List: apparmor-dev
Subject: Re: [apparmor] [patch] Update cleanprof to also delete superfluous signal etc. rules
From: Kshitij Gupta <kgupta8592 () gmail ! com>
Date: 2015-11-18 22:37:07
Message-ID: CAMBXP52UX6monKaZRhVyZke5G23WimpCeNQ4+W=vgZ_JL-rE0Q () mail ! gmail ! com
On Fri, Oct 23, 2015 at 8:51 PM, Christian Boltz <apparmor@cboltz.de> wrote:
> Hello,
>
> besides 'signal', also 'change_profile' and 'rlimit' cleanup was missing
> for the main profile.
>
> In aa.py delete_duplicates() (used to check includes), only 'signal' was
> missing.
>
>
>
> [ 10-cleanprof-more-rule-types.diff ]
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py 2015-10-23 15:15:05.562818747 +0200
> +++ utils/apparmor/aa.py 2015-10-23 17:08:32.594881219 +0200
> @@ -2113,7 +2113,7 @@
> # Allow rules covered by denied rules shouldn't be deleted
> # only a subset allow rules may actually be denied
>
> - ruletypes = ['capability', 'change_profile', 'network', 'rlimit']
> + ruletypes = ['capability', 'change_profile', 'network', 'rlimit',
> 'signal']
>
> if include.get(incname, False):
> for rule_type in ruletypes:
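Review bot: the `ruletypes` literal in this hunk is the same list that the cleanprofile.py hunk below spells out a second time, and the bug this patch fixes (aa.py missed only 'signal' while the main-profile cleanup missed 'change_profile', 'rlimit' and 'signal') is exactly what happens when two copies of such a list drift apart; suggest replacing both literals with one shared constant, e.g. `ruletypes = KNOWN_RULE_TYPES`, defined once and imported wherever the rule types are enumerated. The comment above the changed line ("only a subset allow rules may actually be denied") also reads as if a word is missing ("only a subset of allow rules") and could be tidied while this block is touched.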
> === modified file ./utils/apparmor/cleanprofile.py
> --- utils/apparmor/cleanprofile.py 2015-06-18 23:50:22.428586163 +0200
> +++ utils/apparmor/cleanprofile.py 2015-10-23 17:03:58.344857512 +0200
> @@ -64,12 +64,11 @@
> deleted +=
> apparmor.delete_duplicates(self.other.aa[program][hat], inc)
>
> #Clean duplicate rules in other profile
> - if not self.same_file:
> - deleted +=
> self.other.aa[program][hat]['capability'].delete_duplicates(self.profile.aa[program][hat]['capability'])
>
> - deleted +=
> self.other.aa[program][hat]['network'].delete_duplicates(self.profile.aa[program][hat]['network'])
>
> - else:
> - deleted +=
> self.other.aa[program][hat]['capability'].delete_duplicates(None)
> - deleted +=
> self.other.aa[program][hat]['network'].delete_duplicates(None)
> + for ruletype in ['capability', 'change_profile', 'network',
> 'rlimit', 'signal']:
>
Maybe move this as a list somewhere up: KNOWN_RULE_TYPES = ['capability',
'change_profile', 'network', 'rlimit', 'signal']
+ if not self.same_file:
> + deleted +=
> self.other.aa[program][hat][ruletype].delete_duplicates(self.profile.aa[program][hat][ruletype])
> + else:
> + deleted +=
> self.other.aa[program][hat][ruletype].delete_duplicates(None)
>
> #Clean the duplicates of path in other profile
> deleted +=
> delete_path_duplicates(self.profile.aa[program][hat],
> self.other.aa[program][hat], 'allow', self.same_file)
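Review bot: the `if not self.same_file:` test inside the new loop is loop-invariant, so it is now re-evaluated once per rule type; hoisting it is optional, but the inline rule-type list should not stay a literal here, since it must match the `ruletypes` list in aa.py's delete_duplicates() exactly for includes and the main profile to be cleaned consistently. The `KNOWN_RULE_TYPES` constant proposed above would let the next rule class be added in one place and picked up by both code paths. A short comment stating what `delete_duplicates(None)` does in the same-file case would also help, since the two branches of the loop differ only in that argument.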
>
>
Thanks for the patch.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
>
> Regards,
>
> Christian Boltz
> --
> > Oh, I'm cracking up. If it's not the quiz thing, is it then some kind of
> pyramid scheme? Do you get a bonus for luring another newbie into his
> misery? [Thorsten Haude in suse-linux]
>
>
> --
> AppArmor mailing list
> AppArmor@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
--
Regards,
Kshitij Gupta