The TODO in write_rules() was long solved - remove the safety net type
check, it's no longer needed.
Without this, the function becomes a simple .get_rules_clean() call
which can easily be inlined into write_piece() at the two places where
it's called.
... but not for abi rules, which (according to the simple_tests
profiles) do not share these bugs
For unquoted paths, make sure that the path doesn't include whitespace.
... because after the previous three commits, nothing reads/needs this
anymore
Note: file_name in ask_exec() was only used in the (dropped) filelist
usage.
Instead of checking filelist[file]['profiles'] for duplicate hats, check
profile_data[profile][hat].
With this, the duplicate hat check is done in the same way as the check
for duplicate profiles and child profiles.
Also add tests for duplicate child profiles and duplicate hats.
Using a list as parameter for subprocess.call is more secure, and avoids
funny problems if the filename to display contains spaces or other funny
characters.
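The difference described in the commit message above, as an added example (not AppArmor's own code). The pager stand-in, the sample filenames and the function names are constructed for illustration.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Stand-in for the pager ('less' on the page): prints the file named in argv[1].
PAGER = [sys.executable, "-c",
         "import sys; sys.stdout.write(open(sys.argv[1]).read())"]

# Constructed sample filenames: one with a space, one with a shell metacharacter.
NAMES = ["usr.sbin.my daemon", "profile; touch marker"]


def show_with_string(filename, cwd):
    """Command built as one string and parsed by /bin/sh (filename unquoted)."""
    cmd = " ".join(shlex.quote(arg) for arg in PAGER) + " " + filename
    return subprocess.run(cmd, shell=True, cwd=cwd,
                          capture_output=True, text=True)


def show_with_list(filename, cwd):
    """Command passed as a list: the filename is exactly one argv element."""
    return subprocess.run(PAGER + [filename], cwd=cwd,
                          capture_output=True, text=True)


def demo():
    """Return what each form displayed and whether a side effect occurred."""
    results = {}
    for label, show in (("string", show_with_string), ("list", show_with_list)):
        with tempfile.TemporaryDirectory() as workdir:
            for name in NAMES:
                with open(os.path.join(workdir, name), "w") as handle:
                    handle.write("profile text\n")
            for name in NAMES:
                results[(label, name)] = show(name, workdir).stdout
            # 'marker' only appears if the shell ran part of a filename
            results[(label, "marker")] = os.path.exists(
                os.path.join(workdir, "marker"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

With the string form neither file is displayed and the second filename leaves a `marker` file behind; with the list form both files are displayed and nothing else runs.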
Fix showing the local inactive profile in json mode
See merge request apparmor/apparmor!514
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
When aa-genprof proposes a local inactive profile, it had a hardcoded
call to 'less' to display that profile.
Unsurprisingly, this doesn't work in JSON mode and breaks YaST (luckily
it's only a case of "the button doesn't work").
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1171315
... which can mean "too late" in some special cases (if a profile
already exists in /etc/apparmor.d/$non_default_filename).
However, the main reason is that without this change
- the new profile will be added to (otherwise empty) active_profiles
- the first do_logprof_pass() will read all profiles, including the new
  one, and add them to active_profiles - which unsurprisingly results in
  an error like `ERROR: Profile /usr/sbin/vsftpd exists in
  /etc/apparmor.d/usr.sbin.vsftpd and /etc/apparmor.d/usr.sbin.vsftpd`
To fix this,
- change do_logprof_pass to never call read_profiles() (and get rid of
  the 'passno' parameter)
- adjust its callers (aa-logprof and aa-genprof) to call read_profiles()
  themselves
- move printing the 'Updating AppArmor profiles in $directory.' message
  to read_profiles(), but only display it if requested (to keep the
  current UI behaviour)
Since 4b7108f1e5, aa-genprof and
aa-autodep crashed with
apparmor.common.AppArmorBug: /etc/apparmor.d/usr.sbin.vsftpd not listed in ProfileList files
because the profile was not added to active_profiles.
Add the profile to active_profiles to fix this regression, and to have
all the needed data in active_profiles.
The profile repo has been dead for years and most likely won't come back, so
there's no point in keeping and maintaining the code for uploading and
downloading profiles.
Add support for handling `include if exists` rules in profile preambles in the `ProfileList` class.
Besides that, do some groundwork for future changes - see the individual commits for details and spoilers ;-)
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/507
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Move suggested bug reporting from launchpad to gitlab
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
- add_inc_ie() stores include and include if exists rules
- get_clean() and get_raw() return the profile preamble (currently only
the include rules)
Also add tests for the new functions.
This is similar to get_clean(), but keeps the original rule order
instead of sorting them.
This is useful for include rules in the preamble, where the order might
be relevant - for example if the first include defines a variable that
is then used or extended in the second include file.
Merge branch 'cboltz-profile-list-rename-add' into 'master'
See merge request apparmor/apparmor!502
Acked-by: Steve Beattie <steve.beattie@canonical.com>