apparmor/utils/aa-easyprof

#! /usr/bin/env python
# ------------------------------------------------------------------
#
#    Copyright (C) 2011-2015 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

import apparmor.easyprof
from apparmor.easyprof import AppArmorException, error
import os
import sys

if __name__ == "__main__":
    def usage():
        '''Return usage information'''
        return 'USAGE: %s [options] <path to binary>' % \
               os.path.basename(sys.argv[0])

    (opt, args) = apparmor.easyprof.parse_args()
    binary = None
    manifest = None

    m = usage()
    if opt.show_policy_group and not opt.policy_groups:
        error("Must specify -p with --show-policy-group")
    elif not opt.template and not opt.policy_groups and len(args) < 1:
        error("Must specify full path to binary\n%s" % m)

    binary = None
    if len(args) >= 1:
        binary = args[0]

    # parse_manifest() returns a list of tuples (binary, options). Create a
    # list of these profile tuples to support multiple profiles in one manifest
    profiles = []
    if opt.manifest:
        try:
            # should hide this in a common function
            if sys.version_info[0] >= 3:
                f = open(opt.manifest, "r", encoding="utf-8")
            else:
                f = open(opt.manifest, "r")
            manifest = f.read()
        except EnvironmentError as e:
            error("Could not read '%s': %s (%d)\n" % (opt.manifest,
                                                      os.strerror(e.errno),
                                                      e.errno))
        profiles = apparmor.easyprof.parse_manifest(manifest, opt)
    else: # fake up a tuple list when processing command line args
        profiles.append( (binary, opt) )

    count = 0
    for (binary, options) in profiles:
        if len(profiles) > 1:
            count += 1
        try:
            easyp = apparmor.easyprof.AppArmorEasyProfile(binary, options)
        except AppArmorException as e:
            error(e.value)
        except Exception:
            raise

        if options.list_templates:
            apparmor.easyprof.print_basefilenames(easyp.get_templates())
            sys.exit(0)
        elif options.template and options.show_template:
            sys_t = os.path.join(easyp.dirs['templates'], options.template)
            inc_t = None
            if options.include_templates_dir:
                inc_t = os.path.join(easyp.dirs['templates_include'],
                                     options.template)

            if os.path.exists(sys_t):
                apparmor.easyprof.print_files([sys_t])
            elif os.path.exists(inc_t):
                apparmor.easyprof.print_files([inc_t])
            else:
                error("Could not find '%s'" % options.template)
            sys.exit(0)
        elif options.list_policy_groups:
            apparmor.easyprof.print_basefilenames(easyp.get_policy_groups())
            sys.exit(0)
        elif options.policy_groups and options.show_policy_group:
            files = []
            for g in options.policy_groups.split(','):
                sys_g = os.path.join(easyp.dirs['policygroups'], g)
                inc_g = None
                if options.include_policy_groups_dir:
                    inc_g = os.path.join(easyp.dirs['policygroups_include'], g)

                if os.path.exists(sys_g):
                    files.append(sys_g)
                elif os.path.exists(inc_g):
                    files.append(inc_g)
                else:
                    error("Could not find '%s'" % g)

            apparmor.easyprof.print_files(files)
            sys.exit(0)
        elif binary == None and not options.profile_name and \
             not options.manifest:
            error("Must specify binary and/or profile name\n%s" % m)

        params = apparmor.easyprof.gen_policy_params(binary, options)
        if options.manifest and options.verify_manifest and \
           not apparmor.easyprof.verify_manifest(params):
            error("Manifest file requires review")

        if options.output_format == "json":
            sys.stdout.write('%s\n' % easyp.gen_manifest(params))
        else:
            params['no_verify'] = options.no_verify
            try:
                easyp.output_policy(params, count, opt.output_directory)
            except AppArmorException as e:
                error(e)
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com> 2012-05-07 22:37:48 -07:00			`#! /usr/bin/env python`
			`# ------------------------------------------------------------------`
			`#`
update copyright year for modified files 2015-03-26 17:14:52 -05:00			`# Copyright (C) 2011-2015 Canonical Ltd.`
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com> 2012-05-07 22:37:48 -07:00			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`

			`import apparmor.easyprof`
			`from apparmor.easyprof import AppArmorException, error`
			`import os`
			`import sys`

			`if __name__ == "__main__":`
			`def usage():`
			`'''Return usage information'''`
			`return 'USAGE: %s [options] <path to binary>' % \`
			`os.path.basename(sys.argv[0])`

make parser optional 2012-05-09 22:56:53 -07:00			`(opt, args) = apparmor.easyprof.parse_args()`
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com> 2012-05-07 22:37:48 -07:00			`binary = None`
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com> 2014-02-13 17:53:40 -08:00			`manifest = None`
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com> 2012-05-07 22:37:48 -07:00
			`m = usage()`
			`if opt.show_policy_group and not opt.policy_groups:`
			`error("Must specify -p with --show-policy-group")`
			`elif not opt.template and not opt.policy_groups and len(args) < 1:`
			`error("Must specify full path to binary\n%s" % m)`

			`binary = None`
			`if len(args) >= 1:`
			`binary = args[0]`

Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com> 2014-02-13 17:53:40 -08:00			`# parse_manifest() returns a list of tuples (binary, options). Create a`
			`# list of these profile tuples to support multiple profiles in one manifest`
			`profiles = []`
			`if opt.manifest:`
			`try:`
			`# should hide this in a common function`
			`if sys.version_info[0] >= 3:`
			`f = open(opt.manifest, "r", encoding="utf-8")`
			`else:`
			`f = open(opt.manifest, "r")`
			`manifest = f.read()`
			`except EnvironmentError as e:`
			`error("Could not read '%s': %s (%d)\n" % (opt.manifest,`
			`os.strerror(e.errno),`
			`e.errno))`
			`profiles = apparmor.easyprof.parse_manifest(manifest, opt)`
			`else: # fake up a tuple list when processing command line args`
			`profiles.append( (binary, opt) )`
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com> 2012-05-07 22:37:48 -07:00
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com> 2014-02-13 17:53:40 -08:00			`count = 0`
			`for (binary, options) in profiles:`
			`if len(profiles) > 1:`
			`count += 1`
			`try:`
			`easyp = apparmor.easyprof.AppArmorEasyProfile(binary, options)`
			`except AppArmorException as e:`
			`error(e.value)`
			`except Exception:`
			`raise`

			`if options.list_templates:`
			`apparmor.easyprof.print_basefilenames(easyp.get_templates())`
			`sys.exit(0)`
			`elif options.template and options.show_template:`
add --include-templates-dir and --include-policy-groups-dir options to easyprof to support framework policy on snappy 2015-03-26 16:59:05 -05:00			`sys_t = os.path.join(easyp.dirs['templates'], options.template)`
			`inc_t = None`
			`if options.include_templates_dir:`
			`inc_t = os.path.join(easyp.dirs['templates_include'],`
			`options.template)`

			`if os.path.exists(sys_t):`
			`apparmor.easyprof.print_files([sys_t])`
			`elif os.path.exists(inc_t):`
			`apparmor.easyprof.print_files([inc_t])`
			`else:`
			`error("Could not find '%s'" % options.template)`
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com> 2014-02-13 17:53:40 -08:00			`sys.exit(0)`
			`elif options.list_policy_groups:`
			`apparmor.easyprof.print_basefilenames(easyp.get_policy_groups())`
			`sys.exit(0)`
			`elif options.policy_groups and options.show_policy_group:`
add --include-templates-dir and --include-policy-groups-dir options to easyprof to support framework policy on snappy 2015-03-26 16:59:05 -05:00			`files = []`
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com> 2014-02-13 17:53:40 -08:00			`for g in options.policy_groups.split(','):`
add --include-templates-dir and --include-policy-groups-dir options to easyprof to support framework policy on snappy 2015-03-26 16:59:05 -05:00			`sys_g = os.path.join(easyp.dirs['policygroups'], g)`
			`inc_g = None`
			`if options.include_policy_groups_dir:`
			`inc_g = os.path.join(easyp.dirs['policygroups_include'], g)`

			`if os.path.exists(sys_g):`
			`files.append(sys_g)`
			`elif os.path.exists(inc_g):`
			`files.append(inc_g)`
			`else:`
incorporate feedback from Seth Arnold: - fix typo in comment - error() instead of warn() if can't find specified group 2015-03-28 07:16:22 -05:00			`error("Could not find '%s'" % g)`
add --include-templates-dir and --include-policy-groups-dir options to easyprof to support framework policy on snappy 2015-03-26 16:59:05 -05:00
			`apparmor.easyprof.print_files(files)`
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com> 2014-02-13 17:53:40 -08:00			`sys.exit(0)`
			`elif binary == None and not options.profile_name and \`
			`not options.manifest:`
			`error("Must specify binary and/or profile name\n%s" % m)`

			`params = apparmor.easyprof.gen_policy_params(binary, options)`
			`if options.manifest and options.verify_manifest and \`
			`not apparmor.easyprof.verify_manifest(params):`
			`error("Manifest file requires review")`
This patchset is broken into 4 parts: * the application, library, documentation and installation script * the initial templates and policy groups. This will undoubtedly need refinement as we get feedback from users. Initial policy is based on Ubuntu's Application Review Board (ARB) requirements[2]. * tests for the library * Makefile integration Templates are stored in /usr/share/apparmor/easyprof/templates and policy groups in /usr/share/apparmor/easyprof/policygroups. This can be adjusted via /etc/apparmor/easyprof.conf. The aa-easyprof.pod has complete documentation on usage with some additional information in utils/easyprof/README (mostly duplicated here). Testing can be performed in a number of ways: $ cd utils ; make check # runs unit tests and pyflakes Unit tests manually: $ ./test/test-aa-easyprof.py In source manual testing: $ ./aa-easyprof --templates-dir=./easyprof/templates \ --policy-groups-dir=./easyprof/policygroups \ ... \ /opt/foo/bin/foo Post-install manual testing: $ make DESTDIR=/tmp/test PERLDIR=/tmp/test/usr/share/perl5/Immunix install $ cd /tmp/test $ PYTHONPATH=/tmp/test/usr/local/.../dist-packages ./usr/bin/aa-easyprof \ --templates-dir=/tmp/test/usr/share/apparmor/easyprof/templates \ --policy-groups-dir=/tmp/test/usr/share/apparmor/easyprof/policygroups \ /opt/bin/foo (you may also adjust /tmp/test/etc/apparmor/easyprof.conf to avoid specifying --templates-dir and --policy-groups-dir). Committing this now based on conversation with John and Steve. Acked-By: Jamie Strandboge <jamie@canonical.com> 2012-05-07 22:37:48 -07:00
Add aa-easyprof and easyprof.py and related pieces from the Ubuntu apparmor packaging. These were originally 0030-easyprof-sdk.patch and 0037-easyprof-sdk-pt2.patch. Jamie posted an updated 0030-easyprof-sdk_v2.patch and I squashed both patches into one commit. Acked-By: Jamie Strandboge <jamie@canonical.com> 2014-02-13 17:53:40 -08:00			`if options.output_format == "json":`
			`sys.stdout.write('%s\n' % easyp.gen_manifest(params))`
			`else:`
			`params['no_verify'] = options.no_verify`
			`try:`
			`easyp.output_policy(params, count, opt.output_directory)`
			`except AppArmorException as e:`
			`error(e)`