Separate out the aa-status json version info out from being a magic
element embedded in a string in the middle of the json emitter, and move
it to an early location, along with a comment to edit it whenthe format
changes.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://gitlab.com/apparmor/apparmor/-/merge_requests/517
Fix showing the local inactive profile in json mode
See merge request apparmor/apparmor!514
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
When aa-genprof proposes a local inactive profile, it had a hardcoded
call to 'less' to display that profile.
Unsurprisingly, this doesn't work in JSON mode and breaks YaST (luckily
it's only a case of "the button doesn't work").
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1171315
... which can mean "too late" in some special cases (if a profile
already exists in /etc/apparmor.d/$non_default_filename).
However, the main reason is that without this change
- the new profile will be added to (otherwise empty) active_profiles
- the first do_logprof_pass() will read all profiles, including the new
one, and add them to active_profiles - which unsurprisingly results in
an error like `ERROR: Profile /usr/sbin/vsftpd exists in
/etc/apparmor.d/usr.sbin.vsftpd and /etc/apparmor.d/usr.sbin.vsftpd`
To fix this,
- change do_logprof_pass to never call read_profiles() (and get rid of
the 'passno' parameter)
- adjust its callers (aa-logprof and aa-genprof) to call read_profiles()
themself
- move printing the 'Updating AppArmor profiles in $directory.' message
to read_profiles(), but only display it if requested (to keep the
current UI behaviour)
Since 4b7108f1e5, aa-genprof and
aa-autodep crashed with
apparmor.common.AppArmorBug: /etc/apparmor.d/usr.sbin.vsftpd not listed in ProfileList files
because the profile was not added to active_profiles.
Add the profile to active_profiles to fix this regression, and to have
all the needed data in active_profiles.
There are no bashisms in the minimize.sh test script, so convert to
using to /bin/sh
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/issues/18
The profile repo is dead since years and most likely won't come back, so
there's no point in keeping and maintaining the code for uploading and
downloading profiles.
The use of filenames for a profile name has been deprecated in
AppArmor 3.0 so output a warning when ever a profile with a filename
based name is encountered.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/506
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser tests were missing include tests for include entries in the
preamble section of a profile. This commit adds both #include and
include variants, as well as include if exists variants.
Also added is an exception list for the utils tests -- though it should
be noted that the utils silently drop the "#include if exists" format if
it's in the preamble without raising an exception.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/509
Add support for handling `include if exists` rules in profile preambles in the `ProfileList` class.
Besides that, do some groundwork for future changes - see the individual commits for details and spoilers ;-)
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/507
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
aa-status output has changed slightly to account for the newer profile
modes. This means the json version needs to be bumped so consumers
can detect the change.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/508
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Move suggested bug reporting from launchpad to gitlab
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Documentation of the profile header: name, attachments and flags
is missing. Add basic documentation describing the header and
it components.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/505
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
- add_inc_ie() stores include and include if exists rules
- get_clean() and get_raw() return the profile preamble (currently only
the include rules)
Also add tests for the new functions.
This is similar to get_clean(), but keeps the original rule order
instead of sorting them.
This is useful for include rules in the preamble, where the order might
be relevant - for example if the first include defines a variable that
is then used or extended in the second include file.
Merge branch 'cboltz-profile-list-rename-add' into 'master'
See merge request apparmor/apparmor!502
Acked-by: Steve Beattie <steve.beattie@canonical.com>
With the addition of commits to make libapparmor LSM stacking aware, several tests were failing due to:
- aa_getpeercon() having an added aa_enabled() check
- aa_getprocattr() looking in /proc/pid/attr/apparmor/current first
Fix the specific failing testcases with additional permissions, and grant default profiles and hat generated by mkprofile.pl write access to /proc/*/attr/apparmor/current.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/504
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Because of the need to be stacking LSM aware, aa_getpeercon() calls
aa_enable to ensure that apparmor is enabled. Without the permission,
aa_getpeercon() fails, causing test failures.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
While xattr attachments exist without outofband transitions, they are
broken when values contain the null character. The addition of
outofband transitions fixes this problem.
While we could make the test requirement for outofband transitions
specific to a few tests, since the parser currently requires outofband
transitions to generate xattr attachment conditionals, for a first
pass just make the whole test suite require them.
Revisit this when/if the parser will allow xattr attachments without
outofband transitions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Better descriptions why some example profiles fail with the tools
See merge request apparmor/apparmor!501
Acked-by: John Johansen <john.johansen@canonical.com>
apparmor.vim: support 'include if exists'
See merge request apparmor/apparmor!500
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
