def __init__(self, dbname=None, default_rank=10):
    """Load the severity database *dbname* into ``self.severity``.

    The database is a plain-text file. Blank lines and ``#`` comments
    are skipped; every other line must be either a path rule
    (``/path READ WRITE EXEC``, three integer ranks) or a capability
    rule (``CAP_NAME RANK``). Ranks must lie in 0..10 and any line of
    another shape is rejected, so a malformed or edited database fails
    at load time with the file name and line number instead of
    silently producing odd rankings.

    Path rules without ``*`` are stored under ``FILES``, keyed by the
    path with its leading slashes removed. Wildcard paths go into the
    ``REGEXPS`` tree: each literal component before the first wildcard
    becomes a nested dict key, and the remainder of the path (from the
    first wildcard component on) is converted with convert_regexp()
    and stored as a leaf under ``'AA_RANK'``.

    Args:
        dbname: path of the severity database to read.
        default_rank: stored as ``DEFAULT_RANK``; not consulted here.

    Raises:
        AppArmorException: if *dbname* is empty/None, or a line is
            malformed, has a rank outside 0..10, or is of an unknown
            type.
    """
    self.PROF_DIR = '/etc/apparmor.d'  # The profile directory
    # Marker used for rule types that carry no severity ratings at all.
    self.NOT_IMPLEMENTED = '_-*not*implemented*-_'

    self.severity = {
        'DATABASENAME': dbname,
        'CAPABILITIES': {},
        'FILES': {},
        'REGEXPS': {},
        'DEFAULT_RANK': default_rank,
        'VARIABLES': {},  # variable expansions for the profile
    }

    if not dbname:
        raise AppArmorException("No severity db file given")

    valid_ranks = range(0, 11)  # ranks are 0..10 inclusive

    with open_file_read(dbname) as database:
        for lineno, raw_line in enumerate(database, start=1):
            line = raw_line.strip()
            if line == '' or line.startswith('#'):
                continue

            if line.startswith('/'):
                fields = line.split()
                try:
                    path = fields[0]
                    read, write, execute = [int(field) for field in fields[1:]]
                except ValueError:
                    # Raised for a wrong field count as well as for a non-integer rank.
                    raise AppArmorException(
                        "Insufficient values for permissions in file: %s\n\t[Line %s]: %s"
                        % (dbname, lineno, line))
                if any(rank not in valid_ranks for rank in (read, write, execute)):
                    raise AppArmorException(
                        "Inappropriate values for permissions in file: %s\n\t[Line %s]: %s"
                        % (dbname, lineno, line))

                path = path.lstrip('/')
                ranks = {'r': read, 'w': write, 'x': execute}
                if '*' not in path:
                    self.severity['FILES'][path] = ranks
                else:
                    node = self.severity['REGEXPS']
                    pieces = path.split('/')
                    for index, piece in enumerate(pieces):
                        if '*' in piece:
                            # Everything from the first wildcard component on is
                            # one regexp leaf; the literal prefix forms the tree.
                            regexp = convert_regexp('/'.join(pieces[index:]))
                            node[regexp] = {'AA_RANK': ranks}
                            break
                        node = node.setdefault(piece, {})

            elif line.startswith('CAP_'):
                try:
                    resource, severity = line.split()
                    severity = int(severity)
                except ValueError:
                    raise AppArmorException(
                        'No severity value present in file: %s\n\t[Line %s]: %s'
                        % (dbname, lineno, line))
                if severity not in valid_ranks:
                    raise AppArmorException(
                        "Inappropriate severity value present in file: %s\n\t[Line %s]: %s"
                        % (dbname, lineno, line))
                self.severity['CAPABILITIES'][resource] = severity

            else:
                raise AppArmorException(
                    "Unexpected line in file: %s\n\t[Line %s]: %s"
                    % (dbname, lineno, line))
def _run_test(self, params, expected):
    """Assert that the regex in *params* ``(regex, path)`` matches *path* iff *expected*.

    Three evaluation routes are checked against the same expectation:
    the raw ``re`` pattern produced by convert_regexp(), AARE.match()
    with the path as a string, and AARE.match() with a literal
    (non-regex) AARE built from the path. The last check is skipped
    when the path itself contains glob characters, since it would no
    longer be a plain string.
    """
    regex, path = params

    compiled = re.compile(convert_regexp(regex))
    self.assertEqual(bool(compiled.search(path)), expected,
                     'Incorrectly Parsed regex: %s' % regex)

    aare = AARE(regex, True)
    self.assertEqual(aare.match(path), expected,
                     'Incorrectly parsed AARE object: %s' % regex)

    path_has_glob = any(char in path for char in '*{}?')
    if not path_has_glob:
        self.assertEqual(aare.match(AARE(path, False)), expected,
                         'Incorrectly parsed AARE object: AARE(%s)' % regex)
def _run_test(self, params, expected):
    """Assert that *params* ``(regex, path)`` matches iff *expected*.

    Checks both the raw ``re`` pattern from convert_regexp() (via
    search) and AARE.match() on the path string.
    """
    regex, path = params

    pattern = convert_regexp(regex)
    found = re.compile(pattern).search(path) is not None
    self.assertEqual(found, expected,
                     msg='Incorrectly Parsed regex: %s' % regex)

    matched = AARE(regex, True).match(path)
    self.assertEqual(matched, expected,
                     msg='Incorrectly parsed AARE object: %s' % regex)
def match(self, expression):
    '''Return True if *expression* (a string or an AARE) is matched by this regex.

    An AARE argument is reduced to its original regex text when it has
    one; an AARE without ``orig_regex`` cannot be matched textually, so
    the comparison falls back to is_equal(). Anything that is neither a
    string nor an AARE is a programming error and raises AppArmorBug.
    The compiled pattern is built on first use and cached in
    ``self._regex_compiled``; matching uses re.match, i.e. it is
    anchored at the start of the string (the pattern itself decides
    whether the end is anchored).
    '''
    if type(expression) is AARE:
        if not expression.orig_regex:
            return self.is_equal(expression)  # better safe than sorry
        expression = expression.orig_regex
    elif not type_is_str(expression):
        raise AppArmorBug('AARE.match() called with unknown object: %s' % str(expression))

    compiled = self._regex_compiled
    if compiled is None:
        compiled = self._regex_compiled = re.compile(convert_regexp(self.regex))
    return bool(compiled.match(expression))
def _run_test(self, params, expected):
    """Assert that convert_regexp() turns the pattern *params* into *expected*."""
    actual = convert_regexp(params)
    self.assertEqual(actual, expected)
def __init__(self, dbname=None, default_rank=10):
    """Read the severity database *dbname* and build ``self.severity``.

    Recognised line types are ``#`` comments and blank lines (ignored),
    path rules ``/path READ WRITE EXEC`` with integer ranks in 0..10,
    and capability rules ``CAP_NAME RANK``. Every other line, and any
    rank outside 0..10, raises AppArmorException naming the file and
    line, so an unexpected database layout is never half-loaded.

    Plain paths land in ``FILES`` (leading slashes stripped); paths
    containing ``*`` are filed in the ``REGEXPS`` tree, keyed by their
    literal leading components, with the tail starting at the first
    wildcard component converted by convert_regexp() and stored under
    ``'AA_RANK'``.

    Args:
        dbname: severity database to read; empty/None is an error.
        default_rank: recorded as ``DEFAULT_RANK`` for other code to use.

    Raises:
        AppArmorException: on a missing database name or any malformed
            line.
    """
    self.PROF_DIR = '/etc/apparmor.d'  # The profile directory
    # Placeholder used for rule types that have no severity ratings.
    self.NOT_IMPLEMENTED = '_-*not*implemented*-_'

    self.severity = dict()
    self.severity['DATABASENAME'] = dbname
    self.severity['CAPABILITIES'] = {}
    self.severity['FILES'] = {}
    self.severity['REGEXPS'] = {}
    self.severity['DEFAULT_RANK'] = default_rank
    self.severity['VARIABLES'] = dict()  # variable expansions for the profile

    if not dbname:
        raise AppArmorException("No severity db file given")

    files = self.severity['FILES']
    regexps = self.severity['REGEXPS']
    capabilities = self.severity['CAPABILITIES']

    def store_path_rule(path, ranks):
        """File a path rule; wildcard paths go into the REGEXPS tree."""
        path = path.lstrip('/')
        if '*' not in path:
            files[path] = ranks
            return
        node = regexps
        pieces = path.split('/')
        for index, piece in enumerate(pieces):
            if '*' in piece:
                # From the first wildcard component on, the rest of the
                # path is stored as a single converted-regexp leaf.
                node[convert_regexp('/'.join(pieces[index:]))] = {'AA_RANK': ranks}
                return
            node = node.setdefault(piece, {})

    def fail(template):
        """Raise for a malformed line, quoting file name, line number and text."""
        raise AppArmorException(template % (dbname, lineno, line))

    with open_file_read(dbname) as database:
        for lineno, line in enumerate(database, start=1):
            line = line.strip()
            if line == '' or line.startswith('#'):
                continue

            if line.startswith('/'):
                try:
                    path, read, write, execute = line.split()
                    ranks = {'r': int(read), 'w': int(write), 'x': int(execute)}
                except ValueError:
                    # Wrong field count and non-integer ranks both end up here.
                    fail("Insufficient values for permissions in file: %s\n\t[Line %s]: %s")
                else:
                    if not all(rank in range(0, 11) for rank in ranks.values()):
                        fail("Inappropriate values for permissions in file: %s\n\t[Line %s]: %s")
                    store_path_rule(path, ranks)

            elif line.startswith('CAP_'):
                try:
                    resource, severity = line.split()
                    severity = int(severity)
                except ValueError:
                    fail('No severity value present in file: %s\n\t[Line %s]: %s')
                else:
                    if severity not in range(0, 11):
                        fail("Inappropriate severity value present in file: %s\n\t[Line %s]: %s")
                    capabilities[resource] = severity

            else:
                fail("Unexpected line in file: %s\n\t[Line %s]: %s")
def in_subtree(subtree, topic):
    """Return True if *topic* is matched by the pattern of any entry in *subtree*.

    Each entry's ``value`` is run through convert_regexp() and applied
    with re.search, so a hit anywhere in *topic* counts unless the
    converted pattern anchors itself. Stops at the first match; an
    empty subtree yields False.
    """
    return any(
        re.compile(convert_regexp(entry.value)).search(topic)
        for entry in subtree
    )