mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/utils/aa-easyprof

117 lines
4.4 KiB
Text
Raw Permalink Normal View History

Switch utils to python3 As discussed a while ago, switch the utils (including their tests) to use python3 by default. While on it, drop usage of "env" to always get the system python3 instead of a random one that happens to live somewhere in $PATH. In practise, this patch doesn't change much - AFAIK openSUSE, Debian and Ubuntu already patch aa-* to use python3. Also add a note to README to officially deprecate Python 2.x. (I won't break Python 2.x support intentionally - unless some future change gives me a very good reason to finally drop Python 2.x support.) Acked-by: Seth Arnold <seth.arnold@canonical.com> (since 2016-08-23, but the commit had to wait for the FileRule series because it touches test-file.py)
2016-10-01 20:57:09 +02:00
#! /usr/bin/python3
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com>
2012-05-07 22:37:48 -07:00
# ------------------------------------------------------------------
#
update copyright year for modified files
2015-03-26 17:14:52 -05:00
# Copyright (C) 2011-2015 Canonical Ltd.
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com>
2012-05-07 22:37:48 -07:00
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
import apparmor.easyprof
utils: Use apparmor.fail for AppArmorException handling in aa-easyprof Don't catch AppArmorExceptions in aa-easyprof any longer and rely on apparmor.fail to print the exception to stderr. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2015-12-16 16:12:43 -06:00
from apparmor.easyprof import error
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com>
2012-05-07 22:37:48 -07:00
import os
import sys
Improve exception handling Instead of always showing a backtrace, - for AppArmorException (used for profile syntax errors etc.), print only the exceptions value because a backtrace is superfluous and would confuse users. - for other (unexpected) exceptions, print backtrace and save detailed information in a file in /tmp/ (including variable content etc.) to make debugging easier. This is done by adding the apparmor.fail module which contains a custom exception handler (using cgitb, except for AppArmorException). Also change all python aa-* tools to use the new exception handler. Note: aa-audit did show backtraces only if the --trace option was given. This is superfluous with the improved exception handling, therefore this patch removes the --trace option. (The other aa-* tools never had this option.) If you want to test the behaviour of the new exception handler, you can use this script: #!/usr/bin/python from apparmor.common import AppArmorException, AppArmorBug from apparmor.fail import enable_aa_exception_handler enable_aa_exception_handler() # choose one ;-) raise AppArmorException('Harmless example failure') #raise AppArmorBug('b\xe4d bug!') #raise Exception('something is broken!') Acked-by: Seth Arnold <seth.arnold@canonical.com>
2015-07-06 22:02:34 +02:00
# setup exception handling
from apparmor.fail import enable_aa_exception_handler
enable_aa_exception_handler()
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com>
2012-05-07 22:37:48 -07:00
if __name__ == "__main__":
def usage():
'''Return usage information'''
return 'USAGE: %s [options] <path to binary>' % \
os.path.basename(sys.argv[0])
make parser optional
2012-05-09 22:56:53 -07:00
(opt, args) = apparmor.easyprof.parse_args()
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com>
2012-05-07 22:37:48 -07:00
binary = None
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-02-13 17:53:40 -08:00
manifest = None
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com>
2012-05-07 22:37:48 -07:00
m = usage()
if opt.show_policy_group and not opt.policy_groups:
error("Must specify -p with --show-policy-group")
elif not opt.template and not opt.policy_groups and len(args) < 1:
error("Must specify full path to binary\n%s" % m)
binary = None
if len(args) >= 1:
binary = args[0]
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-02-13 17:53:40 -08:00
# parse_manifest() returns a list of tuples (binary, options). Create a
# list of these profile tuples to support multiple profiles in one manifest
profiles = []
if opt.manifest:
try:
# should hide this in a common function
if sys.version_info[0] >= 3:
f = open(opt.manifest, "r", encoding="utf-8")
else:
f = open(opt.manifest, "r")
manifest = f.read()
except EnvironmentError as e:
error("Could not read '%s': %s (%d)\n" % (opt.manifest,
os.strerror(e.errno),
e.errno))
profiles = apparmor.easyprof.parse_manifest(manifest, opt)
else: # fake up a tuple list when processing command line args
profiles.append( (binary, opt) )
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com>
2012-05-07 22:37:48 -07:00
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-02-13 17:53:40 -08:00
count = 0
for (binary, options) in profiles:
if len(profiles) > 1:
count += 1
utils: Use apparmor.fail for AppArmorException handling in aa-easyprof Don't catch AppArmorExceptions in aa-easyprof any longer and rely on apparmor.fail to print the exception to stderr. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2015-12-16 16:12:43 -06:00
easyp = apparmor.easyprof.AppArmorEasyProfile(binary, options)
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-02-13 17:53:40 -08:00
if options.list_templates:
apparmor.easyprof.print_basefilenames(easyp.get_templates())
sys.exit(0)
elif options.template and options.show_template:
add --include-templates-dir and --include-policy-groups-dir options to easyprof to support framework policy on snappy
2015-03-26 16:59:05 -05:00
sys_t = os.path.join(easyp.dirs['templates'], options.template)
inc_t = None
if options.include_templates_dir:
inc_t = os.path.join(easyp.dirs['templates_include'],
options.template)
if os.path.exists(sys_t):
apparmor.easyprof.print_files([sys_t])
elif os.path.exists(inc_t):
apparmor.easyprof.print_files([inc_t])
else:
error("Could not find '%s'" % options.template)
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-02-13 17:53:40 -08:00
sys.exit(0)
elif options.list_policy_groups:
apparmor.easyprof.print_basefilenames(easyp.get_policy_groups())
sys.exit(0)
elif options.policy_groups and options.show_policy_group:
add --include-templates-dir and --include-policy-groups-dir options to easyprof to support framework policy on snappy
2015-03-26 16:59:05 -05:00
files = []
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-02-13 17:53:40 -08:00
for g in options.policy_groups.split(','):
add --include-templates-dir and --include-policy-groups-dir options to easyprof to support framework policy on snappy
2015-03-26 16:59:05 -05:00
sys_g = os.path.join(easyp.dirs['policygroups'], g)
inc_g = None
if options.include_policy_groups_dir:
inc_g = os.path.join(easyp.dirs['policygroups_include'], g)
if os.path.exists(sys_g):
files.append(sys_g)
elif os.path.exists(inc_g):
files.append(inc_g)
else:
incorporate feedback from Seth Arnold: - fix typo in comment - error() instead of warn() if can't find specified group
2015-03-28 07:16:22 -05:00
error("Could not find '%s'" % g)
add --include-templates-dir and --include-policy-groups-dir options to easyprof to support framework policy on snappy
2015-03-26 16:59:05 -05:00
apparmor.easyprof.print_files(files)
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-02-13 17:53:40 -08:00
sys.exit(0)
elif binary == None and not options.profile_name and \
not options.manifest:
error("Must specify binary and/or profile name\n%s" % m)
params = apparmor.easyprof.gen_policy_params(binary, options)
if options.manifest and options.verify_manifest and \
not apparmor.easyprof.verify_manifest(params):
error("Manifest file requires review")
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com>
2012-05-07 22:37:48 -07:00
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-02-13 17:53:40 -08:00
if options.output_format == "json":
sys.stdout.write('%s\n' % easyp.gen_manifest(params))
else:
params['no_verify'] = options.no_verify
utils: Use apparmor.fail for AppArmorException handling in aa-easyprof Don't catch AppArmorExceptions in aa-easyprof any longer and rely on apparmor.fail to print the exception to stderr. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2015-12-16 16:12:43 -06:00
easyp.output_policy(params, count, opt.output_directory)
Reference in a new issue Copy permalink