apparmor/utils/aa-logprof

#! /usr/bin/python3
# ----------------------------------------------------------------------
#    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License as published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
# ----------------------------------------------------------------------
import argparse

import apparmor.aa as apparmor
import apparmor.ui as aaui
from apparmor.common import AppArmorException
from apparmor.fail import enable_aa_exception_handler
from apparmor.translations import init_translation

enable_aa_exception_handler()  # setup exception handling
_ = init_translation()  # setup module translations

parser = argparse.ArgumentParser(description=_('Process log entries to generate profiles'))
parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
parser.add_argument('-f', '--file', type=str, help=_('path to logfile'))
parser.add_argument('-m', '--mark', type=str, help=_('mark in the log to start processing after'))
parser.add_argument('-j', '--json', action='store_true', help=_('Input and Output in JSON'))
parser.add_argument('--configdir', type=str, help=argparse.SUPPRESS)
args = parser.parse_args()

logmark = args.mark or ''

apparmor.init_aa(confdir=args.configdir, profiledir=args.dir)

if args.json:
    aaui.set_json_mode(apparmor.cfg)

apparmor.set_logfile(args.file)

aa_mountpoint = apparmor.check_for_apparmor()
if not aa_mountpoint:
    raise AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))

apparmor.loadincludes()

apparmor.read_profiles(True)
apparmor.do_logprof_pass(logmark)
Switch utils to python3 As discussed a while ago, switch the utils (including their tests) to use python3 by default. While on it, drop usage of "env" to always get the system python3 instead of a random one that happens to live somewhere in $PATH. In practise, this patch doesn't change much - AFAIK openSUSE, Debian and Ubuntu already patch aa-* to use python3. Also add a note to README to officially deprecate Python 2.x. (I won't break Python 2.x support intentionally - unless some future change gives me a very good reason to finally drop Python 2.x support.) Acked-by: Seth Arnold <seth.arnold@canonical.com> (since 2016-08-23, but the commit had to wait for the FileRule series because it touches test-file.py) 2016-10-01 20:57:09 +02:00			`#! /usr/bin/python3`
Added license headers 2013-09-28 20:43:06 +05:30			`# ----------------------------------------------------------------------`
			`# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License as published by the Free Software Foundation.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# ----------------------------------------------------------------------`
Some code for logprof 2013-08-06 01:53:28 +05:30			`import argparse`
Merged aa-audit, aa-autodep, aa-complain, aa-disable, aa-enforce to share the common code into a tools.py module. Added -r/--remove feature to aa-complain, aa-enforce, aa-audit and -r/--revert feature to aa-disable. Some other fixes from review 48..51 2013-08-26 00:23:59 +05:30
			`import apparmor.aa as apparmor`
json support for logprof and genprof From: Goldwyn Rodrigues <rgoldwyn@suse.com> Provides json support to tools in order to interact with other utilities such as Yast. The JSON output is one per line, in order to differentiate between multiple records. Each JSON record has a "dialog" entry which defines the type of message passed. A response must contain the "dialog" entry. "info" message does not require a response. "apparmor-json-version" added in order to identify the communication protocol version for future updates. This is based on work done by Christian Boltz. Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com> Acked-by: Christian Boltz <apparmor@cboltz.de> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2017-06-15 18:22:43 +02:00			`import apparmor.ui as aaui`
import AppArmorException from apparmor.common ... instead of indirectly using the one imported into apparmor.aa 2021-08-24 22:31:11 +02:00			`from apparmor.common import AppArmorException`
Improve exception handling Instead of always showing a backtrace, - for AppArmorException (used for profile syntax errors etc.), print only the exceptions value because a backtrace is superfluous and would confuse users. - for other (unexpected) exceptions, print backtrace and save detailed information in a file in /tmp/ (including variable content etc.) to make debugging easier. This is done by adding the apparmor.fail module which contains a custom exception handler (using cgitb, except for AppArmorException). Also change all python aa-* tools to use the new exception handler. Note: aa-audit did show backtraces only if the --trace option was given. This is superfluous with the improved exception handling, therefore this patch removes the --trace option. (The other aa-* tools never had this option.) If you want to test the behaviour of the new exception handler, you can use this script: #!/usr/bin/python from apparmor.common import AppArmorException, AppArmorBug from apparmor.fail import enable_aa_exception_handler enable_aa_exception_handler() # choose one ;-) raise AppArmorException('Harmless example failure') #raise AppArmorBug('b\xe4d bug!') #raise Exception('something is broken!') Acked-by: Seth Arnold <seth.arnold@canonical.com> 2015-07-06 22:02:34 +02:00			`from apparmor.fail import enable_aa_exception_handler`
Simplify the work tools and modules need to do to get the shared translations. External utilities can still use their own textdomains if they have strings that are not part of the apparmor-utils catalog. 2014-02-11 16:23:21 -08:00			`from apparmor.translations import init_translation`
Order imports and module-level dunder name assignments. 2022-08-07 20:32:07 -04:00
			`enable_aa_exception_handler() # setup exception handling`
			`_ = init_translation() # setup module translations`
Convert to using python's modular translations interface. This allows the utility python modules to be used inside another tool with another textdomain binding and still have the translations for that tool and the stuff internal to the apparmor module convert properly. 2014-02-10 22:15:05 -08:00
Added help messages to translate strings and a few other minor fixes 2013-09-22 15:25:20 +05:30			`parser = argparse.ArgumentParser(description=_('Process log entries to generate profiles'))`
			`parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))`
			`parser.add_argument('-f', '--file', type=str, help=_('path to logfile'))`
			`parser.add_argument('-m', '--mark', type=str, help=_('mark in the log to start processing after'))`
json support for logprof and genprof From: Goldwyn Rodrigues <rgoldwyn@suse.com> Provides json support to tools in order to interact with other utilities such as Yast. The JSON output is one per line, in order to differentiate between multiple records. Each JSON record has a "dialog" entry which defines the type of message passed. A response must contain the "dialog" entry. "info" message does not require a response. "apparmor-json-version" added in order to identify the communication protocol version for future updates. This is based on work done by Christian Boltz. Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com> Acked-by: Christian Boltz <apparmor@cboltz.de> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2017-06-15 18:22:43 +02:00			`parser.add_argument('-j', '--json', action='store_true', help=_('Input and Output in JSON'))`
Add --configdir to all aa-* utils Since this option is mostly meant for testing, it will not show up in --help. aa-notify was the only tool that honored the __AA_CONFDIR env variable. It still does if --configdir is not given. Note: Since we now pass confdir= to init_aa() (in most cases None), setting the default needs to be moved inside the function. 2020-10-25 15:48:41 +01:00			`parser.add_argument('--configdir', type=str, help=argparse.SUPPRESS)`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`args = parser.parse_args()`

rev 63-64, fixes man pages, messages 2013-09-20 19:20:41 +05:30			`logmark = args.mark or ''`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30
Add --configdir to all aa-* utils Since this option is mostly meant for testing, it will not show up in --help. aa-notify was the only tool that honored the __AA_CONFDIR env variable. It still does if --configdir is not given. Note: Since we now pass confdir= to init_aa() (in most cases None), setting the default needs to be moved inside the function. 2020-10-25 15:48:41 +01:00			`apparmor.init_aa(confdir=args.configdir, profiledir=args.dir)`
utils: fix make -C profiles check-logprof fails On arch make -C profiles check-logprof fails with * Checking profiles from ./apparmor.d against logprof ERROR: Can't find AppArmor profiles in /etc/apparmor.d make: * [Makefile:113: check-logprof] Error 1 make: Leaving directory '/build/apparmor/src/apparmor-2.13.3/profiles' because /etc/apparmor.d/ is not available in the build environment and aa-logprofs --dir argument, is not being passed to init_aa() but used to update profiles_dir after the fact. Fix this by passing profiledir as an argument to init_aa() Fixes: https://gitlab.com/apparmor/apparmor/-/issues/36 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/663 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> 2020-10-21 03:16:46 -07:00
Add option to log aa-logprof json input and output Add a json_log option (default: disabled) to logprof.conf that enables logging of all aa-logprof and aa-genprof input and output to a /tmp/aa-jsonlog-* file. This can be useful for debugging, and maybe also to create tests that do a full aa-logprof run. This patch introduces a minor behaviour change if aa-logprof errors out on startup (for example if the config file is broken or the parser can't be found): Before: ``` $ aa-logprof --json {"dialog": "apparmor-json-version","data": "2.12"} ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` After: ``` $ aa-logprof --json ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` Note that the json version line will not be printed if aa-logprof or aa-genprof error out that early. If there are no startup errors, the behaviour will not change. 2023-07-30 21:14:36 +02:00			`if args.json:`
			`aaui.set_json_mode(apparmor.cfg)`

require logfile only for aa-logprof and aa-genprof Make sure most tools (for example aa-complain) don't error out if no logfile can be found. (For obvious reasons, aa-logprof and aa-genprof will still require a logfile ;-) This is done by moving code from the global area in aa.py to the new function set_logfile(), which is called by aa-logprof and aa-genprof. While on it, - rename apparmor.filename to apparmor.logfile - move the error handling for user-specified logfile from aa-genprof and aa-logprof to aa.py set_logfile() Note: I'd have prefered to hand over the logfile as parameter to do_logprof_pass(), but that would break last_audit_entry_time() in aa-genprof which requires the log filename before do_logprof_pass() is called. References: https://bugs.launchpad.net/apparmor/+bug/1423702 Acked-by: Seth Arnold <seth.arnold@canonical.com> 2015-02-20 21:36:55 +01:00			`apparmor.set_logfile(args.file)`
Added read from custom logfile feature and some other older changes I sadly dont remember 2013-12-20 03:12:58 +05:30
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`aa_mountpoint = apparmor.check_for_apparmor()`
			`if not aa_mountpoint:`
import AppArmorException from apparmor.common ... instead of indirectly using the one imported into apparmor.aa 2021-08-24 22:31:11 +02:00			`raise AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))`
Some code for logprof 2013-08-06 01:53:28 +05:30
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`apparmor.loadincludes()`
certain fixes 2013-08-07 14:43:17 +05:30
Read all profiles on aa-genprof startup instead of later ... which can mean "too late" in some special cases (if a profile already exists in /etc/apparmor.d/$non_default_filename). However, the main reason is that without this change - the new profile will be added to (otherwise empty) active_profiles - the first do_logprof_pass() will read all profiles, including the new one, and add them to active_profiles - which unsurprisingly results in an error like `ERROR: Profile /usr/sbin/vsftpd exists in /etc/apparmor.d/usr.sbin.vsftpd and /etc/apparmor.d/usr.sbin.vsftpd` To fix this, - change do_logprof_pass to never call read_profiles() (and get rid of the 'passno' parameter) - adjust its callers (aa-logprof and aa-genprof) to call read_profiles() themself - move printing the 'Updating AppArmor profiles in $directory.' message to read_profiles(), but only display it if requested (to keep the current UI behaviour) 2020-05-05 23:56:55 +02:00			`apparmor.read_profiles(True)`
First set of tools in their alpha release, logprof and genprof are pre-bleeding edge so dont hurt yourself or worse your distro. 2013-08-21 11:26:09 +05:30			`apparmor.do_logprof_pass(logmark)`