def __init__(self, access, peer, audit=False, deny=False, allow_keyword=False, comment='', log_event=None): super(PtraceRule, self).__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment, log_event=log_event) self.access, self.all_access, unknown_items = check_and_split_list( access, access_keywords, PtraceRule.ALL, 'PtraceRule', 'access') if unknown_items: raise AppArmorException( _('Passed unknown access keyword to PtraceRule: %s') % ' '.join(unknown_items)) self.peer, self.all_peers = self._aare_or_all(peer, 'peer', is_path=False, log_event=log_event)
def __init__(self, access, signal, peer, audit=False, deny=False, allow_keyword=False, comment='', log_event=None): super(SignalRule, self).__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment, log_event=log_event) self.access, self.all_access, unknown_items = check_and_split_list( access, access_keywords, SignalRule.ALL, 'SignalRule', 'access') if unknown_items: raise AppArmorException( _('Passed unknown access keyword to SignalRule: %s') % ' '.join(unknown_items)) self.signal, self.all_signals, unknown_items = check_and_split_list( signal, signal_keywords, SignalRule.ALL, 'SignalRule', 'signal') if unknown_items: for item in unknown_items: if RE_SIGNAL_REALTIME.match(item): self.signal.add(item) else: raise AppArmorException( _('Passed unknown signal keyword to SignalRule: %s') % item) self.peer, self.all_peers = self._aare_or_all(peer, 'peer', is_path=False, log_event=log_event)
def __init__(self, path, perms, exec_perms, target, owner, file_keyword=False, leading_perms=False, audit=False, deny=False, allow_keyword=False, comment='', log_event=None): '''Initialize FileRule Parameters: - path: string, AARE or FileRule.ALL - perms: string, set of chars or FileRule.ALL (must not contain exec mode) - exec_perms: None or string - target: string, AARE or FileRule.ALL - owner: bool - file_keyword: bool - leading_perms: bool ''' super(FileRule, self).__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment, log_event=log_event) # rulepart partperms is_path log_event self.path, self.all_paths = self._aare_or_all(path, 'path', True, log_event) self.target, self.all_targets, = self._aare_or_all( target, 'target', False, log_event) self.can_glob = not self.all_paths self.can_glob_ext = not self.all_paths self.can_edit = not self.all_paths if type_is_str(perms): perms, tmp_exec_perms = split_perms(perms, deny) if tmp_exec_perms: raise AppArmorBug('perms must not contain exec perms') elif perms == None: perms = set() if perms == {'subset'}: raise AppArmorBug('subset without link permissions given') elif perms in [{'link'}, {'link', 'subset'}]: self.perms = perms self.all_perms = False else: self.perms, self.all_perms, unknown_items = check_and_split_list( perms, file_permissions, FileRule.ALL, 'FileRule', 'permissions', allow_empty_list=True) if unknown_items: raise AppArmorBug('Passed unknown perms to FileRule: %s' % str(unknown_items)) if self.perms and 'a' in self.perms and 'w' in self.perms: raise AppArmorException( "Conflicting permissions found: 'a' and 'w'") self.original_perms = None # might be set by aa-logprof / aa.py propose_file_rules() if exec_perms is None: self.exec_perms = None elif 'link' in self.perms: raise AppArmorBug("link rules can't have execute permissions") elif exec_perms == self.ANY_EXEC: self.exec_perms = exec_perms elif type_is_str(exec_perms): if deny: if exec_perms != 'x': raise AppArmorException( _("file deny rules only allow to use 'x' as execute mode, but not %s" % exec_perms)) else: if exec_perms == 'x': raise AppArmorException( _("Execute flag ('x') in file rule must specify the exec mode (ix, Px, Cx etc.)" )) elif exec_perms not in allow_exec_transitions and exec_perms not in allow_exec_fallback_transitions: raise AppArmorBug( 'Unknown execute mode specified in file rule: %s' % exec_perms) self.exec_perms = exec_perms else: raise AppArmorBug('Passed unknown perms object to FileRule: %s' % str(perms)) if type(owner) is not bool: raise AppArmorBug('non-boolean value passed to owner flag') self.owner = owner self.can_owner = owner # offer '(O)wner permissions on/off' buttons only if the rule has the owner flag if type(file_keyword) is not bool: raise AppArmorBug('non-boolean value passed to file keyword flag') self.file_keyword = file_keyword if type(leading_perms) is not bool: raise AppArmorBug( 'non-boolean value passed to leading permissions flag') self.leading_perms = leading_perms # XXX subset # check for invalid combinations (bare 'file,' vs. path rule) # if (self.all_paths and not self.all_perms) or (not self.all_paths and self.all_perms): # raise AppArmorBug('all_paths and all_perms must be equal') # elif if self.all_paths and (self.exec_perms or self.target): raise AppArmorBug( 'exec perms or target specified for bare file rule')
def __init__(self, access, bus, path, name, interface, member, peername, peerlabel, audit=False, deny=False, allow_keyword=False, comment='', log_event=None): super(DbusRule, self).__init__(audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment, log_event=log_event) self.access, self.all_access, unknown_items = check_and_split_list( access, access_keywords, DbusRule.ALL, 'DbusRule', 'access') if unknown_items: raise AppArmorException( _('Passed unknown access keyword to DbusRule: %s') % ' '.join(unknown_items)) # rulepart partname is_path log_event self.bus, self.all_buses = self._aare_or_all(bus, 'bus', False, log_event) self.path, self.all_paths = self._aare_or_all(path, 'path', True, log_event) self.name, self.all_names = self._aare_or_all(name, 'name', False, log_event) self.interface, self.all_interfaces = self._aare_or_all( interface, 'interface', False, log_event) self.member, self.all_members = self._aare_or_all( member, 'member', False, log_event) self.peername, self.all_peernames = self._aare_or_all( peername, 'peer name', False, log_event) self.peerlabel, self.all_peerlabels = self._aare_or_all( peerlabel, 'peer label', False, log_event) # not all combinations are allowed if self.access and 'bind' in self.access and ( self.path or self.interface or self.member or self.peername or self.peerlabel): raise AppArmorException( _('dbus bind rules must not contain a path, interface, member or peer conditional' )) elif self.access and 'eavesdrop' in self.access and ( self.name or self.path or self.interface or self.member or self.peername or self.peerlabel): raise AppArmorException( _('dbus eavesdrop rules must not contain a name, path, interface, member or peer conditional' )) elif self.access and self.name: for msg in message_keywords: if msg in self.access: raise AppArmorException( _('dbus %s rules must not contain a name conditional') % '/'.join(self.access))