From b3c9d8b86bc0dbba593255d89a12198171604d2f Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Mon, 20 Jan 2014 11:51:01 -0800 Subject: [PATCH] utils: address pep8 complaints This patch eliminates the complaints from running: pep8 --ignore=E501 aa-easyprof vim/ (E501 is 'line too long', which I'm not too chuffed about.) Mostly, it's a lot of whitespace touchups, with a few conversions from '==' to 'is'. Commit includes applied feedback from cboltz. Signed-off-by: Steve Beattie Acked-by: Christian Boltz --- utils/aa-easyprof | 3 +- utils/vim/create-apparmor.vim.py | 121 ++++++++++++++++--------------- 2 files changed, 62 insertions(+), 62 deletions(-) diff --git a/utils/aa-easyprof b/utils/aa-easyprof index a042c55ee..da0d1b869 100755 --- a/utils/aa-easyprof +++ b/utils/aa-easyprof @@ -55,11 +55,10 @@ if __name__ == "__main__": files = [os.path.join(easyp.dirs['policygroups'], g)] apparmor.easyprof.print_files(files) sys.exit(0) - elif binary == None: + elif binary is None: error("Must specify full path to binary\n%s" % m) # if we made it here, generate a profile params = apparmor.easyprof.gen_policy_params(binary, opt) p = easyp.gen_policy(**params) sys.stdout.write('%s\n' % p) - diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py index dc10ffb2c..3f17a27d3 100644 --- a/utils/vim/create-apparmor.vim.py +++ b/utils/vim/create-apparmor.vim.py 
@@ -15,16 +15,17 @@ import subprocess import sys # dangerous capabilities -danger_caps=["audit_control", - "audit_write", - "mac_override", - "mac_admin", - "set_fcap", - "sys_admin", - "sys_module", - "sys_rawio"] +danger_caps = ["audit_control", + "audit_write", + "mac_override", + "mac_admin", + "set_fcap", + "sys_admin", + "sys_module", + "sys_rawio"] -def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None): + +def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, stdin=None, timeout=None): '''Try to execute given command (array) and return its stdout, or return a textual error if it failed.''' @@ -36,12 +37,12 @@ def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.P out, outerr = sp.communicate(input) # Handle redirection of stdout - if out == None: + if out is None: out = '' # Handle redirection of stderr - if outerr == None: + if outerr is None: outerr = '' - return [sp.returncode,out+outerr] + return [sp.returncode, out + outerr] # get capabilities list (rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities']) @@ -50,7 +51,7 @@ if rc != 0: exit(rc) capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ") -benign_caps =[] +benign_caps = [] for cap in capabilities: if cap not in danger_caps: benign_caps.append(cap) 
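Review bot: `cmd()` accepts a `timeout` argument, but the call visible in the `@@ -36,12 +37,12 @@` hunk is `sp.communicate(input)` with no timeout, so a hung `make` would block this generator indefinitely unless the parameter is handled in the lines between the two hunks, which are not shown. Either drop the parameter or pass it through as `out, outerr = sp.communicate(input, timeout=timeout)` and handle `subprocess.TimeoutExpired` (Python 3.3+). Separately, the `''` fallbacks only concatenate cleanly if the `Popen` call, also outside the hunk, opens the pipes in text mode; with byte pipes `out + outerr` would raise a `TypeError` on Python 3.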
@@ -73,28 +74,28 @@ for af_pair in af_pairs: # but not in aa_flags... # -> currently (2011-01-11) not, but might come back -aa_network_types=r'\s+tcp|\s+udp|\s+icmp' +aa_network_types = r'\s+tcp|\s+udp|\s+icmp' -aa_flags=['complain', - 'audit', - 'attach_disconnect', - 'no_attach_disconnected', - 'chroot_attach', - 'chroot_no_attach', - 'chroot_relative', - 'namespace_relative'] +aa_flags = ['complain', + 'audit', + 'attach_disconnect', + 'no_attach_disconnected', + 'chroot_attach', + 'chroot_no_attach', + 'chroot_relative', + 'namespace_relative'] -filename=r'(\/|\@\{\S*\})\S*' +filename = r'(\/|\@\{\S*\})\S*' aa_regex_map = { 'FILENAME': filename, - 'FILE': r'\v^\s*(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule + 'FILE': r'\v^\s*(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule # (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_) - 'DENYFILE': r'\v^\s*(audit\s+)?deny\s+(owner\s+)?' + filename + r'\s+', # deny, otherwise like FILE + 'DENYFILE': r'\v^\s*(audit\s+)?deny\s+(owner\s+)?' + filename + r'\s+', # deny, otherwise like FILE 'auditdenyowner': r'(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?', - 'audit_DENY_owner': r'(audit\s+)?deny\s+(owner\s+)?', # must include "deny", otherwise like auditdenyowner + 'audit_DENY_owner': r'(audit\s+)?deny\s+(owner\s+)?', # must include "deny", otherwise like auditdenyowner 'auditdeny': r'(audit\s+)?(deny\s+|allow\s+)?', - 'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)', # End of a line (whitespace_?_, comma, whitespace_?_ comment.*) + 'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)', # End of a line (whitespace_?_, comma, whitespace_?_ comment.*) 'TRANSITION': r'(\s+-\>\s+\S+)?', 'sdKapKey': " ".join(benign_caps), 'sdKapKeyDanger': " ".join(danger_caps), 
@@ -104,6 +105,7 @@ aa_regex_map = { 'flags': r'((flags\s*\=\s*)?\(\s*(' + '|'.join(aa_flags) + r')(\s*,\s*(' + '|'.join(aa_flags) + r'))*\s*\)\s+)', } + def my_repl(matchobj): matchobj.group(1) if matchobj.group(1) in aa_regex_map: 
@@ -112,48 +114,48 @@ def my_repl(matchobj): return matchobj.group(0) -def create_file_rule (highlighting, permissions, comment, denyrule = 0): +def create_file_rule(highlighting, permissions, comment, denyrule=0): - if denyrule == 0: - keywords = '@@auditdenyowner@@' - else: - keywords = '@@audit_DENY_owner@@' # TODO: not defined yet, will be '(audit\s+)?deny\s+(owner\s+)?' + if denyrule == 0: + keywords = '@@auditdenyowner@@' + else: + keywords = '@@audit_DENY_owner@@' # TODO: not defined yet, will be '(audit\s+)?deny\s+(owner\s+)?' - sniplet = '' - sniplet = sniplet + "\n" + '" ' + comment + "\n" + sniplet = '' + sniplet = sniplet + "\n" + '" ' + comment + "\n" - prefix = r'syn match ' + highlighting + r' /\v^\s*' + keywords - suffix = r'@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' + "\n" - # filename without quotes - sniplet = sniplet + prefix + r'@@FILENAME@@\s+' + permissions + suffix - # filename with quotes - sniplet = sniplet + prefix + r'"@@FILENAME@@"\s+' + permissions + suffix - # filename without quotes, reverse syntax - sniplet = sniplet + prefix + permissions + r'\s+@@FILENAME@@' + suffix - # filename with quotes, reverse syntax - sniplet = sniplet + prefix + permissions + r'\s+"@@FILENAME@@"+' + suffix + prefix = r'syn match ' + highlighting + r' /\v^\s*' + keywords + suffix = r'@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' + "\n" + # filename without quotes + sniplet = sniplet + prefix + r'@@FILENAME@@\s+' + permissions + suffix + # filename with quotes + sniplet = sniplet + prefix + r'"@@FILENAME@@"\s+' + permissions + suffix + # filename without quotes, reverse syntax + sniplet = sniplet + prefix + permissions + r'\s+@@FILENAME@@' + suffix + # filename with quotes, reverse syntax + sniplet = sniplet + prefix + permissions + r'\s+"@@FILENAME@@"+' + suffix - return sniplet + return sniplet filerule = '' -filerule = filerule + create_file_rule ( 'sdEntryWriteExec ', 
r'(l|r|w|a|m|k|[iuUpPcC]x)+@@TRANSITION@@', 'write + exec/mmap - danger! (known bug: accepts aw to keep things simple)' ) -filerule = filerule + create_file_rule ( 'sdEntryUX', r'(r|m|k|ux|pux)+@@TRANSITION@@', 'ux(mr) - unconstrained entry, flag the line red. also includes pux which is unconstrained if no profile exists' ) -filerule = filerule + create_file_rule ( 'sdEntryUXe', r'(r|m|k|Ux|PUx)+@@TRANSITION@@', 'Ux(mr) and PUx(mr) - like ux + clean environment' ) -filerule = filerule + create_file_rule ( 'sdEntryPX', r'(r|m|k|px|cx|pix|cix)+@@TRANSITION@@', 'px/cx/pix/cix(mrk) - standard exec entry, flag the line blue' ) -filerule = filerule + create_file_rule ( 'sdEntryPXe', r'(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@', 'Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment' ) -filerule = filerule + create_file_rule ( 'sdEntryIX', r'(r|m|k|ix)+', 'ix(mr) - standard exec entry, flag the line green' ) -filerule = filerule + create_file_rule ( 'sdEntryM', r'(r|m|k)+', 'mr - mmap with PROT_EXEC' ) +filerule = filerule + create_file_rule('sdEntryWriteExec ', r'(l|r|w|a|m|k|[iuUpPcC]x)+@@TRANSITION@@', 'write + exec/mmap - danger! (known bug: accepts aw to keep things simple)') +filerule = filerule + create_file_rule('sdEntryUX', r'(r|m|k|ux|pux)+@@TRANSITION@@', 'ux(mr) - unconstrained entry, flag the line red. 
also includes pux which is unconstrained if no profile exists') +filerule = filerule + create_file_rule('sdEntryUXe', r'(r|m|k|Ux|PUx)+@@TRANSITION@@', 'Ux(mr) and PUx(mr) - like ux + clean environment') +filerule = filerule + create_file_rule('sdEntryPX', r'(r|m|k|px|cx|pix|cix)+@@TRANSITION@@', 'px/cx/pix/cix(mrk) - standard exec entry, flag the line blue') +filerule = filerule + create_file_rule('sdEntryPXe', r'(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@', 'Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment') +filerule = filerule + create_file_rule('sdEntryIX', r'(r|m|k|ix)+', 'ix(mr) - standard exec entry, flag the line green') +filerule = filerule + create_file_rule('sdEntryM', r'(r|m|k)+', 'mr - mmap with PROT_EXEC') -filerule = filerule + create_file_rule ( 'sdEntryM', r'(r|m|k|x)+', 'special case: deny x is allowed (does not need to be ix, px, ux or cx)', 1) +filerule = filerule + create_file_rule('sdEntryM', r'(r|m|k|x)+', 'special case: deny x is allowed (does not need to be ix, px, ux or cx)', 1) #syn match sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude -filerule = filerule + create_file_rule ( 'sdError', r'\S*(w\S*a|a\S*w)\S*', 'write + append is an error' ) -filerule = filerule + create_file_rule ( 'sdEntryW', r'(l|r|w|k)+', 'write entry, flag the line yellow' ) -filerule = filerule + create_file_rule ( 'sdEntryW', r'(l|r|a|k)+', 'append entry, flag the line yellow' ) -filerule = filerule + create_file_rule ( 'sdEntryK', r'[rlk]+', 'read entry + locking, currently no highlighting' ) -filerule = filerule + create_file_rule ( 'sdEntryR', r'[rl]+', 'read entry, no highlighting' ) +filerule = filerule + create_file_rule('sdError', r'\S*(w\S*a|a\S*w)\S*', 'write + append is an error') +filerule = filerule + create_file_rule('sdEntryW', r'(l|r|w|k)+', 'write entry, flag the line yellow') +filerule = filerule + create_file_rule('sdEntryW', r'(l|r|a|k)+', 'append entry, flag the line yellow') 
+filerule = filerule + create_file_rule('sdEntryK', r'[rlk]+', 'read entry + locking, currently no highlighting') +filerule = filerule + create_file_rule('sdEntryR', r'[rl]+', 'read entry, no highlighting') # " special case: deny x is allowed (doesn't need to be ix, px, ux or cx) # syn match sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude @@ -174,5 +176,4 @@ with open("apparmor.vim.in") as template: sys.stdout.write("\n\n\n\n") sys.stdout.write('" file rules added with create_file_rule()\n') -sys.stdout.write(re.sub(regex, my_repl, filerule)+'\n') - +sys.stdout.write(re.sub(regex, my_repl, filerule) + '\n')
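Review bot: In `create_file_rule`, the quoted reverse-syntax pattern ends in `"@@FILENAME@@"+`, and because the prefix puts the match in very-magic mode (`\v`), that trailing `+` quantifies the closing quote, so a rule with repeated closing quotes would still match. The other three variants carry no such quantifier, so this looks like a stray character; `sniplet = sniplet + prefix + permissions + r'\s+"@@FILENAME@@"' + suffix` would bring it in line with them. The re-indented TODO next to `@@audit_DENY_owner@@` also says the key is not defined yet, while `aa_regex_map` in this same file defines `audit_DENY_owner`, so that comment can be dropped.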