# ----------------------------------------------------------------------
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
# Copyright (C) 2014-2017 Christian Boltz <apparmor@cboltz.de>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# ----------------------------------------------------------------------
from apparmor.common import AppArmorBug, hasher
from apparmor.rule.capability import CapabilityRuleset
from apparmor.rule.change_profile import ChangeProfileRuleset
from apparmor.rule.dbus import DbusRuleset
from apparmor.rule.file import FileRuleset
from apparmor.rule.network import NetworkRuleset
from apparmor.rule.ptrace import PtraceRuleset
from apparmor.rule.rlimit import RlimitRuleset
from apparmor.rule.signal import SignalRuleset
# Rule types that are stored as a dedicated *Ruleset object inside a
# ProfileStorage, keyed by the name of the corresponding storage entry.
# Each value is a small dict (currently only 'ruleset') so that further
# per-type attributes can be added without changing the lookup code.
ruletypes = dict(
    capability=dict(ruleset=CapabilityRuleset),
    change_profile=dict(ruleset=ChangeProfileRuleset),
    dbus=dict(ruleset=DbusRuleset),
    file=dict(ruleset=FileRuleset),
    network=dict(ruleset=NetworkRuleset),
    ptrace=dict(ruleset=PtraceRuleset),
    rlimit=dict(ruleset=RlimitRuleset),
    signal=dict(ruleset=SignalRuleset),
)
class ProfileStorage:
    '''Store the content (header, rules, comments) of one profile or hat.

    Behaves like a dict() with a fixed key set: every key is created in
    __init__, and reading or writing a key that does not exist raises
    AppArmorBug instead of silently growing the mapping, so a typo in a
    key name surfaces at the call site rather than as a missing entry
    when the profile is later serialized.
    '''

    def __init__(self, profilename, hat, calledby):
        '''Create the storage with every known key set to an empty value.

        profilename, hat and calledby are only recorded under 'info' for
        debugging purposes; nothing in this file reads that entry.
        '''
        store = dict()
        # Not consulted anywhere, but handy when inspecting a storage in a debugger.
        store['info'] = {'profile': profilename, 'hat': hat, 'calledby': calledby}

        # One freshly constructed ruleset object per rule type (capability, file, ...).
        for rule_name, spec in ruletypes.items():
            store[rule_name] = spec['ruleset']()

        # Plain mappings; a fresh dict() for each so that instances never share state.
        for mapping_key in ('alias', 'include', 'localinclude', 'lvar', 'repo'):
            store[mapping_key] = dict()

        # Scalar header fields.  'header_comment' and 'profile_keyword' are
        # currently only set by set_profile_flags(); 'profile' distinguishes
        # a profile from a hat.
        scalar_defaults = (
            ('filename', ''),
            ('name', ''),
            ('attachment', ''),
            ('flags', ''),
            ('external', False),
            ('header_comment', ''),
            ('initial_comment', ''),
            ('profile_keyword', False),
            ('profile', False),
        )
        for field_name, default in scalar_defaults:
            store[field_name] = default

        # Rule kinds that are not (yet) backed by a *Ruleset class live under
        # 'allow' and 'deny'.  'link' uses a hasher(); mount, pivot_root and
        # unix are read with a .get() fallback to list() elsewhere, but are
        # initialised anyway so the key set is complete.
        allowed, denied = dict(), dict()
        allowed['link'] = hasher()
        denied['link'] = hasher()
        for list_key in ('mount', 'pivot_root', 'unix'):
            allowed[list_key] = list()
            denied[list_key] = list()
        store['allow'] = allowed
        store['deny'] = denied

        self.data = store

    def __getitem__(self, key):
        '''Return the value stored under key.

        Raises AppArmorBug if key is not one of the keys created in __init__.
        '''
        if key not in self.data:
            raise AppArmorBug('attempt to read unknown key %s' % key)
        return self.data[key]

    def __setitem__(self, key, value):
        '''Replace the value stored under key.

        Raises AppArmorBug if key is not one of the keys created in __init__.
        The value itself is not validated (see the TODOs below), so a value of
        the wrong type is only noticed when the profile is written out.
        '''
        # TODO: Most of the keys (containing *Ruleset, dict(), list() or hasher()) should be read-only.
        # Their content needs to be changed, but the container shouldn't
        # Note: serialize_profile_from_old_profile.write_prior_segments() and write_prior_segments() expect the container to be writeable!
        # TODO: check if value has the expected type
        if key not in self.data:
            raise AppArmorBug('attempt to set unknown key %s' % key)
        self.data[key] = value

    def get(self, key, fallback=None):
        '''Return the value stored under key, dict.get()-style.

        Raises AppArmorBug if key is not one of the keys created in __init__.
        Because the key is verified to exist first, fallback is never actually
        returned; it is kept for call-site compatibility with dict.get().
        '''
        if key not in self.data:
            raise AppArmorBug('attempt to read unknown key %s' % key)
        return self.data.get(key, fallback)