Fix showing the local inactive profile in json mode
See merge request apparmor/apparmor!514
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
When aa-genprof proposes a local inactive profile, it had a hardcoded
call to 'less' to display that profile.
Unsurprisingly, this doesn't work in JSON mode and breaks YaST (luckily
it's only a case of "the button doesn't work").
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1171315
... which can mean "too late" in some special cases (if a profile
already exists in /etc/apparmor.d/$non_default_filename).
However, the main reason is that without this change
- the new profile will be added to (otherwise empty) active_profiles
- the first do_logprof_pass() will read all profiles, including the new
one, and add them to active_profiles - which unsurprisingly results in
an error like `ERROR: Profile /usr/sbin/vsftpd exists in
/etc/apparmor.d/usr.sbin.vsftpd and /etc/apparmor.d/usr.sbin.vsftpd`
To fix this,
- change do_logprof_pass to never call read_profiles() (and get rid of
the 'passno' parameter)
- adjust its callers (aa-logprof and aa-genprof) to call read_profiles()
themself
- move printing the 'Updating AppArmor profiles in $directory.' message
to read_profiles(), but only display it if requested (to keep the
current UI behaviour)
Since 4b7108f1e5, aa-genprof and
aa-autodep crashed with
apparmor.common.AppArmorBug: /etc/apparmor.d/usr.sbin.vsftpd not listed in ProfileList files
because the profile was not added to active_profiles.
Add the profile to active_profiles to fix this regression, and to have
all the needed data in active_profiles.
The profile repo is dead since years and most likely won't come back, so
there's no point in keeping and maintaining the code for uploading and
downloading profiles.
Add support for handling `include if exists` rules in profile preambles in the `ProfileList` class.
Besides that, do some groundwork for future changes - see the individual commits for details and spoilers ;-)
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/507
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Move suggested bug reporting from launchpad to gitlab
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
- add_inc_ie() stores include and include if exists rules
- get_clean() and get_raw() return the profile preamble (currently only
the include rules)
Also add tests for the new functions.
This is similar to get_clean(), but keeps the original rule order
instead of sorting them.
This is useful for include rules in the preamble, where the order might
be relevant - for example if the first include defines a variable that
is then used or extended in the second include file.
Merge branch 'cboltz-profile-list-rename-add' into 'master'
See merge request apparmor/apparmor!502
Acked-by: Steve Beattie <steve.beattie@canonical.com>
apparmor.vim: support 'include if exists'
See merge request apparmor/apparmor!500
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
For now, only 'include if exists' rules will be handled by IncludeRule.
Using it also for 'include' rules needs some more code changes so that
included files still get checked etc.
Also remove some testcases from test-parser-simple-tests.py unknown_line
which no longer fail.
These classes are meant to handle 'include' and 'include if exists'
rules.
Due to restrictions in re_match_include_parse(), some cases in
is_covered_localvars() and is_equal_localvars() can't be reached in the
unittests.
Also, IncludeRule isn't used in aa-logprof (yet?), which means
logprof_header_localvars() result format isn't decided yet, and
therefore not tested.
This means test coverage for the new classes isn't 100% this time ;-)
- extend RE_INCLUDE to also match "include if exists"
- rename re_match_include() to re_match_include_parse() and extend it to
also support "include if exists" rules. The return value also includes
"ismagic" now to avoid another future change, but that's not used yet.
- add re_match_include() which is now a wrapper around
re_match_include_parse() and behaves exactly as the old
re_match_include()
$ make check
will fail unless PYFLAKES=pyflakes3 is passed as an environment
variable. Fix it so make check will work by default.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This function was introduced as a temporary (ahem...) solution in 95404bb2f3 but was never really correct. It checked against other_value.regex (as a string!) and, while this was somewhat generous in the results, could have unintended side effects.
Better error out on the safe side and add/keep a few superfluous rules than having a wrong match in is_covered() and miss to add/keep a rule that would be needed.
The perfect solution would be to really compare one AARE against the other as the parser does. I'm not too keen to implement this in python, and will wait until someone provides this function (which the parser already has) via libapparmor ;-)
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/478
Acked-by: John Johansen <john.johansen@canonical.com>
Only bool and str keys may be overwritten.
Other key types (list, dict, *Ruleset) can have their content modified
(not __setitem__()s job), but replacing the whole collection should
never happen.
This function was introduced as a temporary (ahem...) solution in
95404bb2f3 but was never really correct.
It checked against other_value.regex (as a string!) and, while this was
somewhat generous in the results, could have unintended side effects.
Better error out on the safe side and add/keep a few superfluous rules
than having a wrong match in is_covered() and miss to add/keep a rule
that would be needed.
The perfect solution would be to really compare one AARE against the
other as the parser does. I'm not too keen to implement this in python,
and will wait until someone provides this function (which the parser
already has) via libapparmor ;-)
If create-apparmor.vim.py fails, an empty apparmor.vim gets created. The
next "make" run will assume that apparmor.vim was already created (the
file exists and has a new-enough timestamp) and will therefore skip the
create-apparmor.vim.py run, keeping the broken apparmor.vim forever.
Adjust the Makefile to delete apparmor.vim if the script fails. This
ensures that make tries again in the next run.
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
