in_preamble keeps track of the current parsing position.
It's True while parsing the preamble of a profile file, and when loading
an include file that is included in the preamble (typically tunables/*).
While inside a profile or parsing abstractions/*, it is False.
This commit only hands the information around and keeps in_preamble
updated, but it doesn't really get used yet.
Also adjust the tests to hand over the additional parameter to
parse_profile_data().
... to handle parsing of lines that are managed with a *Rule
This needs 'ruletypes' to also know about *Rule, not only about
*Ruleset.
Also switch over handling of most rules that live inside a profile from
parse_profile() to match_line_against_rule_classes() to make
parse_profile() more readable.
Exceptions are:
- include and abi, which can also exist in the preamble
- file rules, because they'd need to be handled later (after variable
definitions)
Since loadincludes() now only loads a specified list of subdirectories,
we no longer need a directory blacklist.
The only possibly remaining part are .git subdirectories (for example
tunables/.git or abstractions/.git). Since it's very unlikely that
someone would have only a subdirectory of /etc/apparmor.d/ in git, drop
that check.
Also split out parts of the function into loadincludes_dir() to keep the
code readable.
Note: This change might affect the list of includes proposed by
aa-logprof.
split off parse_profile_start_to_storage() from parse_profile_data()
See merge request apparmor/apparmor!710
Acked-by: Steve Beattie <steve.beattie@canonical.com>
in_contained_hat is needed to know if we are already in a profile or
not. (Simply checking if we are in a hat doesn't work, because something
like "profile foo//bar" will set profile and hat at once, and later
(wrongfully) expect another "}".
However, the way how this variable was set became too complicated.
To simplify the code, set in_contained_hat directly in
parse_profile_data() RE_PROFILE_START instead of returning it via
parse_profile_start() and parse_profile_start_to_storage()
Since this change removes a return value from two functions, also adjust
the tests accordingly.
parse_profile_start_to_storage() converts the result of
parse_profile_start() into a ProfileStorage object.
No functional change, but parse_profile_data() becomes more readable.
Also extend tests to cover parse_profile_start_to_storage().
... to find regressions or improvements in the python code coverage.
`make coverage-regression` will error out if a file looses its 100%
coverage, or if a file improved to 100% coverage.
Other coverage changes (for example 45% -> 47%) will be ignored.
To get them running in the CI,
* call them with `--configdir ./`
* skip testing `aa-unconfined` if securityfs is not available
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/696
Acked-by: John Johansen <john.johansen@canonical.com>
... to ensure that it errors out if a wrong parameter type is given.
This also increases the test coverage of ProfileList to 100%.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/694
Acked-by: John Johansen <john.johansen@canonical.com>
Add the BooleanRule and BooleanRuleset classes, add handling of boolean variable definitions in ProfileList and adjust `parse_profile_data()` to use BooleanRule. As usual, add tests for the added code.
See the individual commits for the details.
Note that this MR is also a bugfix - the previous code in (3.0 and master) saved boolean variables at a wrong place, and they were silently lost when writing the profile.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/693
Acked-by: John Johansen <john.johansen@canonical.com>
... and save rules at the right place (ProfileList) where they actually
get written when writing the profile.
This is also a bugfix - the previous code saved boolean variables at a
wrong place, and they were silently lost when writing the profile.
Extend cleanprof_test.{in,out} to ensure that this doesn't break again.
Also remove boolean_bad_[2-4] from the test-parser-simple-tests.py
exception_not_raised list because these test profiles now get correctly
detected as invalid.
These two classes are meant to handle the definition of boolean rules
like `$foo = true`.
Also extend RE_PROFILE_BOOLEAN to provide named matches.
As usual, add tests for the new classes.
Kept separate from other fixes because conf file changes can cause
problems for packagers.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
Fix spelling errors in code strings. Some strings are translatable.
This fixes are potentially user visible.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
With the exception of the documentation fixes, these should all be
invisible to users.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
If aa-notify races file rotation it may crash with a trace back to
the log file being removed before the new one is moved into place.
Traceback (most recent call last):
File "/usr/sbin/aa-notify", line 570, in <module>
main()
File "/usr/sbin/aa-notify", line 533, in main
for message in notify_about_new_entries(logfile, args.wait):
File "/usr/sbin/aa-notify", line 145, in notify_about_new_entries
for event in follow_apparmor_events(logfile, wait):
File "/usr/sbin/aa-notify", line 236, in follow_apparmor_events
if os.stat(logfile).st_ino != log_inode:
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/audit/audit.log'
If we hit this situation sleep and then retry opening the logfile.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/130
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/688
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
So far, aa-autodep "accidently" loaded the abstractions when parsing the existing profiles. Obviously, this only worked if there is at least one profile in the active or extra profile directory.
Without any existing profiles, aa-autodep crashed with KeyError: '/tmp/apparmor.d/abstractions/base'
Prevent this crash by explicitely loading the abstractions on start.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/682
Acked-by: John Johansen <john.johansen@canonical.com>
Since this option is mostly meant for testing, it will not show up in `--help`.
`aa-notify` was the only tool that honored the `__AA_CONFDIR` env variable. Drop it in favor of the `--configdir` option.
Note: Since we now pass `confdir=` to `init_aa()` (in most cases `None`), setting the default needs to be moved inside the function.
Also use `--configdir` in the tests.
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/670
Acked-by: John Johansen <john.johansen@canonical.com>
So far, aa-autodep "accidently" loaded the abstractions when parsing the
existing profiles. Obviously, this only worked if there is at least one
profile in the active or extra profile directory.
Without any existing profiles, aa-autodep crashed with
KeyError: '/tmp/apparmor.d/abstractions/base'
Prevent this crash by explicitely loading the abstractions on start.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1]
This is needed to catch conflicts between uppercase and lowercase
hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in
the german utils translations.
Since this option is mostly meant for testing, it will not show up in
--help.
aa-notify was the only tool that honored the __AA_CONFDIR env variable.
It still does if --configdir is not given.
Note: Since we now pass confdir= to init_aa() (in most cases None),
setting the default needs to be moved inside the function.
On arch
make -C profiles check-logprof
fails with
*** Checking profiles from ./apparmor.d against logprof
ERROR: Can't find AppArmor profiles in /etc/apparmor.d
make: *** [Makefile:113: check-logprof] Error 1
make: Leaving directory '/build/apparmor/src/apparmor-2.13.3/profiles'
because /etc/apparmor.d/ is not available in the build environment
and aa-logprofs --dir argument, is not being passed to init_aa()
but used to update profiles_dir after the fact.
Fix this by passing profiledir as an argument to init_aa()
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/36
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/663
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
When run with the -p flag, aa-notify works fine for 100 seconds and then it exits.
I suspect that the issue arises from the following check on line 259 in utils/aa-notify
if debug_logger.debug_level <= 10 and int(time.time()) - start_time > 100:
debug_logger.debug('Debug mode detected: aborting notification emitter after 100 seconds.')
sys.exit(0)
together with line 301 in utils/apparmor/common.py which initializes debug_logger.debug_level to logging.DEBUG which has the numerical value 10.
A simple solution might be to just remove the check as I'm not quit sure why one would want aa-notify to exit when run in debug mode in the first place.
Alternatively, one could check against debug_logger.debugging (initialized to False) or change the initialization of debug_logger.debug_level to something else, but I don't know how that would affect other consumers of utils/apparmor/common.py.
For now just add dbugger_logger.debugging as an additional check as the
reason for timing out after 100s during debugging are unclear.
Suggested-by: vicvbcun
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/126
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/660
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Otto Kekäläinen <otto@kekalainen.net>
This a step towards addressing the linting of the utils causing
problems in a build vs dev environment. See
https://gitlab.com/apparmor/apparmor/-/issues/121
Split off linting with PYFLAKES into its own target as a step towards
making the running of the lint checks as a configuration option.
https://gitlab.com/apparmor/apparmor/-/merge_requests/662
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
utils/test/test-aa-notify.py:
Change `AANotifyTest.test_entries_since_login()` to be decorated by a
`skipUnless()` checking for existence of **/var/log/wtmp** (similar to
`AANotifyTest.test_entries_since_login_verbose()`).
The test otherwise fails trying to access /var/log/wtmp in environments
where the file is not available.
Fixes#120
Attempt to get clarity on what is valid syntax for mount options and
fstype options.
Note that simple_tests/mount/bad_opt_27.sd is marked TODO, as the
parser accepts it but should not.
Also mark the tests as expecting to fail to raise an exception by the
python utils.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
af_unix allows for sockets to be bound to a name that is autogenerated.
Currently this type of binding is only supported by a very generic
rule.
unix (bind) type=dgram,
but this allows both sockets with specified names and anonymous
sockets. Extend unix rule syntax to support specifying just an
auto bind socket by specifying addr=auto
eg.
unix (bind) addr=auto,
It is important to note that addr=auto only works for the bind
permission as once the socket is bound to an autogenerated address,
the addr with have a valid unique value that can be matched against
with a regular
addr=@name
expression
Fixes: https://bugs.launchpad.net/apparmor/+bug/1867216
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
If an exec gets denied in enforce mode, there are no log events for the
target binary/profile. Therefore, trying to set the final_name for the
target will crash with a KeyError.
Check for the existence of hashlog[aamode][target_profile] in all exec
options to prevent this crash.
Note that the log doesn't include enough information for EXEC MODE and EXEC COND, therefore aa-logprof will always propose ALL as EXEC COND (comm= might give a hint about EXEC COND, but isn't good enough).
With the added support in aa-logprof, remove the changeprofile tests from the known-failing list in test-libapparmor-test_multi.py.
Also add another test log (from darix) / expected profile to the libapparmor testsuite.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/631
Acked-by: John Johansen <john.johansen@canonical.com>
