HEX
Server: LiteSpeed
System: Linux php-prod-1.spaceapp.ru 5.15.0-157-generic #167-Ubuntu SMP Wed Sep 17 21:35:53 UTC 2025 x86_64
User: xnsbb3110 (1041)
PHP: 8.1.33
Disabled: NONE
$ pwd: /proc/676643/root/lib/python3/dist-packages/apparmor/__pycache__/
Upload Files
File: //proc/676643/root/lib/python3/dist-packages/apparmor/__pycache__/aa.cpython-310.pyc
o

T��e��@sddlmZmZddlZddlZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZ
ddlZ
ddlZ
ddlmZddlmZddlmZmZmZmZmZmZmZmZmZmZddlm Z!ddl"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2ddl3m4Z4ddl5m6Z6m7Z7m8Z8ddl9m:Z;dd	l<m=Z=dd
l>m?Z?ddl@mAZAddlBmCZCdd
lDmEZEddlFmGZGddlHmIZIddlJmKZKddlLmMZMddlNmOZOddlPmQZQddlRmSZSddlTmUZUddlVmWZWddlXmYZYeY�ZZed�Z[da\da]da^da_da`daadabdaced�aee4�afe4�ZgiZhe�Zie�aje�ake�Zled�ZmgZned�Zodd�Zpdd�Zqe
�req�dd�Zsdd �Ztd�d#d$�Zud%d&�Zvd'd(�Zwd)d*�Zxd�d,d-�Zyd�d.d/�Zzd0d1�Z{d2d3�Z|d4d5�Z}d6d7�Z~d8d9�Zd:d;�Z�d<d=�Z�d>d?�Z�d@dA�Z�dBdC�Z�dDdE�Z�dFdG�Z�dHdI�Z�d�dJdK�Z�dLdM�Z�dNdO�Z�dPdQ�Z�d�dSdT�Z�dUdV�Z�dWdX�Z�dYdZ�Z�d[d\�Z�d]d^�Z�d_d`�Z�dadb�Z�dcdd�Z�dedf�Z�dgdh�Z�didj�Z�dkdl�Z�dmdn�Z�dodp�Z�dqdr�Z�dsdt�Z�dudv�Z�dwdx�Z�dydz�Z�d{d|�Z�d�d}d~�Z�d�dd��Z�d�d�d��Z�d�d��Z�d�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d�d��Z�d�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d�d„Z�dS)��)�division�with_statementN)�deepcopy)�AARE)
�AppArmorException�AppArmorBug�is_skippable_file�open_file_read�
valid_path�hasher�
split_name�type_is_str�open_file_write�DebugLogger)�RE_PROFILE_START�RE_PROFILE_END�RE_PROFILE_BOOLEAN�RE_PROFILE_CONDITIONAL�RE_PROFILE_CONDITIONAL_VARIABLE�RE_PROFILE_CONDITIONAL_BOOLEAN�RE_PROFILE_CHANGE_HAT�RE_PROFILE_HAT_DEF�RE_PROFILE_MOUNT�RE_PROFILE_PIVOT_ROOT�RE_PROFILE_UNIX�RE_RULE_HAS_COMMA�RE_HAS_COMMENT_SPLIT�strip_quotes�parse_profile_start_line�re_match_include)�ProfileList)�ProfileStorage�add_or_remove_flag�	ruletypes)�AbiRule)�	AliasRule)�CapabilityRule)�ChangeProfileRule)�DbusRule)�FileRule)�IncludeRule)�NetworkRule)�
PtraceRule)�
RlimitRule)�
SignalRule)�VariableRule)�MessageQueueRule)�quote_if_needed)�init_translation�aacCst�at�at�at�adS)z] Reset the most important global variables

        Used by aa-mergeprof and some tests.
    N)rr3�dict�includer �active_profiles�original_aa�r8r8�-/usr/lib/python3/dist-packages/apparmor/aa.py�reset_aars
r:cCst�d�t��dS)z:Shutdowns the logger and records exit if debugging enabledz	Exiting..N)�debug_logger�debug�shutdownr8r8r8r9�on_exits
r>cCs�tj�|�sdSt�|�j}|dkrdSt|d��}|D]}d|vs&d|vr/Wd�dSqWd�dS1s;wYdS)z�Returns True if specified program contains references to LD_PRELOAD or
    LD_LIBRARY_PATH to give the Px/Ux code better suggestionsFi���rbs
LD_PRELOADsLD_LIBRARY_PATHNT)�os�path�isfile�stat�st_size�open)�file�size�f_in�liner8r8r9�check_for_LD_XXX�s ��
��rJcCsFt�t���}d�|�}|d|}t�|�t�|�t�	d�dS)N�z

�)
�	traceback�format_list�
extract_stack�joinr;�error�aaui�UI_Important�sys�exit)�message�tb_stackr8r8r9�fatal_error�s


rX�/proc/filesystems�/proc/mountscCs�d}d}t|�r)t|��}|D]
}d|vrd}nqWd�n1s$wYt|�ru|rut|��:}|D]&}|��}t|�dkr\|ddkr\|dd}t|�r\t|d�r\|}n	q6Wd�|SWd�|S1spwY|S)	z<Finds and returns the mountpoint for apparmor None otherwiseFN�
securityfsT�rLz	/apparmorz	/profiles)r
r	�split�len)�
filesystem�mounts�support_securityfs�
aa_mountpointrHrIr]�
mountpointr8r8r9�check_for_apparmor�s:
���
��
�
�
�
�
rdcCsVtjdkr
t�|�St�d��d�}|D]}tj�||�}t�	|tj
�r(|SqdS)z<Returns the executable fullpath for the file, None otherwise)�re�PATH�:N)rT�version_info�shutil�whichr@�getenvr]rArP�access�X_OK)rF�env_dirs�env_dir�env_pathr8r8r9rj�s

�rjcCs�|}d}|�d�stj�t��|�}tj�|�rJ|d7}|dkr(ttd�|�tj�|�\}}t�	|�}|�d�r=|}ntj�||�}tj�|�stj�
|�S)z1Return the full path after resolving any symlinksr�/rL�@z*Followed too many links while resolving %s)�
startswithr@rArP�getcwd�islinkrX�_r]�readlink�realpath)�
original_pathrA�
link_count�direcrF�linkr8r8r9�
get_full_path�s


�r}cCsNd}tj�|�r
t|�}nd|vrt|�}|rt|�}|r%tj�|�r%|SdS)zIReturns the full executable path for the given executable, None otherwiseNrq)r@rA�existsr}rj)�bin_path�full_bin�env_binr8r8r9�find_executable�s
r�FcC�"t�|�}|r	|S|rt|�SdS)z8Returns the full profile name for the given profile nameN)r6�filename_from_profile_name�get_new_profile_filename��profile�get_new�filenamer8r8r9�&get_profile_filename_from_profile_name��
�r�cCr�)z6Returns the full profile name for the given attachmentN)r6�filename_from_attachmentr�r�r8r8r9�$get_profile_filename_from_attachment�r�r�cCs>|�d�r|dd�}nd|}|�dd�}tj�t|�}|S)z"Compose filename for a new profilerqrLN�profile_�.)rs�replacer@rArP�profile_dir)r��full_profilenamer8r8r9r��s
r�cCsP|�t�r|�td�d}||fSt|�}|r&t|d�}tj�|�r&||fSdS)zReturns the profilerLT�NN)rsr�r]r�r�r@rArB)�
prof_filenamer�rr8r8r9�name_to_prof_filenames

r�cC�.t|�\}}|sttd�|�t||�dS)z.Sets the profile to complain mode if it exists�
Can't find %sN)r�rXrv�set_complain�rAr��namer8r8r9�complain�r�cCr�)z-Sets the profile to enforce mode if it existsr�N)r�rXrv�set_enforcer�r8r8r9�enforcer�r�cCsLt�td�|dur|n|�td|�t||gd�d�t||dd�dS)z!Sets the profile to complain modezSetting %s to complain mode.N�disable)r��kill�
unconfined�promptFr�T�rR�UI_Inforv�delete_symlink�change_profile_flags�r��programr8r8r9r�"s
r�cCsHt�td�|dur|n|�td|�td|�t||gd�d�dS)z Sets the profile to enforce modezSetting %s to enforce mode.Nzforce-complainr�)r�r�r�r�Fr�r�r8r8r9r�+s

r�cCsH|}t�dtdt|f|�}||kr tj�|�r"t�|�dSdSdS)N�^%s�%s/%s)�re�subr�r@rAru�remove)�subdirr�rAr|r8r8r9r�2s
�r�cCs�|}tj�|�}|sttd�|��t�dtdt|f|�}tj�|�}tj�	|�s0t�
|�tj�	|�sNz	t�||�WdSttd�||d���dS)NzUnable to find basename for %s.r�r�z.Could not create %(link)s symlink to %(file)s.)r|rF)r@rA�basenamerrvr�r�r��dirnamer~�makedirs�symlink)r�r�rA�bnamer|�symlink_dirr8r8r9�create_symlink8s
�r�c	Cstd}tj�|�r2t|��}z|����}Wn	tyYnw|Wd�S1s+wYdSttd�|��)z'Returns the first/head line of the filerKNz1Unable to read first line from %s: File Not Found)	r@rArBr	�readline�rstrip�UnicodeDecodeErrorrrv)rF�firstrHr8r8r9�headMs
�$�r�c
Cs�z	t�|�}d}Wn3ty$}zttd�|dt|�d���d}~wtjy<}z|j}|j}WYd}~nd}~ww|�	d��
d�}|t|�ddkrS|��||fS)	z^Runs the program with the given args and returns the return code and stdout (as list of lines)rz&Unable to fork: %(program)s
	%(error)s)r�rQNzutf-8�
rLrK)
�
subprocess�check_output�OSErrorrrv�str�CalledProcessError�output�
returncode�decoder]r^�pop)�paramsr��ret�er8r8r9�
get_outputZs
���r�c	Cs�t�d�}t�d�}g}t�td�d��pd}tj�|�r%t�	|tj
�s)td��t||g�\}}|dks9|dkrt|D]8}d	|vrD|Sd
|vrK|Sd|vrR|S|�
|�}|rc|�|��d�q;|�
|�}|rs|�|��d�q;|S)z'Returns a list of paths from ldd outputz^\s*\S+ => (\/\S+)z^\s*(\/\S+)�settings�lddz/usr/bin/lddzCan't find lddrrLznot a dynamic executablezcannot read headerzstatically linked)r��compile�conf�find_first_file�cfg�getr@rArBrl�EX_OKrr��search�append�groups)	rF�pattern1�pattern2�reqsr�r��ldd_outrI�matchr8r8r9�get_reqsns4

�
�
�
�r�cCs�t�}t|�}|rS|��}t|�}|�|d�s%t|�r!|t|�7}d||<t|ddtjddd�}t|d|�sOt|�}|rHt|dddtjdd�}|d�	|�|s	dSdS)	z,Modifies the profile to add the requirementsFT�mrN��owner�	log_eventrFr�r�)
r4r�r�r}r�r)�ALL�
is_known_rule�glob_common�add)r�rA�reqs_processedr��library�library_rule�globbed_libraryr8r8r9�
handle_binfmt�s �r�cCs�tj�|�st�td�|�dStj�|�s"t�td�|�dSt|�}|�d�s-dS|dd��	��
�d}t|�}t�
dd	|�}|d
vrNd}||fS|dkrXd
}||fSt�d|�rdd}||fSt�d|�rpd}||fSd}||fS)a8Check if exec_target is a script.
       If a hashbang is found, check if we have an abstraction for it.

       Returns (interpreter_path, abstraction)
       - interpreter_path is none if exec_target is not a script or doesn't have a hashbang line
       - abstraction is None if no matching abstraction existsz!Execute target %s does not exist!r�z Execute target %s is not a file!z#!r\Nrz
^(/usr)?/bin/rK)�bash�dash�shzabstractions/bash�perlzabstractions/perlz^python([23]|[23]\.[0-9]+)?$zabstractions/pythonz^ruby([0-9]+(\.[0-9]+)*)?$zabstractions/ruby)r@rAr~rRrSrvrBr�rs�stripr]r}r�r�r�)�exec_target�hashbang�interpreter�interpreter_path�abstractionr8r8r9�get_interpreter_and_abstraction�s4

����r�c	Cs�t�}td|d�||<d||d<tj�td�tvr(||d�tddd��n	t	�
td	�d�tj�|�r�tj�
|�r�t|�\}}|r�||d
�t|ddtjdd��||d
�t|dd
tjdd��|r�tj�t|�tvr�||d�t|dd��n	t	�
td	�|�t|||�n||d
�t|ddtjdd��t|||�td��D])}t�||�r�ttd|���D]}|�|d�s�td|d�||<d||d<q�q�|s�t�|�dt|<t�d||��f�||iS)N�NEWzcreate_new_profile()r��flagszabstractions/base�inc_ieFTzCWARNING: Can't find %s, therefore not adding it to the new profile.rF�rr��ixr��
required_hatsz"create_new_profile() required_hatszProfile for %s:
	%s)rr!r@rArPr�r5r�r*rRrSrvr~rBr�r)r�r�r��keysr�r��sortedr]r��createdr��changedr;r<�__str__)�	localfile�is_stub�
local_profiler�r��hatglob�hatr8r8r9�create_new_profile�s<"""�
rcCs>t|d�}tj�|�rt�|�t�|d�rt�|�dSdS)zDDeletes the specified file from the disk and remove it from our listTFN)r�r@rArBr�r3r�r�)�
local_prof�profile_filer8r8r9�delete_profile�s

�rcCsJt�td�d�}|dkr#t�td��tD]}t|�qt�d�dSdS)NzFAre you sure you want to abandon this set of profile changes and exit?�n�yzAbandoning all changes.r)rR�UI_YesNorvr�r�rrTrU)�ans�profr8r8r9�confirm_and_abort�s
�rcCs@t�|d�sdS|t|i}d|||d<|||d}d|||d<t|�}tj�|�s5t�|�d|}|t|||i�|d�i}|g}t��}d	|g|_	gd
�|_
d|_||_d|_
d}d
|vr�d|vr�|��\}}	|||	}
|�||	�|_
|dkr�t�||�n
|d
kr�t�|�|
dSd
|vr�d|vsjdS)z?search for inactive/extra profile, and ask if it should be usedFNr�r�r�rKzInactive local profile for %s)r��profile_data�Profile)�CMD_VIEW_PROFILE�CMD_USE_PROFILE�CMD_CREATE_PROFILE�	CMD_ABORTrrrrr
)�extrasr�r�r6�files�	init_file�serialize_profilerR�PromptQuestion�headers�	functions�default�options�selected�
promptUser�index�UI_ShowFiler�r�)�	prof_name�inactive_profile�
orig_filenamer��uname�profile_hashr�qr
�arg�pr8r8r9�get_profilesD
��


�
r(rKcCs�d}|r
t|�}|sdSn|}|}t�t|�}|st|�}t|d�}||||d<tt|�tt|�|||d}|sL|�d�rLt	�
|||�nt	�
|||�tj�
td�ret	�|tddd��tj�
td�rwt	�|td	dd��t|�dS)
NTr��
attachmentrqz/abi/3.0zabi/3.0Fz/tunables/globalztunables/global)r��read_inactive_profilesr(rr��attach_profile_datar3r7rsr6�add_profiler@rArBr��add_abir$�
add_inc_ier*�write_profile_ui_feedback)�bin_name�pname�bin_fullr
rFr)r8r8r9�autodep4s2�


r3cCs�d}t|��N}|D]C}t�|�rLt||�}|ddur#t|dd�}nt|dd�}|d}|dur7|�|�sA|dusA||dkrL|Wd�Sq	Wd�n1sWwYttd�|��)NrKr)Tr�r�z%s contains no profile)r	rr�rrr�rrv)r�r�r�rHrI�matches�profile_globr8r8r9�get_profile_flagsZs 


&���r6c	Cs�d}|rt|�r|��dkrtd|��t|���}tjd|ddtd�}t�||j	�t
|j	���}|D]�}t�|�r�t
||�}	|	dpDd}
|	d}|	d	}d
�t|||��}
|	ddurdt|	dd
�}nt|	dd�}|durt|�|�s~|dus~||	dkr�d
}|dur�||kr�t�td�|�|	dp�d|
|	d|	dp�d|	dd�}t|t|
�d|dd
�}d|d}nJt�|��rt�|�}	|	�d�p�d}
|	�d�}|	�d�}|	d	}d
�t|||��}
|	�d�p�d}|r�d|}|
r�d|
|||
|f}nd|
|||f}|�|�q3Wd�n	1�swYWd�n	1�s#wYt�|j	|�|�sH|du�r?tdd|i��td||d���dS)z<Reads the old profile file and updates the flags accordinglyFrKzNew flag for %s is empty�w�~)�prefix�suffix�delete�dir�leadingspacer�r�z, r)NTz0Warning: profile %s represents multiple programs�profile_keyword�comment�xattrs)r)r�r>�header_commentr@r\z%s
r�hat_keywordr� %sz%s%s%s flags=(%s) {%s
z%s%s%s {%s
z8%(file)s doesn't contain a valid profile (syntax error?)rFzH%(file)s doesn't contain a valid profile for %(profile)s (syntax error?)�rFr�)r
r�rr	�tempfile�NamedTemporaryFiler�ri�copymoder�rrr�rrPr"rr�rRr�rv�write_headerr^r�group�writer@�renamer)r�r��flag�set_flag�foundrH�	temp_file�f_outrIr4�spacer��	old_flags�newflagsr5�header_datarBrr?r8r8r9r�msl

&

��


����/
�r�cCs0t�|�rdSt|d�}tj�|�rtd��dS)z/Returns True if profile exists, False otherwiseTzGReached strange condition in profile_exists(), please open a bugreport!F)r6r�r�r@rArBr)r��	prof_pathr8r8r9�profile_exists�s

rVcCsg}d}|rAd|vr7|�d�d|vr|�d�d}d|vr%|�d�d}d	|vr0|�d
�d}|r7|�d�d|vr@|�d
�n:d|vrJ|�d�d|vrU|�d�d}d|vr`|�d�d}d	|vrk|�d�d}d|vrt|�d
�|r{|�d�|gd�7}|S)NF�i�CMD_ixr'�CMD_pixT�c�CMD_cixr�CMD_nix�CMD_EXEC_IX_OFF�u�CMD_ux�CMD_cx�CMD_px�CMD_nx�CMD_EXEC_IX_ON��CMD_DENYr�CMD_FINISHED)r�)rr�exec_toggle�ret_list�fallback_toggler8r8r9�build_x_functions�sH





�





rjc
Cs�|D�]@}||D�]8}d|||dvr(|||d��r(t�d|�q	|||dD�]}|�d�d}t|�|d�rCq0d}t�d�D]}t�	||�rXtd|}qJ|}|d	|}t
�|d
�}|dvr�t��}	|	jt
d�|g7_|r�|	jt
d
�|g7_|	jt
d�|g7_|	j�d�|r�|	j�d�|	jgd�7_d|	_|dkr�d|	_|	��d}|dkr�t�dS|dvsk|t
|<|dkr�t||d�t||<t||dt||d<d||f|||d<dt|<q0|dk�r3|}d||f|||d<t|�|d��s2t||d�t||<t||dt||d<dt|<q0|dk�rAd|||d<q0q0q	qdS)z<ask the user about change_hat events (requests to add a hat)�//�
final_name�
change_hatzHIgnoring change_hat event for %s, nested profiles are not supported yet.���FN�
defaulthatz -> ^%s�
XXXINVALIDXXX)�
CMD_ADDHAT�CMD_USEDEFAULTrerzDefault Hat�
Requested Hatrqrrrdre�
PERMITTINGrrfzask_addhat addhatr��%s//%sTzask_addhat default hatrK)r�rRrSr]r3r�r�rr�r��transitionsrrrvrr�rr�
save_profilesr!r�)
�hashlog�aamoder��full_hatr�default_hatr�contextr
r%r8r8r9�
ask_addhat�sp
(�
�

�
����r}cCs�|D�]�}||D�]�}d|||dvr.|||d��r.t�d|||d�q	|}|||dD�]�}|||d|D�]�}d}tj�|�rVtd|��t||s]qEt|dtj	tj
dd	d
�}tt||d|�rtqEd}d}		td�
|d
�}
|
�dd�|
d7}
d}d|
vr�tj�t|d	��r�d}tj�td�t|d	��nd|
vr�d}nd|
vr�d}n	d|
vr�d}nd}t|�}t|�}
|
r�tj�
|
�r�t�t�|
ttj|
���nt�i�t�|d�}t��}|jtd�t ||�g7_|jtd�|g7_|jtd�|g7_d}|j!t"||
|�7_!d}|dv�r�|�#�d}|�$d��rA|}t"||
|�|_!d}�q"|d k�rOt%�dS|dk�sY|d!k�r�|}d}||k�rjt�&td"�d�}|d#k�rz|dk�rwd}n
d$}n
|dk�r�d}nd%}t�'td&�|�}|dk�r�d'}nP|d(v�r�|�d)d�}td*�}|�r�td+�}t�&|d#�}|d#k�r�|�(�}n*|d,k�r�d-}t�&td.�|d�}|d#k�r�t�&td/�d#�}|d#k�r�|�(�}nd0}|dv�s'|�r�d|v�r�d1}	n2|d2k�r&t||d�)t|ddtj
dd	d	d3��d	t*|<|�r%||�
|��r%d|||d<qE|d2k�r�|�r1|}ntj
}t||d�)t||	||dd	d
��d	t*|<d|v�r�t+|�\}}|�r�t|d4dtj
dd5�}t|dd'tj
dd5�}tt||d|��s�t||d�)|�tt||d|��s�t||d�)|�|�r�t,|dd	�}t||d6�-|��s�t||d6�)|�t.t|||�|dk�r�|�r�||�
|��r�||||d<qEt/�0d7|��rE|�r�|}|�r�||�
|��r�||||d<tj�t|d	���sDd#}d|v�rt�&td8�|d�}|d#k�r1d9t1|<|�r't2d|�nt2|d�t3|�qE|�rD||�
|��rD||||d<qE|�$d��sQ|�$d$��r�|�rV|}t|�
|d��s�d#}d|v�rpt�&td8�|d�}|d#k�r�t|�
|d��s�t4|d	�}|||t||<d	t||d:<||k�r�t||d;t||d;<d<t||d;<|�r�||�
|��r�d=||f|||d<qE|�r�||�
|��r�||||d<qE|�$d,��r�qEqEq8q	qdS)>z_ask the user about exec events (requests to execute another program) and which exec mode to userkrl�execzJWARNING: Ignoring exec event in %s, nested profiles are not supported yet.rKz^exec permissions requested for directory %s. This should not happen - please open a bugreport!NFTr�rF�
qualifiers�ipcnurZ�dr'razTarget profile exists: %s
rWrXr`rrb�DENY�xr�Execute�Severity)	rXrar`rbrYr[r\r_rer�CMD_EXEC_IX_rfr\z3Are you specifying a transition to a local profile?rr[rYz%Enter profile name to transition to: r�)rar`rYr[�CMD_z�Should AppArmor sanitise the environment when
switching profiles?

Sanitising environment is more secure,
but some applications depend on the presence
of LD_PRELOAD or LD_LIBRARY_PATH.z�Should AppArmor sanitise the environment when
switching profiles?

Sanitising environment is more secure,
but this application appears to be using LD_PRELOAD
or LD_LIBRARY_PATH and sanitising the environment
could cause functionality problems.r_�uxz�Launching processes in an unconfined state is a very
dangerous operation and can cause serious security holes.

Are you absolutely certain you wish to remove all
AppArmor protection when executing %s ?z�Should AppArmor sanitise the environment when
running this program unconfined?

Not sanitising the environment when unconfining
a program opens up significant security holes
and should be avoided if at all possible.�INVALIDr�re)r�r��denyr�r�r�z^CMD_(px|nx|pix|nix)z;A profile for %s does not exist.
Do you want to create one?r�r�r�r�ru)5r�rRrSr@rA�isdirrr3r)�ANY_EXECr�r�r�r�r�r~r�rT�stdoutrJrvrJr�r6r�sev_db�
set_variables�get_all_merged_variables�include_list_recursive�	rank_pathrr�combine_namerrjrrsrwr	�UI_GetString�
capitalizer�r�r�r*�
is_coveredr�r�r��helpersr3�reload_baser)rxryr�rr��target_profile�to_name�
exec_event�	exec_mode�	file_permrr�parent_uses_ld_xxxr��severityr%rgr
r&�ynans�px_msg�rule_to_namer�r��exec_target_rule�interpreter_rule�abstraction_rule�stub_profiler8r8r9�ask_exec,sR
(









�


�
�6
*
&

�



�



��������r�cCs(t|�}||vr
|�|�|�|�|S)z7Returns the globs in sorted order, more specific behind)r�r�r�)�globsryr8r8r9�order_globss


r�c	
s�t|���D�]b}|dkrt�td��n|dkr!t�td��n
|dkr&nttd�|��t||���D�]1�t��}|rTtj�	|�rTt
�t�|t
tj|���nt
�i�tt�fdd�t||������}||��	�d	�r{�g|}|D]�}t��	|i��	d
��s1|dkr�t�dt�|��q}d}|d
vr�t��}|jtd��g7_||�|dr�|jtd�|g7_|j�d�n|jtd�|g7_|j�d�|jgd�7_d|_|��d}|dkr�dS|d
vs�|dk�rq}||�|d�rt�|d�t�|<dt�|d<nt�|d�t�|<d	t�|d<t�|t�|||�|�t||�|t�|�t�|t�\}}|�r_dt�<|�rgdSq}q6qdS)NrtzComplain-mode changes:�	REJECTINGzEnforce-mode changes:�mergezInvalid mode found: %sc�|�kS�Nr8)�key�r�r8r9�<lambda>;�z#ask_the_questions.<locals>.<lambda>FrFz+Ignoring events for non-existing profile %srK)rq�CMD_ADDSUBPROFILErerr�zRequested Subprofiler�rsrqrdrerrfz2mergeprof ask_the_questions() - missing subprofileTz+mergeprof ask_the_questions() - missing hat)r�r�rRr�rvrr�r6rr�r�r�r�r��list�filterr3r;r<r�rrrr�rrr!�ask_conflict_mode�ask_rule_questionsr#r�)	�log_dictryr��hatsrr
r%�prof_changed�
end_profilingr8r�r9�ask_the_questions'sj
&

�
",
����r�c
CsVd}|D�]!}||jD�]}t|||�rqd}g}t|||�}	t��}
|	r5|ttdd�tt|	����7}|dkrD|j	rD|t
||�7}n|�|���d}|�s%||
_
|d|
_td�|g|
_|
j|��7_|�t�}|tjkr}|
jtd�|g7_t|�|
_d|
_|jd	kr�d
|
_|
��\}
}||}|
dkr�d}�n�|
d
kr�|dfS|
�d�r�|
dkr�d|_d|_nd|_d|_t||�}�n[|
�d�r�|
dkr�d|_d|_nd|_d|_t||�}�n>|
d
k�rBd}d}t |�}|�rt!|||�}|d�"t#�$|��t�%td�|�|�rt�%td�|��nt&||�}||j"|dd�}t�%td�|���|�rAt�%td�|�n�|
dk�r�t |��rRt�'d�n�d}d}t&||�}d|_(d|_||j"|dd�}t�%td�|���|�r�t�%td�|�n�|
dk�r�t |��s�t&||�}|�)�t*||�+��\}}n�|
dk�r�t |��s�t&||�}|�,�t*||�+��\}}ng|
dk�r!t |��s t&||�}|�-�\}}t�.||�}|�r z|�/|�}Wnt0�y�t�'td��YqMw|�std�||d�}t�1|d�}|dk�rqM|�2|�t*||�+��\}}t3|d�t4|<nd}|rPqq|dfS)a� ask questions about rules to add to a single profile/hat

        parameter       typical value
        prof_events     log_dict[aamode][profile][hat]
        profile_name    profile name (possible profile//hat)
        the_profile     aa[profile][hat] -- will be modified
        r_types         ruletypes

        returns:
        changed         True if the profile was changed
        end_profiling   True if the user wants to end profiling
    FrLcS�d|S)Nzinclude <%s>r8)�incr8r8r9r��r�z$ask_rule_questions.<locals>.<lambda>rFrr�rert�	CMD_ALLOW�CMD_IGNORE_ENTRYTrf�	CMD_AUDIT�
CMD_AUDIT_NEWN�	CMD_USER_�CMD_USER_ONr�zAdding %s to profile.z-Deleted %s previous matching profile entries.)�cleanupzADenying via an include file isn't supported by the AppArmor tools�CMD_GLOB�CMD_GLOBEXT�CMD_NEWzDThe path you entered is invalid (not starting with / or a variable)!z�The specified path does not match this log entry:

  Log Entry: %(path)s
  Entered Path:  %(ans)s
Do you really want to use this path?)rAr
r)5�rulesr��match_includesrRrr��mapr��setrA�propose_file_rulesr��	get_cleanrrrvr�logprof_headerr�r��NOT_IMPLEMENTED�available_buttonsrrr�rrs�audit�raw_rule�set_options_audit_moder��set_options_owner_moder�delete_all_duplicatesr�r*�parser��selection_to_rule_objrSr��glob�add_to_options�get_raw�glob_ext�edit_headerr��
validate_editrr	�
store_editr�
user_globs)�prof_events�profile_name�the_profile�r_typesr��ruletype�rule_obj�default_optionr�newincludesr%�doner�r
r�	selectionr��deleted�globbed_rule_obj�
edit_rule_objr��oldpath�newpath�input_matches_path�ynpromptr�r8r8r9r�qs�








�
�


�


�


�


�

����r�cCst|�}|�|�Sr�)�typer�)r�r��	rule_typer8r8r9r�s
r�cC�t||d�S)z~change audit state in options (proposed rules) to audit state in rule_obj.
       #include options will be kept unchanged
    r���set_options_mode�r�rr8r8r9r��r�cCr�)z~change owner state in options (proposed rules) to owner state in rule_obj.
       #include options will be kept unchanged
    r�r�r�r8r8r9r�r�r�cCstg}|D]3}t|�r|�|�qt||�}|dkr|j|_n|dkr'|j|_ntd|��d|_|�|���q|S)zH helper function for set_options_audit_mode() and set_options_owner_moder�r�z2Unknown "what" value given to set_options_mode: %sN)rr�r�r�r�rr�r�)r�r�what�new_options�rule�parsed_ruler8r8r9r�$s


r�cCs�g}|js
|dg7}|ddg7}|jr|dg7}|jr |dg7}|jr(|dg7}|jr1|dg7}n|dg7}|jrG|jrB|d	g7}n|d
g7}|ddg7}|S)
Nr�rer�r�r�r��
CMD_AUDIT_OFFr��CMD_USER_OFFr�rrf)r��can_glob�can_glob_ext�can_editr��	can_ownerr�)r��buttonsr8r8r9r�9s&





r�cCs(||vr	|�|�|�|�d}||fS)NrL)r�r)rr�r�r8r8r9r�Ys
r�cCs<d}t�|d�r|D]}|||�t|||�7}q
|S)NrF)r5r��delete_duplicates)r��incnamer�r�r�r8r8r9r�`s
 r�cCs|djD]�}|d�|�}|jr�t��}td�|jjg|_|jtd�dg7_g}|�|�	��|jD]	}|�|�	��q5||_
ddg|_d}	|	s�|��\}
}|
dkr�|dkrZn|dkrr|d�
|�|d�|j|d	�nttd
���|jD]	}|d�
|�q{d}	|	rKqdS)
z%ask user about conflicting exec rulesrF�PathzSelect the appropriate moderKr�rFrrLzUnknown selectionTN)r��get_exec_conflict_rulesrRrrvrA�regexrr�r�rrrr;r�r)r�r�old_profile�
merge_profile�oldrule�conflictingrulesr%rr�r�r
rr8r8r9r�ks8


���r�cCs�g}t��D]F}|�tdd�}|�d�rd}nd}|r(|d�t|d|��r(q|�d�r.qt|�rLt|||�|�rLt||ddkrL|�|�q|S)	z� propose abstractions that allow the given rule_obj

        Note: This function will return relative paths for includes inside profile_dir
    rqrKFTr�zlocal/�logprof_suggest�no)	r5r�r�r�rsr�r*�
valid_includer�)r�r�r�r�r�rel_incname�is_magicr8r8r9r��s


�r�cCsrtddrtdd��D]	}||krdSq|�d�r*tj�tj�t|��r*dS|�d�r7tj�|�r7dSdS)zM check if the given include file exists or is whitelisted in custom_includes r��custom_includesTz
abstractions/rqF)r�r]rsr@rArBrPr�)r�incmr8r8r9r�s� rcCs~|r|andtdvrt�tdd�pdandatj�t�s/|r)ttd�t��tdt��tj�	t�r=ttd�t��dS)zj set logfile to a) the specified filename or b) if not given, the first existing logfile from logprof.conf�logfilesr�z/var/log/syslogz5The logfile %s does not exist. Please check the path.z5Can't find system log "%s". Please check permissions.z3%s is a directory. Please specify a file as logfileN)
�logfiler�r�r�r@rAr~rrvr�)r�r8r8r9�set_logfile�s�rcCspt�td�t�tstj�tdtd��atj	�
ttt�}|�
|�}t|�t|�t|�}t|�t�dS)NzReading log entries from %s.z/severity.db�unknown)rRr�rvrr��apparmorr�r��CONFDIR�	logparser�ReadLogr6r��read_logr�r}�collapse_logr�rw)�logmark�
log_readerrxr�r8r8r9�do_logprof_pass�s

rcCs�t��D]}t�|d�std|�td�t�|�qtt���}|r�t��}d|_	t
d�|_gd�|_|r<gd�|_d|_
d	|_d
}d}|dkr�tsNdStt���}||_|��\}}||_||}|dkrtt|�t|�d	|_nY|dkr�d}t||�d
d�r�t||d
}nt|d�}ddi}	tt|||	�}
tj||
dd�n&|dkr�tt||i�}tt||i�}
t�||
�n|dkr�t�||�|dksJtt���D]}t|�t|�q�dSdS)NFz *** save_profiles(): removing %sz4*** This should not happen. Please open a bugreport!zChanged Local ProfileszGThe following local profiles were changed. Would you like to save them?)�CMD_SAVE_CHANGES�CMD_SAVE_SELECTED�CMD_VIEW_CHANGES�CMD_VIEW_CHANGES_CLEANr)r r"rr�r"rrKr r!r�T�METADATA)�commentsr#r�)r�r�r3r��printr�r�rRr�titlerv�explanationrrrrrr/r�r�r�
UI_Changesr7)�is_mergeprofr �changed_listr%r
r&rrj�
oldprofile�serialize_options�
newprofiler�r8r8r9rw�sd
�



�&
�1rwTc&Cs�t�}|��D�]�}||��D�]�}|||ddkrqd|||dvr+|r+qt|||d�\}}d}t�|�rGt|�|�rGd}	|||�|�s]t||d�||||<|||d��D]P}|||d|D]C}	t|||d||	���}
d|
vr�d	|
vr�|
�d�t||
dtj	|	dd
�}|r�t
t||d|�s�||||d�|�qsqg|||d��D]!}t|dd
�}
|r�t
t||d|
�s�||||d�|
�q�|||d��D]&}t
dt
j	|dd
�}|�rt
t||d|��s||||d�|�q�|||d}|D]�}||D]�}|||D]�}||||D]�}|||||D]�}||||||D]z}|||||||D]h}|dv�rxt|||tj	||tj	|dd
�	}n5|dk�r�t||tj	|tj	tj	tj	tj	dd
�	}n|dk�r�t||tj	tj	tj	tj	tj	tj	dd
�	}ntd��|�r�t
t||d|��s�||||d�|��qa�qQ�qC�q7�q-�q%�q|||d}|��D]/}||��D]%}t||dd
�}|�rt
t||d|��s||||d�|��q�q�|||d}|��D]/}||��D]%}t||dd
�}|�r=t
t||d|��sJ||||d�|��q&�q|||d}|��D]<}||��D]2}|||��D]&} t|| |dd
�}!|�r�t
t||d|!��s�||||d�|!��ql�qb�qZ|||d}"|"��D]>}|"|��D]4}#|"||#��D](}$t||#tj	|$dd
�}%|�r�t
t||d|%��s�||||d�|%��q��q��q�qq|S)NrlrKz//null-FTzcollapse_log()rA�ar7r�rF�
capability)r��change_profile�dbus)�send�receive�bind�	eavesdropzunexpected dbus access: %s�network�ptrace�signal�mqueue)rr�rr3r�r!r�r�r)r�r�r�r&r'r(rr+r,r.r0)&rx�ignore_null_profilesr�ry�full_profiler�r�
hat_existsrAr��mode�
file_event�cap�	cap_event�cp�cp_eventr2rl�busr��	interface�member�peer_profile�
dbus_event�nd�family�	sock_type�	net_eventr8�peer�ptrace_event�sigr9�signal_eventr:�mqueue_type�mqueue_name�mqueue_eventr8r8r9r)s� 
��
�� 
 
&
(�������������������drcCst�d|�rdSdS)Nz?^(.*/)?(disable|cache|cache\.d|force-complain|lxc|abi|\.git)/?$TF)r�r�)rAr8r8r9�is_skippable_dir�srTcCs�t�at�a|rt�td�t�zt�t�Wnt	td�t�Yt�t�D]}tj
�t|�}tj
�|�rCt
|�r>q*t|d�q*dS)Nz!Updating AppArmor profiles in %s.�"Can't read AppArmor profiles in %sT)rr3r7rRr�rvr�r@�listdirrXrArPrBr�read_profile)�ui_msgrF�	full_filer8r8r9�
read_profiles�s 
��rZcCs�ttd�rdSdt_tj�t�sdSzt�t�Wnt	t
d�t�Yt�t�D]}tj�t|�}tj�|�rDt
|�r?q+t|d�q+dS)N�already_readTrUF)�hasattrr*r[r@rAr~�extra_profile_dirrVr�rXrvrPrBrrW)rFrYr8r8r9r*�s"

��r*c

Cs�d}zt|��}|��}Wd�n1swYWn#ty?}zt�d||f�t�d|�WYd}~dSd}~wwt||d�}|r�|r�tt	|�tt
|�|D]0}|||d}|||d}|||d}	|s|�d�rt�
|	||�qVt�
|	||�qVdS|r�tt|�|D]2}|||d}|||d}|||d}	|s�|�d�r�t�
|	||�q�t�
|	||�q�dSdS)Nz0WARNING: Error reading file %s, skipping.
    %sz&read_profile: can't read %s - skippingrr�r)r�rq)r	�	readlines�IOErrorrRrSr;r<�parse_profile_datar+r3r7rsr6r,r�extra_profiles)
rF�active_profile�datarHr�r
r�r�r)r�r8r8r9rW�sF

����

�

�rWcCs�|��D];}|�|d�r7||��D]$}||�|d�r6ttd�t||�|||d|||df��qt||�||<qdS)NFz;Conflicting profiles for %s defined in two files:
- %s
- %sr�)r�r�rrvr�r)�profilesr
r'rr8r8r9r+�s&���r+cCs�t||�}|r6|dsttd�|||dd���||kr+ttd�|||dd���|d}d}d}d}n1|d}t|�d	��d
krLtd||d���t|�d	��d
kr_|�d	�\}}d}n|}d}d}d}|d
}	|d}
|d}|||	||
|||fS)Nr>zc%(profile)s profile in %(file)s contains syntax errors in line %(line)s: missing "profile" keyword.rL)r�rFrIz�%(profile)s profile in %(file)s contains syntax errors in line %(line)s: a child profile inside another child profile is not allowed.r�TFrkr\zeNested child profiles ('%(profile)s', found in %(file)s) are not supported by the AppArmor tools yet.)r�rFr)r�r@)rrrvr^r])rIrF�linenor�rr4�in_contained_hat�pps_set_profile�pps_set_hat_externalr)r�r@r8r8r9�parse_profile_start�s8


�

�ric$	Cspt�}d}d}d}g}d}d}	|r'|}|}t||d�|||<||||d<t|�D�],\}
}|��}|s7q+|	rAd|	|f}d}	t�|�r�t|||
||�\}}}}
}}}}||�|d�rmtd||
dt	||�d���t||d	�|||<|r�||||d
<|r�d|||d<|r�d|||d
<||||d<||||d<|
|||d<||||d<|r�||||d<d}q+t
�|�r�|s�ttd�||
dd���|r�|}d}n|�|�d}d}q+t
�|��r|s�ttd�||
dd���|||d�t
�|��q+t�|��r0|�s!ttd�||
dd���|||d�t�|��q+t�|��rS|�rI|�sIttd�||
dd���t�|t�|��q+t�|��rx|�sittd�||
dd���|||d�t�|��q+t�|��r�t�|���}|�r�|�s�ttd�||
dd���|d}|d}||||d|<q+t�|��r�|�r�|�s�ttd�||
dd���t�|t�|��q+t�|��r�q+t�|��r�q+t�|��r�q+t�|��r|�r�|||d�t�|��q+t�|t�|��q+t�|��rCt�|�}|�r|||d �|�nt� ||�|�!t"�D]}||k�r<t#�$td!|���q*t%|��q*q+t&�|��rh|�sYttd"�||
dd���|||d#�t&�|��q+t'�|��r�|�s~ttd$�||
dd���|||d%�t'�|��q+t(�|��r�t(�|���}|�s�ttd&�||
dd���d}|d�r�d}d'}|d�r�|d��d(k�r�d(}|d)}t)|�}||_*|d(k|_+||||�d*t,��}|�|�|||||d*<q+t-�|��r|�sttd+�||
dd���|||d,�t-�|��q+t.�|��r<|�s-ttd-�||
dd���|||d.�t.�|��q+t/�|��ra|�sRttd/�||
dd���|||d0�t/�|��q+t0�|��r�t0�|���}|�s~ttd1�||
dd���d}|d�r�d}d'}|d�r�|d��d(k�r�d(}|d)��}t1|�}||_*|d(k|_+||||�d2t,��}|�|�|||||d2<q+t2�|��r/t2�|���}|�s�ttd3�||
dd���d}|d�r�d}d'}|d�r|d��d(k�rd(}|d)��}t3|�}||_*|d(k|_+||||�d4t,��} | �|�| ||||d4<q+t4�|��r^t4�|���}|�sLttd5�||
dd���t#�$td6�|d||
dd7��q+t5�|��r�t5�|�}|�syttd8�||
dd���d}|�6d9�}t7|�}||�|d��r�|�s�td||
dt	||�d���||�|d��s�t||d:�|||<||||d<|�6d�}||||d<|�r�||||d<d}q+|dd;k�r|�s�|�8d<��r�q+||d=}|�8d>��r
|�9�}!t:|!�d)k�r|!d)|||d?<||d=}q+t;�|��r3|�s$ttd@�||
dd���|||dA�t;�|��q+t<�|��sKt=�|��rHt=�|��6dB�}	q+|}	q+ttdC�||
d|dD���|	�rjttdC�||
d|	dD���|�s�t>dE�?�D]1}"t@|�D])}#tA�|"|#��r�t>dE|"�9�D]}||#�|d��s�t|#|dF�||#|<�q��qy�qs|�r�|�s�ttdG�||dH���|S)INrKzparse_profile_data() do_includer�z%s %sFzJProfile %(profile)s defined twice in %(file)s, last found in line %(line)srL)rFrIr�z"parse_profile_data() profile_startr)Tr��externalr�r@r��initial_commentzPSyntax Error: Unexpected End of Profile reached in file: %(file)s line: %(line)s)rFrIzPSyntax Error: Unexpected capability entry found in file: %(file)s line: %(line)sr0zTSyntax Error: Unexpected change profile entry found in file: %(file)s line: %(line)sr1z_Syntax Error: Unexpected alias definition found inside profile in file: %(file)s line: %(line)szLSyntax Error: Unexpected rlimit entry found in file: %(file)s line: %(line)s�rlimitzaSyntax Error: Unexpected boolean definition found inside profile in file: %(file)s line: %(line)sr�lvarzbSyntax Error: Unexpected variable definition found inside profile in file: %(file)s line: %(line)s�abir�z8WARNING: endless loop detected: file %s includes itsselfzMSyntax Error: Unexpected network entry found in file: %(file)s line: %(line)sr7zJSyntax Error: Unexpected dbus entry found in file: %(file)s line: %(line)sr2zKSyntax Error: Unexpected mount entry found in file: %(file)s line: %(line)s�allowr�r\�mountzLSyntax Error: Unexpected signal entry found in file: %(file)s line: %(line)sr9zLSyntax Error: Unexpected ptrace entry found in file: %(file)s line: %(line)sr8zLSyntax Error: Unexpected mqueue entry found in file: %(file)s line: %(line)sr:zPSyntax Error: Unexpected pivot_root entry found in file: %(file)s line: %(line)s�
pivot_rootzJSyntax Error: Unexpected unix entry found in file: %(file)s line: %(line)s�unixzVSyntax Error: Unexpected change hat declaration found in file: %(file)s line: %(line)szfIgnoring no longer supported change hat declaration "^%(hat)s," found in file: %(file)s line: %(line)s)rrFrIzNSyntax Error: Unexpected hat definition found in file: %(file)s line: %(line)srzparse_profile_data() hat_def�#z# Last Modified:r�z# LOGPROF-SUGGEST:rzJSyntax Error: Unexpected path entry found in file: %(file)s line: %(line)srF�not_commentzOSyntax Error: Unknown line found in file %(file)s line %(lineno)s:
    %(line)s)rFrerIr�z"parse_profile_data() required_hatsz_Syntax Error: Missing '}' or ','. Reached end of file %(file)s while inside profile %(profile)srD)Brr!�	enumerater�rr�rir�rr�rrvr�r&r�r�r�r'r%r6�	add_aliasr-rr�r/�add_variablerrrr$r-r*r.�get_full_pathsr�rRrS�load_includer+r(r�parse_mount_ruler�r�r�r.r,r0r�parse_pivot_root_ruler�parse_unix_rulerrrIrrsr]r^r)rrr�r�r�r�)$rcrF�
do_includer
r�rrf�parsed_profilesrk�lastlinererIr)r@r�rgrhr4�bool_var�valuer�rr�rorp�
mount_rule�mount_rulesrq�pivot_root_rule�pivot_root_rulesrr�	unix_rule�
unix_rules�partsr�parsed_profr8r8r9r`s�
 �


�
�
�

�









�

�
���r`cC�
t�|�Sr�)�aarules�Raw_Mount_Rule�rIr8r8r9rzh�
rzcCr�r�)r��Raw_Pivot_Root_Ruler�r8r8r9r{lr�r{cCr�r�)r��
Raw_Unix_Ruler�r8r8r9r|pr�r|cCs�dt|d�}g}|}t|�}d}|drdt|d�}d}	|dr*d|d}	|s2t�d|�sB|r:t�d|�sB|dsB|d	rHd
||f}d}
|drTd|d}
d}|rb|d
rbd|d
}|�d|||
||	f�|S)N� r\rKr)rCrAz^[^/]z^[^^]r>zprofile %s%sr@z xattrs=(%s)r�z flags=(%s)z%s%s%s%s {%s)�intr1r�r�r�)�	prof_data�depthr��embedded_hat�write_flags�prerc�
unquoted_namer)r?r@r�r8r8r9rHts(0rHcs�d|}g}d}d}�|kr�}n
�d|}|�d}|t|�||d|�7}||��|d�7}d|d}	|s�tt�fdd�t|�����D]D}
||
ds�|�d	�||
d
rk|t||
|d|
d|�7}n|t||
|dd|
d|�7}|||
�|d�7}|�d
|	�qI|�d
|�tt�fdd�t|�����D]+}
�|kr�||
�dd�r�|�d	�|ttdd�t	||d�||���7}|�d�q�|S)Nz  FrkTrLcr�r�r8�r��r�r8r9r��r�zwrite_piece.<locals>.<lambda>rjrKr��^r\z%s}cr�r�r8r�r�r8r9r��r�cSr�)Nz  %sr8r�r8r8r9r��r�z  })
rH�get_rules_cleanr�r�r�r�r�r�r��write_piece)r
r�r��nhatr�r�rc�wname�inhat�pre2rr8r�r9r��s<"
 �"
&
�r�c
CsLd}g}t|�turtd|��|�dd�}|�dd�}|r$dt��}|�d�r/t|d�}nt|d�}|t�	|d	�7}t
t�|��D]W}||krut||�d
d�rht||d
}	|	�
dd�||	dg7}|tt|d	|||�7}qC||�d
d�r�||d
}	|	�
dd�||	dg7}|t|d	|||�7}qC|d�|�7}|dS)
NrKz.serialize_profile(): options is not a dict: %sr$F�FLAGSTz# Last Modified: %s
�
is_attachmentrrkz\nr�)r�r4rr��time�asctimer�r�r6r�r��profiles_in_filer7r�r�rP)
r
r�r�stringrc�include_metadata�
include_flagsr�rr?r8r8r9r�s4

rcCs t�td�|�t||�dS)NzWriting updated profile for %s.)rRr�rv�
write_profile)r�r�r8r8r9r/�sr/cCs�d}t||�dd�rt||d}n
|rt|d�}nt|d�}tjdddtd�}tj�	|�r9t
�||j�n	d|d�}t
t|||�}|�|�|��t�|j|�|tvrat�|�nt�d|�tt|�t|<dS)	Nr�FTr7r8)r:r;r<)r$r�z<Unchanged profile written: %s (not listed in 'changed' list))r3r�r�r�rErFr�r@rAr~rirGr�rrJ�closerKr�r�r;�inforr7)r�r�r��newprofr-�profile_stringr8r8r9r��s&


r�cCsv|d�t�}g}|r9|�d�}||vrq	|�|�t||djD]}|�t�D]}||vr5||g7}q*q#|s|S)z@ get a list of all includes in a profile and its included files r�r)�get_all_full_pathsr�r�r�r5r�rx)r��includelist�	full_listr�childinc�
childinc_filer8r8r9r�
	s


���r�cCsT|�|d�r||�|d�rdSt|�}|D]}t|||�|d�r'dSqdS)NFT)r�r�r�r5)r�r�r�r�rr8r8r9r�	s�r�cCs�|d�|||�}t|�}|D]R}t||d�|||�}dD]2}dD]-}	|||	D]}
|||	�|
�q,d|||	vrQd|||	vrQ|||	�d�q$q |dD]	}|d�|�qWq|S)z.get the current permissions for the given pathrF)ror�)�allr�r/r7�paths)�get_perms_for_pathr�r5r�r�)r�rAr�r��permsr�r�incperms�
allow_or_deny�owner_or_all�perm�incpathr8r8r9�get_file_perms,	s  ���r�c
Csg}|jj}t|�}t||jdd�}|ddD]}|j�|�d|_qd|jvr4d|jvr4|j�d�|h|dBtt	|��B}t
D]}t
|�|�rQ|�|�qCt||�}|D]}	|�
|	�d|_|�|���qYd|_||_|j|jkr~|j|_d|_|S)a	Propose merged file rules based on the existing profile and the log events
       - permissions get merged
       - matching paths from existing rules, common_glob() and user_globs get proposed
       - IMPORTANT: modifies rule_obj.original_perms and rule_obj.permsFror�Nr/r7r�)rArrr�r�r�r�r�r�r�r�r�r�r�r�r��
exec_perms�original_perms)
�profile_objr�rry�merged_rule_obj�existing_permsr��pathlist�	user_globrAr8r8r9r�C	s2
�

r�cCs0t�sdSt|d�}tjd|ttfdd�dS)NTz%cat '%s' | %s -I%s -r >/dev/null 2>&1)�shell)rdr�r��call�parserr�)rr�r8r8r9r�l	s
r�cCst|�}|sdSt|�Sr�)r�r�)rr8r8r9�reloadu	sr�cCsng}|�d�stj�t|�}tj�|�r/t|��
}|��}Wd�|S1s(wY|Stt	d�|��)NrqzFile Not Found: %s)
rsr@rArPr�r~r	r^rrv)r�rcrHr8r8r9�get_include_data|	s



���r�cCsd|�d�std|��g}t�|�D]}|��}t|�rqtj�||�}tj�|�r/|�	|�q|S)z`returns a list of files in the given include_name directory,
       except skippable files.
    rq�incfile %s not starting with /)
rsrr@rVr�rrArPrBr�)�include_namerrA�	file_namer8r8r9�include_dir_filelist�	s

�r�cCs�|g}|rK|�d�}|�d�std|��t�|i��|d�r n)tj�|�r6t|�}t	||d�}t
t|�ntj�|�rC|t|�7}nt
d|��|sdS)Nrrqr�FTzInclude file %s not found)r�rsrr5r�r@rArBr�r`r+r�r�r)r�load_includeslist�incfilerc�incdatar8r8r9ry�	s 

�rycCs4td�|d�rtd|dkrttd�|�dS)NrFr'aq%s is currently marked as a program that should not have its own
profile.  Usually, programs are marked this way if creating a profile for 
them is likely to break the rest of the system.  If you know what you're
doing and are certain you want to create a profile for this program, edit
the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf.)r�r�rXrv)r�r8r8r9�check_qualifiers�	sr�cCs.tjdkrt�|���dSt�|���dS)zAReturns a list of all directories directly inside given directory)rerrL)rTrhr@�walk�next�__next__)�current_dirr8r8r9�get_subdirectories�	s
r�cCsttt�}|D]1}t|�r
qt�tj�t|��D]\}}}t|�r!q|D]}t|�r*q#tj�||�}t|�q#qqdSr�)	r�r�rTr@r�rArPrry)�incdirs�idir�dirpathr�r�fir8r8r9�loadincludes�	s
���r�cCs�g}t�d|�st�d|�r'|}t�dd|�}t�dd|�}||kr'|�|�tdD]}t�||�rI|}t�|td||�}||krI|�|�q+tt|��S)Nz[\d\.]+\.so$z\.so\.[\d\.]+$z*.soz.so.*r�)r�r�r�r�r�r�r�)rAr��libpathr��globbedpathr8r8r9r��	s

�r�cCs||kr|Sd||fS)Nz%s^%sr8)�name1�name2r8r8r9r��	sr�cCs@t�tdd�p
d}tj�|�rt�|tj�std|��|S)Nr��loggerz/bin/loggerz[Can't find logger!
Please make sure %s exists, or update the 'logger' path in logprof.conf.)	r�r�r�r@rArBrlr�r)r�r8r8r9�logger_path�	sr��
/etc/apparmorcCs�trdS|atj�dt�at�d�at��s t�d�t�d�td�	dd�r.dtdd<|r3|a
nt�td�	d��p>d	a
tj
�t
�a
tj
�t
�sQtd
t
��t�td�	d��p\dat�td�	d
��phdatj
�t�rvt�ttj�s|tdt��dS)N�inizlogprof.confr�r��default_owner_promptFrK�
profiledirz/etc/apparmor.dz"Can't find AppArmor profiles in %s�inactive_profiledirz#/usr/share/apparmor/extra-profiles/r�z/sbin/apparmor_parserz Can't find apparmor_parser at %s)rr�config�Configr��read_configr��sections�add_sectionr�r��find_first_dirr@rA�abspathr�rr]r�r�rBrlr�)�confdirr�r8r8r9�init_aa�	s*


�r�)rYrZ)F)rK)T)r�N)��
__future__rrr@r�rir�rTr�rM�atexitrE�apparmor.configr�apparmor.logparser�apparmor.severity�copyr�
apparmor.aarer�apparmor.commonrrrr	r
rrr
rr�apparmor.ui�uirR�apparmor.regexrrrrrrrrrrrrrrrr�apparmor.profile_listr �apparmor.profile_storager!r"r#�apparmor.rulesr�r��apparmor.rule.abir$�apparmor.rule.aliasr%�apparmor.rule.capabilityr&�apparmor.rule.change_profiler'�apparmor.rule.dbusr(�apparmor.rule.filer)�apparmor.rule.includer*�apparmor.rule.networkr+�apparmor.rule.ptracer,�apparmor.rule.rlimitr-�apparmor.rule.signalr.�apparmor.rule.variabler/�apparmor.rule.mqueuer0�
apparmor.ruler1�apparmor.translationsr2rvr;r�rrr�r�r�r�r]r4r5r6rar�rvr3r7rr�r�r�r:r>�registerrJrXrdrjr}r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rrrr(r3r6r�rVrjr}r�r�r�r�r�r�r�r�r�r�r�r�r�rrrrwrrTrZr*rWr+rir`rzr{r|rHr�rr/r�r�r�r�r�r�r�r�r�ryr�r�r�r�r�r�r�r8r8r8r9�<module>s 0H	





	

&+

1&B)DnJ$ !


?j
'
%K)
,
 )	
@ Telegram