finishing was always false, resulting in always returning 'NORMAL'.
Remove the variable, remove the unused condition - and change the only
place (aa-genprof) that expected a return value from do_logprof_pass()
to not expect it anymore.
found by Coverity, CID 198637
Rewrite log handling
logparser.py puts each log event on a big "stack" in self.pid. Later,
handle_children() in aa.py then converts that (named 'log' in aa.py) to
the prelog hasher.
This commit changes logparser.py to create a prelog-like structure itsself
(named hashlog), which
- removes one level of indirection
- probably saves some memory because the hashlog automatically
de-duplicates events
In aa.py, collapse_log() gets updated to work with hashlog. (There's
also a handle_hashlog() function in this patch series, but it didn't
survive the final patches ;-)
OTOH, the now superfluous code handling capability, network etc.
events gets removed from handle_children(). The remaining parts of
this function get split into ask_exec() and ask_addhat().
logparser.py gets a new function init_hashlog() to initialize hashlog
for each profile. It also gets changed to store capability, network etc.
events into hashlog instead of storing them in self.pid.
hashlog uses the full profile name as key, which is the first baby step
to support nested child profiles. (for now, collapse_log() still
splits the profile name into profile and hat.)
There are many more details, see the individual commits ;-)
See merge request apparmor/apparmor!377
Acked-by: Seth Arnold <seth.arnold@canonical.com>
If final_name still includes null-*, that's most likely caused by nested
execs which aren't supported by the tools yet. Ignoring them is better
than creating a useless null-* hat.
Note: The tools always had this restriction, so this is not a regression ;-)
Also note that test-libapparmor-test_multi expects that null-* hats get
created (which makes sense because the one-line log sniplets don't have
any exec indication), therefore add an optional parameter to keep this
behaviour for the tests.
Now that all log events arrive in hashlog, having a separate 'prelog' no
longer makes sense. Changing collapse_log() to accept 'hashlog' directly
removes that level of indirection.
It's only used by two functions:
- handle_hashlog() - writes to prelog, and now returns it
- collapse_log() - reads prelog, and now gets it as parameter
'final_name' by default is the profile name, but ask_exec() will change
it for the target profile (which is a null-* profile at this stage)
based on exec mode choice. ask_addhat() will also change it based on the
chosen hat.
Choosing "deny" or "unconfined" will result in an empty final_name and
ignoring these log events.
All other choices set final_name to the full profile name ("foo" for Px,
"foo//bar" for Cx, current profile for ix).
Also fix the order of handling log events - since ask_exec() changes the
hashlog final_name, it has to run first so that ask_addhat() (which
"only" adjusts the hat name in final_name) and handle_hashlog() can work
with the updated profile name.
Finally, update test-libapparmor-test_multi.py to ignore final_name when
checking if hashlog is empty, and fix the call order of ask_exec() etc.
profile and hat don't get used in the following lines, and later get
overwritten in the next round of the for loop.
The deleted code was last useful for setting the (dropped)
profile_changes array.
... and self.pid which is also unused.
This simple change also means to adjust all the code that uses ReadLog.
We get rid of log_pid in aa.py, and have to change lots of test-*
After all the changes in this branch, parse_event_for_tree always
returns None, which makes the "if event is not None" branch dead code.
This branch was the only place where add_to_tree() was called, therefore
remove this function.
This also makes self.pid and self.log unused. They'll be removed with
separate commits.
The only remaining job of handle_children() was to handle exec events.
(And recursively calling itsself if it hits nested log events, but
logparser.py never created such a log structure.)
Therefore:
- drop the dead code handling nested log (type != str)
- rename the remaining function to ask_exec()
- drop checks for typ = 'exec' (now done as part of the for loop
- drop the "else" branch for unknown event types
- change 'return' to 'continue' because ask_exec handles all exec events
in a loop instead of being called multiple times
- oh, and of course switch over to using hashlog
Finally, change do_logprof_pass() and the tests to call ask_exec()
instead of handle_children().
While on it, update a comment in test-translations.py which held the
last reference to handle_children().
The 'hat' and 'prog' variables are no longer needed, drop them.
Also no longer include denied_mask in the event - operation='exec' means
an exec event, no need to additionally hand over 'x' permissions.
Note: This commit introduces a "brain split", which means exec handling
is temporarily broken. Later commits will fix this.
parse_event_for_tree() always sets prog = 'HINT' and to_name = '' for
exec events.
The only exception is in the 'mandatory profile missing' case where
prog = aamode and to_name = target_profile, but I've never seen that in
practise.
This means the prog != 'HINT' branch in exec handling never gets used
and can be dropped.
Erroring out "if to_name:" also never gets used (to_name is always ''),
therefore drop it as well.
- replace/merge 'uhat' with 'hat'
- adjust ProfileStorage comment to the new function name
- initialize default hat if it gets chosen and doesn't exist yet
- don't exit the function if "Deny" gets chosen. Instead, continue with
the next hat to (possibly) add
Adjust logparser.py to store change_hat events in hashlog.
In aa.py,
- split off ask_addhat() from handle_children()
- change ask_addhat() to use hashlog
- call ask_addhat() from do_logprof_pass()
Also call ask_addhat() in test-libapparmor-test_multi.py to keep it in
sync with do_logprof_pass().
All the variables initialized at the start of the function always get
overwritten in the loop, therefore it's superfluous to initialize them.
Also inline 'entries' to the only place that uses it.
According to John, this isn't supported since 10 years.
In case you wonder why this commit removes the "fork" handling in
handle_children() - logparser.py names clone events "fork" on the event
stack.
In logparser parse_event_for_tree() path event handling, drop mapping
permissions for request_mask because request_mask never gets used.
Also drop the validate_log_mode() call because the function has its own,
more strict check since the last commit.
In aamode.py, drop the now unused validate_log_mode() and
hide_log_mode() functions and the LOG_MODE_RE regex.
Finally, drop the validate_log_mode() tests from test-aamode.py
In logparser.py parse_event_for_tree, convert path handling to hashlog.
While on it, include 'owner' as part of hashlog so that aa.py doesn't
need to guess.
Also switch to a simple for loop instead of using log_str_to_mode() from
aamode.py to convert denied_mask to hasher keys (which would have been
needed to allow merging of several log events for the same path anyway).
Note that the check for 'mrawlk' (intentionally without 'x') is more
strict than the validate_log_mode(), but it should still cover all file
permissions. (validate_log_mode() also allows things like 'Px', which
we'll never hit in a logfile.)
In aa.py collapse_log() update the handling of path events to match the
additional [owner] key in hashlog/prelog. This makes the owner detection
in collapse_log() superfluous.
In aa.py handle_children(), remove 'path' handling from the 'path' or
'exec' section, and add an 'if True:' to avoid lots of whitespace
changes.
In aamode.py, drop the now unused split_mode() function, and
AA_OTHER_REMOVE() that was only used by split_mode().
Finally, remove sample log events with null-* hats from the list of
known failures in test-libapparmor-test_multi.py (we no longer filter
out null-* hats), and fix whitespace in two expected profiles.
According to John, 'inode_permission' wasn't used for 10 years.
This little change also means that we now have a clear separation
between "exec" and "normal" (mrwlk) file events.
Also drop the now superfluous makes peek_at_next_log_entry() and
throw_away_next_log_entry() functions.
logparser.py puts each log event on a big "stack" in self.pid. Later,
handle_children() in aa.py then converts that (named 'log' in aa.py) to
the prelog hasher.
This commit changes logparser.py to create the prelog structure itsself
(named hashlog), which
- removes one level of indirection
- probably saves some memory because the hashlog automatically
de-duplicates events
This commit does this for capability, network and signal events, and
adds the infrastructure needed for all event/rule types.
In aa.py, the new function handle_hashlog() copies the hashlog content
to prelog. OTOH, the now superfluous code handling capability, network
and signal events gets removed from handle_children().
Long-term, hashlog will replace log in aa.py. When this is done,
handle_hashlog() will be replaced by a simple prelog = hashlog.
logparser.py gets a new function init_hashlog() to initialize hashlog
for each profile. It also gets changed to store capability, network and
signal events into hashlog instead of storing them in self.pid.
hashlog uses the full profile name as key, which is the first baby step
to support nested child profiles. (for now, handle_hashlog() still
splits the profile name into profile and hat.)
Known issue: The new implementation doesn't handle exec yet, which means
that events get lost at the exec boundary (= in cases aa-logprof asks
which execute mode to use). This will be fixed in a later commit.
This function was meant to set a process running under a null-* profile
to its "real" profile after deciding about the exec mode/target.
However, this is not supported in the kernel.
"Luckily" the function was also broken and exited early, which
successfully prevented erroring out.
All that means set_process() is useless and we can drop it.
