... and self.pid which is also unused.
This simple change also means to adjust all the code that uses ReadLog.
We get rid of log_pid in aa.py, and have to change lots of test-*
The only remaining job of handle_children() was to handle exec events.
(And recursively calling itsself if it hits nested log events, but
logparser.py never created such a log structure.)
Therefore:
- drop the dead code handling nested log (type != str)
- rename the remaining function to ask_exec()
- drop checks for typ = 'exec' (now done as part of the for loop
- drop the "else" branch for unknown event types
- change 'return' to 'continue' because ask_exec handles all exec events
in a loop instead of being called multiple times
- oh, and of course switch over to using hashlog
Finally, change do_logprof_pass() and the tests to call ask_exec()
instead of handle_children().
While on it, update a comment in test-translations.py which held the
last reference to handle_children().
Adjust logparser.py to store change_hat events in hashlog.
In aa.py,
- split off ask_addhat() from handle_children()
- change ask_addhat() to use hashlog
- call ask_addhat() from do_logprof_pass()
Also call ask_addhat() in test-libapparmor-test_multi.py to keep it in
sync with do_logprof_pass().
In logparser parse_event_for_tree() path event handling, drop mapping
permissions for request_mask because request_mask never gets used.
Also drop the validate_log_mode() call because the function has its own,
more strict check since the last commit.
In aamode.py, drop the now unused validate_log_mode() and
hide_log_mode() functions and the LOG_MODE_RE regex.
Finally, drop the validate_log_mode() tests from test-aamode.py
In logparser.py parse_event_for_tree, convert path handling to hashlog.
While on it, include 'owner' as part of hashlog so that aa.py doesn't
need to guess.
Also switch to a simple for loop instead of using log_str_to_mode() from
aamode.py to convert denied_mask to hasher keys (which would have been
needed to allow merging of several log events for the same path anyway).
Note that the check for 'mrawlk' (intentionally without 'x') is more
strict than the validate_log_mode(), but it should still cover all file
permissions. (validate_log_mode() also allows things like 'Px', which
we'll never hit in a logfile.)
In aa.py collapse_log() update the handling of path events to match the
additional [owner] key in hashlog/prelog. This makes the owner detection
in collapse_log() superfluous.
In aa.py handle_children(), remove 'path' handling from the 'path' or
'exec' section, and add an 'if True:' to avoid lots of whitespace
changes.
In aamode.py, drop the now unused split_mode() function, and
AA_OTHER_REMOVE() that was only used by split_mode().
Finally, remove sample log events with null-* hats from the list of
known failures in test-libapparmor-test_multi.py (we no longer filter
out null-* hats), and fix whitespace in two expected profiles.
logparser.py puts each log event on a big "stack" in self.pid. Later,
handle_children() in aa.py then converts that (named 'log' in aa.py) to
the prelog hasher.
This commit changes logparser.py to create the prelog structure itsself
(named hashlog), which
- removes one level of indirection
- probably saves some memory because the hashlog automatically
de-duplicates events
This commit does this for capability, network and signal events, and
adds the infrastructure needed for all event/rule types.
In aa.py, the new function handle_hashlog() copies the hashlog content
to prelog. OTOH, the now superfluous code handling capability, network
and signal events gets removed from handle_children().
Long-term, hashlog will replace log in aa.py. When this is done,
handle_hashlog() will be replaced by a simple prelog = hashlog.
logparser.py gets a new function init_hashlog() to initialize hashlog
for each profile. It also gets changed to store capability, network and
signal events into hashlog instead of storing them in self.pid.
hashlog uses the full profile name as key, which is the first baby step
to support nested child profiles. (for now, handle_hashlog() still
splits the profile name into profile and hat.)
Known issue: The new implementation doesn't handle exec yet, which means
that events get lost at the exec boundary (= in cases aa-logprof asks
which execute mode to use). This will be fixed in a later commit.
- Code layout based on aa-genprof example
- Extend Python dependencies to cover new need by aa-notify
- Update documentation after aa-notify is no longer in Perl
Add some tests with the complex profile name (including alternations and
wildcards) to ensure we don't break such cases in the future.
These tests are based on the log from the (invalid) bugreport
https://gitlab.com/apparmor/apparmor/issues/26
Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/358
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.
The tools also have a list of network keywords, update it:
- add xdp and qipcrtr
- move ib and mpls to match the kernel order
Also add a test to ensure that (at least) the keywords provided by the
running kernel are listed in network_domain_keywords.
When run locally on a development machine or in production, the full test
is likely to run. However inside a CI system container 'last' might fail
to show last login or there might not be access to kern.log and the test
will automatically skip those without failing the whole test suite.
This will help ensure the future rewrite of aa-notify from Perl to Python
is less likely to introduce regressions. Tests run the command line utility
via a subprocess so it does not matter that the tests are in Python but
the aa-notify utility is in Perl (for now).
Defining 'stderr = subprocess.STDOUT' as a default value for function
did not work and the 'stderr' was always empty, thus also 'outerr' was
always empty and not standard error contents was ever considered in any
way.
Best in fact was to remove excess function arguments as they were not even
used and replace it with a simpler and less error prone structure.
Even after reading 'stderr' correctly it did not help much as all tests
used 'assertIn' which ignored excess output. Better replace the normal
output with the error output if there ever was something, since stderr
is most likely a serious thing and tests should stop on it.
'lastline' gets merged into 'line' (and reset to None) when reading the
next line. If 'lastline' isn't empty after reading the whole profile,
this means there's something unparseable at the end of the profile,
therefore parse_profile_data() should error out.
Also remove some simple_tests testcases from the 'exception_not_raised'
list - they only didn't raise the exception because the invalid rule was
the last line in the affected profile.
Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
discovering this bug while adding some xattr testcases that surprisingly
didn't fail in the tools.
Technical stuff first:
Replace existing_profiles (a dict with the filenames for both active and
inactive profiles) with active_profiles and extra_profiles which are
ProfileList()s and store the active profiles and those in the extra
directory separately. Thanks to ProfileList, now also the relation
between attachments and filenames is easily available.
Also replace all usage of existing_profiles with active_profiles and
extra_profiles, and adjust it to the ProfileList syntax everywhere.
With this change, several bugs in aa-complain and the other minitools
get fixed:
- aa-complain etc. never found profiles that have a profile name
(the attachment wasn't checked)
- even if the profile name was given as parameter to aa-complain, it
first did "which $parameter" so it never matched on named profiles
- profile names with alternations (without attachment specification)
also never matched because the old code didn't use AARE.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
(search for "As usual" ;-)
Just for completeness - the matching still doesn't honor/expand
variables in the profile name.
ProfileList is meant to store the list of profiles (both name and
attachment) and in which files they live.
Also add unittests to make sure everything works as expected.
test-libapparmor-test_multi.py: test for known-empty log
Add a check to logfile_to_profile() that checks the parsed log against a
list of input logs (log_to_profile_known_empty_log) that produce an
empty output.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/214
Acked-by: John Johansen <john.johansen@canonical.com>
Add a check to logfile_to_profile() that checks the parsed log against a
list of input logs (log_to_profile_known_empty_log) that produce an
empty output.
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does _not_ run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
Also note that serialize_profile_from_old_profile() (which no longer
exists in master, "only" in <= 2.13) would in theory also need support
for abi rules. In practise, making this another case of
"serialize_profile_from_old_profile() has known issues" is probably
fine, but we should at least test that "(V)iew changes" doesn't break if
an abi rule is present.
... instead of overwriting them with the flags of the main profile.
This fixes a longstanding issue with aa-complain, aa-enforce and
aa-audit which broke the flags of child profiles and hats if they
differed from the main profile.
It also fixes several issues documented in the tests (which obviously
need adjustment to match the fixed behaviour).
Also change the "no profile found" cases to AppArmorException - errors
in a profile are not worth triggering AppArmorBug ;-)
All callers call change_profile_flags(), so it makes sense to test this
function instead of set_profile_flags().
Besides that, set_profile_flags() will be merged into
change_profile_flags() in the next commit ;-)
Note that this commit adds some '# XXX' notes to the tests. These will
be addressed in later commits.
If the old flags are given as str (or None), call split_flags() to
convert them to a list.
This allows to simplify change_profile_flags() which now doesn't need to
call split_flags() on its own.
Also add some tests with a str for the old flags
parse_profile_start(): Error out on nested child profiles
See merge request apparmor/apparmor!136
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
use serialize_profile() for the new profile in (V)iew Changes
See merge request apparmor/apparmor!131
Acked-by: John Johansen <john.johansen@canonical.com>
The tools can't handle nested child profiles yet. Instead of failing
in funny[tm] ways (parse_profile_start() only returned the first two
segments of the profile name) better error out with a clear message.
