mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 16:35:02 +01:00
aaa244c5ec
Change aa.py to use FileRule and FileRuleset for parsing and saving
profiles.
In detail, this means:
- add 'file' to the list of rule classes to enable it at various places
- store file rules in aa[profile][hat]['file'] (not 'path' as before)
to be consistent with the FileRule name
- drop the no longer needed delete_path_duplicates() - this is now
handled by FileRuleset like in all other rule classes.
(same change in cleanprofile.py)
- replace usage of RE_PROFILE_BARE_FILE_ENTRY and RE_PROFILE_PATH_ENTRY
with FileRule.match()
- drop write_path_rules() and write_paths() and replace them with the
new write_file() function.
- adjust several code sections to use write_file() and 'file' instead of
'path'
FileRule doesn't drop optional keywords ('allow' and 'file'), therefore
adjust cleanprof_test.out to the changed behaviour. (If someone insists
on dropping optional keywords in aa-cleanprof, that's something for a
future patch.)
Also adjust the list of known failures in test-parser-simple-tests.py -
switching to FileRule avoids several test failures (and introduces a few
new ones ;-)
IMPORTANT:
This patch introduces a "brain split" which means
- parsing and writing the profile and aa-cleanprof use the new location
(aa[profile][hat]['file'])
- aa-logprof and aa-genprof still save data to the old location
(aa[profile][hat]['allow']['path']) and probably ask superfluous
questions because there are no rules existing in the old location
TL;DR: don't try aa-logprof or aa-genprof with only this patch applied.
I know this isn't ideal, but still better than an even bigger and
totally unreadable patch ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
38 lines
594 B
Text
38 lines
594 B
Text
#include <tunables/global>
|
|
|
|
# A simple test comment which will persist
|
|
|
|
|
|
/usr/bin/a/simple/cleanprof/test/profile {
|
|
#include <abstractions/base>
|
|
|
|
set rlimit nofile <= 256,
|
|
|
|
audit capability,
|
|
|
|
network stream,
|
|
|
|
dbus send bus=session,
|
|
|
|
signal set=(abrt alrm bus chld fpe hup ill int kill pipe quit segv stkflt term trap usr1 usr2),
|
|
|
|
unix (receive) type=dgram,
|
|
|
|
allow /home/*/** r,
|
|
allow /home/foo/** w,
|
|
|
|
change_profile,
|
|
|
|
|
|
^foo {
|
|
capability dac_override,
|
|
|
|
/etc/fstab r,
|
|
|
|
}
|
|
}
|
|
/usr/bin/other/cleanprof/test/profile {
|
|
allow /home/*/** rw,
|
|
allow /home/foo/bar r,
|
|
|
|
}
|