def __init__(self,
access,
peer,
audit=False,
deny=False,
allow_keyword=False,
comment='',
log_event=None):
super(PtraceRule, self).__init__(audit=audit,
deny=deny,
allow_keyword=allow_keyword,
comment=comment,
log_event=log_event)
self.access, self.all_access, unknown_items = check_and_split_list(
access, access_keywords, PtraceRule.ALL, 'PtraceRule', 'access')
if unknown_items:
raise AppArmorException(
_('Passed unknown access keyword to PtraceRule: %s') %
' '.join(unknown_items))
self.peer, self.all_peers = self._aare_or_all(peer,
'peer',
is_path=False,
log_event=log_event)
def __init__(self,
access,
signal,
peer,
audit=False,
deny=False,
allow_keyword=False,
comment='',
log_event=None):
super(SignalRule, self).__init__(audit=audit,
deny=deny,
allow_keyword=allow_keyword,
comment=comment,
log_event=log_event)
self.access, self.all_access, unknown_items = check_and_split_list(
access, access_keywords, SignalRule.ALL, 'SignalRule', 'access')
if unknown_items:
raise AppArmorException(
_('Passed unknown access keyword to SignalRule: %s') %
' '.join(unknown_items))
self.signal, self.all_signals, unknown_items = check_and_split_list(
signal, signal_keywords, SignalRule.ALL, 'SignalRule', 'signal')
if unknown_items:
for item in unknown_items:
if RE_SIGNAL_REALTIME.match(item):
self.signal.add(item)
else:
raise AppArmorException(
_('Passed unknown signal keyword to SignalRule: %s') %
item)
self.peer, self.all_peers = self._aare_or_all(peer,
'peer',
is_path=False,
log_event=log_event)
def __init__(self,
path,
perms,
exec_perms,
target,
owner,
file_keyword=False,
leading_perms=False,
audit=False,
deny=False,
allow_keyword=False,
comment='',
log_event=None):
'''Initialize FileRule
Parameters:
- path: string, AARE or FileRule.ALL
- perms: string, set of chars or FileRule.ALL (must not contain exec mode)
- exec_perms: None or string
- target: string, AARE or FileRule.ALL
- owner: bool
- file_keyword: bool
- leading_perms: bool
'''
super(FileRule, self).__init__(audit=audit,
deny=deny,
allow_keyword=allow_keyword,
comment=comment,
log_event=log_event)
# rulepart partperms is_path log_event
self.path, self.all_paths = self._aare_or_all(path, 'path', True,
log_event)
self.target, self.all_targets, = self._aare_or_all(
target, 'target', False, log_event)
self.can_glob = not self.all_paths
self.can_glob_ext = not self.all_paths
self.can_edit = not self.all_paths
if type_is_str(perms):
perms, tmp_exec_perms = split_perms(perms, deny)
if tmp_exec_perms:
raise AppArmorBug('perms must not contain exec perms')
elif perms == None:
perms = set()
if perms == {'subset'}:
raise AppArmorBug('subset without link permissions given')
elif perms in [{'link'}, {'link', 'subset'}]:
self.perms = perms
self.all_perms = False
else:
self.perms, self.all_perms, unknown_items = check_and_split_list(
perms,
file_permissions,
FileRule.ALL,
'FileRule',
'permissions',
allow_empty_list=True)
if unknown_items:
raise AppArmorBug('Passed unknown perms to FileRule: %s' %
str(unknown_items))
if self.perms and 'a' in self.perms and 'w' in self.perms:
raise AppArmorException(
"Conflicting permissions found: 'a' and 'w'")
self.original_perms = None # might be set by aa-logprof / aa.py propose_file_rules()
if exec_perms is None:
self.exec_perms = None
elif 'link' in self.perms:
raise AppArmorBug("link rules can't have execute permissions")
elif exec_perms == self.ANY_EXEC:
self.exec_perms = exec_perms
elif type_is_str(exec_perms):
if deny:
if exec_perms != 'x':
raise AppArmorException(
_("file deny rules only allow to use 'x' as execute mode, but not %s"
% exec_perms))
else:
if exec_perms == 'x':
raise AppArmorException(
_("Execute flag ('x') in file rule must specify the exec mode (ix, Px, Cx etc.)"
))
elif exec_perms not in allow_exec_transitions and exec_perms not in allow_exec_fallback_transitions:
raise AppArmorBug(
'Unknown execute mode specified in file rule: %s' %
exec_perms)
self.exec_perms = exec_perms
else:
raise AppArmorBug('Passed unknown perms object to FileRule: %s' %
str(perms))
if type(owner) is not bool:
raise AppArmorBug('non-boolean value passed to owner flag')
self.owner = owner
self.can_owner = owner # offer '(O)wner permissions on/off' buttons only if the rule has the owner flag
if type(file_keyword) is not bool:
raise AppArmorBug('non-boolean value passed to file keyword flag')
self.file_keyword = file_keyword
if type(leading_perms) is not bool:
raise AppArmorBug(
'non-boolean value passed to leading permissions flag')
self.leading_perms = leading_perms
# XXX subset
# check for invalid combinations (bare 'file,' vs. path rule)
# if (self.all_paths and not self.all_perms) or (not self.all_paths and self.all_perms):
# raise AppArmorBug('all_paths and all_perms must be equal')
# elif
if self.all_paths and (self.exec_perms or self.target):
raise AppArmorBug(
'exec perms or target specified for bare file rule')
def __init__(self,
access,
bus,
path,
name,
interface,
member,
peername,
peerlabel,
audit=False,
deny=False,
allow_keyword=False,
comment='',
log_event=None):
super(DbusRule, self).__init__(audit=audit,
deny=deny,
allow_keyword=allow_keyword,
comment=comment,
log_event=log_event)
self.access, self.all_access, unknown_items = check_and_split_list(
access, access_keywords, DbusRule.ALL, 'DbusRule', 'access')
if unknown_items:
raise AppArmorException(
_('Passed unknown access keyword to DbusRule: %s') %
' '.join(unknown_items))
# rulepart partname is_path log_event
self.bus, self.all_buses = self._aare_or_all(bus, 'bus', False,
log_event)
self.path, self.all_paths = self._aare_or_all(path, 'path', True,
log_event)
self.name, self.all_names = self._aare_or_all(name, 'name', False,
log_event)
self.interface, self.all_interfaces = self._aare_or_all(
interface, 'interface', False, log_event)
self.member, self.all_members = self._aare_or_all(
member, 'member', False, log_event)
self.peername, self.all_peernames = self._aare_or_all(
peername, 'peer name', False, log_event)
self.peerlabel, self.all_peerlabels = self._aare_or_all(
peerlabel, 'peer label', False, log_event)
# not all combinations are allowed
if self.access and 'bind' in self.access and (
self.path or self.interface or self.member or self.peername
or self.peerlabel):
raise AppArmorException(
_('dbus bind rules must not contain a path, interface, member or peer conditional'
))
elif self.access and 'eavesdrop' in self.access and (
self.name or self.path or self.interface or self.member
or self.peername or self.peerlabel):
raise AppArmorException(
_('dbus eavesdrop rules must not contain a name, path, interface, member or peer conditional'
))
elif self.access and self.name:
for msg in message_keywords:
if msg in self.access:
raise AppArmorException(
_('dbus %s rules must not contain a name conditional')
% '/'.join(self.access))
