
|
||||
'FILE': r'\v^\s*(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
|
||||
# (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
|
||||
'DENYFILE': r'\v^\s*(audit\s+)?deny\s+(owner\s+)?' + filename + r'\s+', # deny, otherwise like FILE
|
||||
'DENYFILE': r'\v^\s*(audit\s+)?deny\s+(owner\s+)?' + filename + r'\s+', # deny, otherwise like FILE
|
||||
'auditdenyowner': r'(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?',
|
||||
'audit_DENY_owner': r'(audit\s+)?deny\s+(owner\s+)?', # must include "deny", otherwise like auditdenyowner
|
||||
'audit_DENY_owner': r'(audit\s+)?deny\s+(owner\s+)?', # must include "deny", otherwise like auditdenyowner
|
||||
'auditdeny': r'(audit\s+)?(deny\s+|allow\s+)?',
|
||||
'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)', # End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
|
||||
'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)', # End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
|
||||
'TRANSITION': r'(\s+-\>\s+\S+)?',
|
||||
'sdKapKey': " ".join(benign_caps),
|
||||
'sdKapKeyDanger': " ".join(danger_caps),
|
||||
|
|
@ -104,6 +105,7 @@ aa_regex_map = {
|
|||
'flags': r'((flags\s*\=\s*)?\(\s*(' + '|'.join(aa_flags) + r')(\s*,\s*(' + '|'.join(aa_flags) + r'))*\s*\)\s+)',
|
||||
}
|
||||
|
||||
|
||||
def my_repl(matchobj):
|
||||
matchobj.group(1)
|
||||
if matchobj.group(1) in aa_regex_map:
|
||||
|
|
@ -112,48 +114,48 @@ def my_repl(matchobj):
|
|||
return matchobj.group(0)
|
||||
|
||||
|
||||
def create_file_rule (highlighting, permissions, comment, denyrule = 0):
|
||||
def create_file_rule(highlighting, permissions, comment, denyrule=0):
|
||||
|
||||
if denyrule == 0:
|
||||
keywords = '@@auditdenyowner@@'
|
||||
else:
|
||||
keywords = '@@audit_DENY_owner@@' # TODO: not defined yet, will be '(audit\s+)?deny\s+(owner\s+)?'
|
||||
if denyrule == 0:
|
||||
keywords = '@@auditdenyowner@@'
|
||||
else:
|
||||
keywords = '@@audit_DENY_owner@@' # TODO: not defined yet, will be '(audit\s+)?deny\s+(owner\s+)?'
|
||||
|
||||
sniplet = ''
|
||||
sniplet = sniplet + "\n" + '" ' + comment + "\n"
|
||||
sniplet = ''
|
||||
sniplet = sniplet + "\n" + '" ' + comment + "\n"
|
||||
|
||||
prefix = r'syn match ' + highlighting + r' /\v^\s*' + keywords
|
||||
suffix = r'@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' + "\n"
|
||||
# filename without quotes
|
||||
sniplet = sniplet + prefix + r'@@FILENAME@@\s+' + permissions + suffix
|
||||
# filename with quotes
|
||||
sniplet = sniplet + prefix + r'"@@FILENAME@@"\s+' + permissions + suffix
|
||||
# filename without quotes, reverse syntax
|
||||
sniplet = sniplet + prefix + permissions + r'\s+@@FILENAME@@' + suffix
|
||||
# filename with quotes, reverse syntax
|
||||
sniplet = sniplet + prefix + permissions + r'\s+"@@FILENAME@@"+' + suffix
|
||||
prefix = r'syn match ' + highlighting + r' /\v^\s*' + keywords
|
||||
suffix = r'@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' + "\n"
|
||||
# filename without quotes
|
||||
sniplet = sniplet + prefix + r'@@FILENAME@@\s+' + permissions + suffix
|
||||
# filename with quotes
|
||||
sniplet = sniplet + prefix + r'"@@FILENAME@@"\s+' + permissions + suffix
|
||||
# filename without quotes, reverse syntax
|
||||
sniplet = sniplet + prefix + permissions + r'\s+@@FILENAME@@' + suffix
|
||||
# filename with quotes, reverse syntax
|
||||
sniplet = sniplet + prefix + permissions + r'\s+"@@FILENAME@@"+' + suffix
|
||||
|
||||
return sniplet
|
||||
return sniplet
|
||||
|
||||
|
||||
filerule = ''
|
||||
filerule = filerule + create_file_rule ( 'sdEntryWriteExec ', r'(l|r|w|a|m|k|[iuUpPcC]x)+@@TRANSITION@@', 'write + exec/mmap - danger! (known bug: accepts aw to keep things simple)' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryUX', r'(r|m|k|ux|pux)+@@TRANSITION@@', 'ux(mr) - unconstrained entry, flag the line red. also includes pux which is unconstrained if no profile exists' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryUXe', r'(r|m|k|Ux|PUx)+@@TRANSITION@@', 'Ux(mr) and PUx(mr) - like ux + clean environment' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryPX', r'(r|m|k|px|cx|pix|cix)+@@TRANSITION@@', 'px/cx/pix/cix(mrk) - standard exec entry, flag the line blue' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryPXe', r'(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@', 'Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryIX', r'(r|m|k|ix)+', 'ix(mr) - standard exec entry, flag the line green' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryM', r'(r|m|k)+', 'mr - mmap with PROT_EXEC' )
|
||||
filerule = filerule + create_file_rule('sdEntryWriteExec ', r'(l|r|w|a|m|k|[iuUpPcC]x)+@@TRANSITION@@', 'write + exec/mmap - danger! (known bug: accepts aw to keep things simple)')
|
||||
filerule = filerule + create_file_rule('sdEntryUX', r'(r|m|k|ux|pux)+@@TRANSITION@@', 'ux(mr) - unconstrained entry, flag the line red. also includes pux which is unconstrained if no profile exists')
|
||||
filerule = filerule + create_file_rule('sdEntryUXe', r'(r|m|k|Ux|PUx)+@@TRANSITION@@', 'Ux(mr) and PUx(mr) - like ux + clean environment')
|
||||
filerule = filerule + create_file_rule('sdEntryPX', r'(r|m|k|px|cx|pix|cix)+@@TRANSITION@@', 'px/cx/pix/cix(mrk) - standard exec entry, flag the line blue')
|
||||
filerule = filerule + create_file_rule('sdEntryPXe', r'(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@', 'Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment')
|
||||
filerule = filerule + create_file_rule('sdEntryIX', r'(r|m|k|ix)+', 'ix(mr) - standard exec entry, flag the line green')
|
||||
filerule = filerule + create_file_rule('sdEntryM', r'(r|m|k)+', 'mr - mmap with PROT_EXEC')
|
||||
|
||||
filerule = filerule + create_file_rule ( 'sdEntryM', r'(r|m|k|x)+', 'special case: deny x is allowed (does not need to be ix, px, ux or cx)', 1)
|
||||
filerule = filerule + create_file_rule('sdEntryM', r'(r|m|k|x)+', 'special case: deny x is allowed (does not need to be ix, px, ux or cx)', 1)
|
||||
#syn match sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
|
||||
|
||||
|
||||
filerule = filerule + create_file_rule ( 'sdError', r'\S*(w\S*a|a\S*w)\S*', 'write + append is an error' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryW', r'(l|r|w|k)+', 'write entry, flag the line yellow' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryW', r'(l|r|a|k)+', 'append entry, flag the line yellow' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryK', r'[rlk]+', 'read entry + locking, currently no highlighting' )
|
||||
filerule = filerule + create_file_rule ( 'sdEntryR', r'[rl]+', 'read entry, no highlighting' )
|
||||
filerule = filerule + create_file_rule('sdError', r'\S*(w\S*a|a\S*w)\S*', 'write + append is an error')
|
||||
filerule = filerule + create_file_rule('sdEntryW', r'(l|r|w|k)+', 'write entry, flag the line yellow')
|
||||
filerule = filerule + create_file_rule('sdEntryW', r'(l|r|a|k)+', 'append entry, flag the line yellow')
|
||||
filerule = filerule + create_file_rule('sdEntryK', r'[rlk]+', 'read entry + locking, currently no highlighting')
|
||||
filerule = filerule + create_file_rule('sdEntryR', r'[rl]+', 'read entry, no highlighting')
|
||||
|
||||
# " special case: deny x is allowed (doesn't need to be ix, px, ux or cx)
|
||||
# syn match sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
|
||||
|
|
@ -174,5 +176,4 @@ with open("apparmor.vim.in") as template:
|
|||
sys.stdout.write("\n\n\n\n")
|
||||
|
||||
sys.stdout.write('" file rules added with create_file_rule()\n')
|
||||
sys.stdout.write(re.sub(regex, my_repl, filerule)+'\n')
|
||||
|
||||
sys.stdout.write(re.sub(regex, my_repl, filerule) + '\n')
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue