Commit graph

1384 commits

Author SHA1 Message Date
Christian Boltz
aa1e315e77
Add tests for link rules to test-file.py 2019-04-22 23:39:47 +02:00
Christian Boltz
f176baf904
Add support for link rules to FileRule 2019-04-22 23:39:47 +02:00
Christian Boltz
a477a06847
Extend RE_PROFILE_FILE_ENTRY to cover link rules 2019-04-22 23:39:47 +02:00
Christian Boltz
ee2185f4b6 Merge branch 'cboltz-link-owner' into 'master'
Add testcases for 'owner link' rules

See merge request apparmor/apparmor!369

Acked-by: Eric Chiang <ericchiang@google.com>
2019-04-22 17:59:06 +00:00
Christian Boltz
7d95e2658e Merge branch 'cboltz-typo' into 'master'
Fix typo in set_json_mode() comment

See merge request apparmor/apparmor!364

Acked-by: Eric Chiang <ericchiang@google.com>
2019-04-22 17:58:15 +00:00
Christian Boltz
0facb1598c
Add testcases for 'owner link' rules
.. and document that the tools don't support them yet
2019-04-22 13:36:33 +02:00
Christian Boltz
1d19bb7110
parse_profile_start: test with un-named profile
Also update the comment in _parse to match the updated return values.
2019-04-22 12:38:38 +02:00
Otto Kekäläinen
d4cab56ac7 aa-notify: Use fixed output width in tests so results always look same 2019-04-21 18:37:10 +03:00
Otto Kekäläinen
d5990da72a aa-notify: Use AATest class in tests since possible now with Python 2019-04-21 18:37:10 +03:00
Otto Kekäläinen
a74d7cf51c Re-implement aa-notify in Python (Closes: #16)
- Code layout based on aa-genprof example
- Extend Python dependencies to cover new need by aa-notify
- Update documentation after aa-notify is no longer in Perl
2019-04-21 18:37:10 +03:00
Otto Kekäläinen
3a1eec49d4 Add tests for shared aa library functions used in command line scripts 2019-04-21 18:37:10 +03:00
Otto Kekäläinen
3c7e1668bd aa.py: Indicate permission error if log file is found but cannot be opened 2019-04-21 18:35:33 +03:00
Otto Kekäläinen
455c441357 aa.py: Ensure there is always a fallback value for the logfile location
Related to #22.

Fixes error message:

  Traceback (most recent call last):
    File "./aa-notify", line 523, in <module>
      main()
    File "./aa-notify", line 399, in main
      aa.set_logfile(args.file)
    File "/home/otto/koodia/apparmor/utils/apparmor/aa.py", line 1762,
    in set_logfile
      print(conf.find_first_file(cfg['settings']['logfiles']))
    File "/usr/lib/python3.6/configparser.py", line 1233, in __getitem__
      raise KeyError(key)
  KeyError: 'logfiles'
2019-04-20 23:34:04 +03:00
Christian Boltz
7153eb09d9
Fix typo in set_json_mode() comment 2019-04-19 22:25:30 +02:00
Otto Kekäläinen
fdd13db13b Add tests for shared aa library functions used in command line scripts 2019-04-19 17:29:26 +03:00
Christian Boltz
9feebc4363
Add some tests for complex profile names
Add some tests with the complex profile name (including alternations and
wildcards) to ensure we don't break such cases in the future.

These tests are based on the log from the (invalid) bugreport
https://gitlab.com/apparmor/apparmor/issues/26
2019-03-31 17:34:55 +02:00
John Johansen
52b3fc220e Adjust tests to match base abstraction update.
Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/358
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-03-29 07:56:23 +00:00
intrigeri
0170e98f9c Adjust tests to match base abstraction update.
Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.
2019-03-24 14:45:03 +00:00
John Johansen
cfe20d2b63 Add support for profiles with xattrs matching
Add userland support for matching based on extended file attributes. This
leverages DFA based matching already in the kernel:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e51f908
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73f488cd

Matching is exposed via flags on the profile:

    /usr/bin/* xattrs=(user.foo=bar user.bar=foo) {
        # ...
    }

xattr values are appended to the existing xmatch via a null transition.

    $ echo '/usr/bin/* xattrs=(user.foo=foo user.bar=bar) {}' | \
        ./parser/apparmor_parser -QT -D expr-tree
    DFA: Expression Tree
    /usr/bin/[^\0000/]([^\0000/])*(\0000bar)?(\0000foo)?< 0x1>
    DFA: Expression Tree
    (\a|(\n|(\0002|\t)))< 0x4>

Tested manually on a 4.19 kernel via QEMU+KVM.

TODO:

  * ~~Add regression tests~~ (EDIT: done)
  * ~~EDIT: add support in the tools~~ (EDIT: done)

Questions for reviewers:

  * ~~parser/libapparmor: regex construction probably needs cleaning up~~ (EDIT: done)
  * ~~parser/parser_regex.c: confused what xmatch length is for~~ (EDIT: done)

/cc @mjg59

PR: https://gitlab.com/apparmor/apparmor/merge_requests/270
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-03-21 08:12:07 +00:00
Christian Boltz
49849ed7a3
update network keyword list in utils and add test
The tools also have a list of network keywords, update it:
- add xdp and qipcrtr
- move ib and mpls to match the kernel order

Also add a test to ensure that (at least) the keywords provided by the
running kernel are listed in network_domain_keywords.
2019-03-16 12:52:37 +01:00
Eric Chiang
a42fd8c6f4 parser: add support for matching based on extended file attributes
Add userland support for matching based on extended file attributes.
This leverages DFA based matching already in the kernel:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e51f908
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73f488cd

Matching is exposed via flags on the profile:

  /usr/bin/* xattrs=(user.foo=bar user.bar=**) {
      # ...
  }

Profiles list the set of extended attributes that a file MUST have, and
a regex to match the value of that extended attributes. Additional
extended attributes on the file don't affect the match.

Signed-off-by: Eric Chiang <ericchiang@google.com>
2019-03-14 10:47:54 -07:00
Christian Boltz
62abfe38e8
Replace deprecated assertEquals with assertEqual
assertEquals is deprecated since Python 2.7 and 3.2.
2019-02-26 21:27:00 +01:00
Christian Boltz
f729391deb Merge branch 'cboltz-test-setup_aa' into 'master'
add an example for setup_aa() to test-example.py

See merge request apparmor/apparmor!330

Acked-by: Steve Beattie <steve@nxnw.org>
2019-02-13 22:42:19 +00:00
Steve Beattie
45c26214cc
utils: fixup test-aa.py tests that fail due to usr-merge
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
2019-02-12 23:17:59 -08:00
Christian Boltz
d6bc00b35b
add an example for setup_aa() to test-example.py
(commented out, but having it documented is helpful nevertheless)
2019-02-10 23:24:29 +01:00
Otto Kekäläinen
aaf7d0a27a Skip aa-notify tests if their requirements for running are missing
When run locally on a development machine or in production, the full test
is likely to run. However inside a CI system container 'last' might fail
to show last login or there might not be access to kern.log and the test
will automatically skip those without failing the whole test suite.
2019-02-09 13:50:02 +02:00
Otto Kekäläinen
f05a464369 Add tests for aa-notify
This will help ensure the future rewrite of aa-notify from Perl to Python
is less likely to introduce regressions. Tests run the command line utility
via a subprocess so it does not matter that the tests are in Python but
the aa-notify utility is in Perl (for now).
2019-02-09 13:12:01 +02:00
Otto Kekäläinen
c04a0cadef Extend common DebugLogger with option to log to stderr
This makes it possible for e.g. command line tools to have the --debug
option and when invoked print the existing debug messages directly to
stderr so the user running the command can see them.
2019-02-07 01:05:32 +02:00
Otto Kekäläinen
707ef17923 Rewrite aa-decode to use inline Python instead of to-be-deprecated Perl 2019-02-05 00:20:47 +02:00
Otto Kekäläinen
a3ae271d1e Bugfix aa-decode test: Get stderr correctly, don't ignore stderr contents
Defining 'stderr = subprocess.STDOUT' as a default value for function
did not work and the 'stderr' was always empty, thus also 'outerr' was
always empty and no standard error contents were ever considered in any
way.

Best in fact was to remove excess function arguments as they were not even
used and replace it with a simpler and less error prone structure.

Even after reading 'stderr' correctly it did not help much as all tests
used 'assertIn' which ignored excess output. Better replace the normal
output with the error output if there ever was something, since stderr
is most likely a serious thing and tests should stop on it.
2019-02-05 00:15:13 +02:00
Otto Kekäläinen
eb378f46d5 Clean up and document AppArmor UI module
- Add documentation stub for what the UI module is and how JSON works
- Make indentation consistent
- Use pythonic 'if' clauses
- Add two spaces after function definitions (Python style)
2019-02-04 20:14:58 +02:00
John Johansen
803cb5558f drop failing corner-case check in logparser.py
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.

Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.

Also drop the now unused function get_profile_filename()

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472

PR: https://gitlab.com/apparmor/apparmor/merge_requests/296
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-01-24 10:26:05 +00:00
Eric Chiang
cb8c3377ba *: ensure make apparmor_parser is cached
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.

Two changes were made:

* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a

Changes to list_af_names are intended to exactly replicate the old
behavior.

Signed-off-by: Eric Chiang <ericchiang@google.com>
2019-01-22 15:30:51 -08:00
Christian Boltz
ed692337a5
Drop get_profile_filename() from logparser.py
This function is unused since the last commit.
2019-01-02 20:42:57 +01:00
Christian Boltz
03ea5b82b7
drop failing corner-case check in logparser.py
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.

Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
2019-01-02 20:30:54 +01:00
Christian Boltz
274132ee6c
Add a test profile with xattrs=... to cleanprof tests 2018-12-09 20:54:41 +01:00
John Johansen
718744b122 Merge branch 'cboltz-re_flags' into 'master'
Split out RE_FLAGS

... instead of having it duplicated in RE_PROFILE_HAT_DEF and RE_PROFILE_START.

Note that the flags=... handling in RE_PROFILE_HAT_DEF was more/too
strict (for example it didn't allow whitespace around the "="), so this
change also qualifies as a little bugfix.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/287
Acked-by: John Johansen <john.johansen@canonical.com>
2018-12-08 08:37:18 +00:00
John Johansen
8441a42c51 Merge branch 'cboltz-drop-activate_repo_profiles' into 'master'
Drop unused activate_repo_profiles()

PR: https://gitlab.com/apparmor/apparmor/merge_requests/274
Acked-by: John Johansen <john.johansen@canonical.com>
2018-12-08 06:55:49 +00:00
Christian Boltz
0d830fae31
Split out RE_FLAGS
... instead of having it duplicated in RE_PROFILE_HAT_DEF and
RE_PROFILE_START.

Note that the flags=... handling in RE_PROFILE_HAT_DEF was more/too
strict (for example it didn't allow whitespace around the "="), so this
change also qualifies as a little bugfix.
2018-12-06 22:02:01 +01:00
Christian Boltz
aa1e8bd55d Merge branch 'utils-xattrs' into 'master'
utils: add support to tools for profiles with xattrs

See merge request apparmor/apparmor!285

Acked-by: Christian Boltz <apparmor@cboltz.de>
2018-12-06 13:15:49 +00:00
Eric Chiang
fde015435a utils: add support to tools for profiles with xattrs
Signed-off-by: Eric Chiang <ericchiang@google.com>
2018-12-05 19:22:32 -08:00
Christian Boltz
8b4e76a7d5
Fix viewing a local inactive profile in aa-genprof
aa-genprof checks if one of the profiles in the extra profile dir
matches the binary, and proposes to use that profile as a starting
point.

Since 4d722f1839 the "(V)iew profile"
option to display the proposed profile was broken.

The easiest fix is to remember the filename in the extras directory, and
display the file from there.

Sidenote: when choosing to use the extra profile, it gets written to
disk without any problems, so this bug really only affected "(V)iew
profile" to preview the proposed extra profile.
2018-11-18 21:35:07 +01:00
Christian Boltz
04c91d5256
Drop unused activate_repo_profiles() 2018-11-18 17:20:30 +01:00
Christian Boltz
4efff35bf8
parse_profile_data(): Ensure last line in a profile is valid
'lastline' gets merged into 'line' (and reset to None) when reading the
next line. If 'lastline' isn't empty after reading the whole profile,
this means there's something unparseable at the end of the profile,
therefore parse_profile_data() should error out.

Also remove some simple_tests testcases from the 'exception_not_raised'
list - they only didn't raise the exception because the invalid rule was
the last line in the affected profile.

Thanks to Eric Chiang for accidentally (and maybe even unnoticedly ;-)
discovering this bug while adding some xattr testcases that surprisingly
didn't fail in the tools.
2018-11-13 17:59:40 +01:00
Christian Boltz
273e45a4af Merge branch 'cboltz-profile-list' into 'master'
Replace "existing_profiles" & fix minitools for named profiles

See merge request apparmor/apparmor!249

Acked-by: John Johansen <john.johansen@canonical.com>
2018-11-11 13:17:00 +00:00
John Johansen
94ff870f78 remove subdomainfs support
It has been over 10 years since transition from subdomainfs to
using securityfs. Let's drop this deprecated code.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/258
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: seth.arnold@canonical.com
2018-11-08 18:23:21 -08:00
Christian Boltz
4d722f1839
Replace existing_profiles & fix minitools for named profiles
Technical stuff first:

Replace existing_profiles (a dict with the filenames for both active and
inactive profiles) with active_profiles and extra_profiles which are
ProfileList()s and store the active profiles and those in the extra
directory separately. Thanks to ProfileList, now also the relation
between attachments and filenames is easily available.

Also replace all usage of existing_profiles with active_profiles and
extra_profiles, and adjust it to the ProfileList syntax everywhere.

With this change, several bugs in aa-complain and the other minitools
get fixed:
- aa-complain etc. never found profiles that have a profile name
  (the attachment wasn't checked)
- even if the profile name was given as parameter to aa-complain, it
  first did "which $parameter" so it never matched on named profiles
- profile names with alternations (without attachment specification)
  also never matched because the old code didn't use AARE.

References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
(search for "As usual" ;-)

Just for completeness - the matching still doesn't honor/expand
variables in the profile name.
2018-10-23 00:28:37 +02:00
Christian Boltz
789c4658e2
add ProfileList class to store list of profiles
ProfileList is meant to store the list of profiles (both name and
attachment) and in which files they live.

Also add unittests to make sure everything works as expected.
2018-10-23 00:28:37 +02:00
Christian Boltz
8809218ac8
Move updating existing_profiles out of parse_profile_data()
parse_profile_data() returns the parsed profiles, but writes to
existing_profiles directly.

read_profiles() calls parse_profile_data() and already handles adding
the parsed profiles to aa, original_aa or extras, which means updating
existing_profiles there is a much better place.

This commit also includes a hidden change: Previously, when parsing
include files, they were also added to existing_profiles. This is
superfluous, only real profiles need to be stored there.
2018-10-23 00:28:37 +02:00
Christian Boltz
a6b8d14908
split off get_new_profile_filename()
... and call it from get_profile_filename_* if get_new is True
(= always with the current code)
2018-10-23 00:28:37 +02:00