logparser.py puts each log event on a big "stack" in self.pid. Later,
handle_children() in aa.py then converts that (named 'log' in aa.py) to
the prelog hasher.
This commit changes logparser.py to create the prelog structure itself
(named hashlog), which
- removes one level of indirection
- probably saves some memory because the hashlog automatically
de-duplicates events
This commit does this for capability, network and signal events, and
adds the infrastructure needed for all event/rule types.
In aa.py, the new function handle_hashlog() copies the hashlog content
to prelog. OTOH, the now superfluous code handling capability, network
and signal events gets removed from handle_children().
Long-term, hashlog will replace log in aa.py. When this is done,
handle_hashlog() will be replaced by a simple prelog = hashlog.
logparser.py gets a new function init_hashlog() to initialize hashlog
for each profile. It also gets changed to store capability, network and
signal events into hashlog instead of storing them in self.pid.
hashlog uses the full profile name as key, which is the first baby step
to support nested child profiles. (for now, handle_hashlog() still
splits the profile name into profile and hat.)
Known issue: The new implementation doesn't handle exec yet, which means
that events get lost at the exec boundary (= in cases aa-logprof asks
which execute mode to use). This will be fixed in a later commit.
This function was meant to set a process running under a null-* profile
to its "real" profile after deciding about the exec mode/target.
However, this is not supported in the kernel.
"Luckily" the function was also broken and exited early, which
successfully prevented erroring out.
All that means set_process() is useless and we can drop it.
logparser cleanup
- drop old commented out code
- inline two small functions into the places calling them to make the callstack smaller and easier to understand
- rename 'netdomain' log events to 'network' to match rule name
- handle_children: raise exception on unknown event type
As usual, reading the individual commits makes the changes easier to understand.
See merge request apparmor/apparmor!374
Acked-by: Seth Arnold <seth.arnold@canonical.com>
parser/rc.apparmor.functions: fix minor issues detected by shellcheck/shellharden
See merge request apparmor/apparmor!370
Acked-by: Christian Boltz <apparmor@cboltz.de>
The apparmor.d manpage listed 'to' as an alternative for '->' in link
rules.
However, the parser doesn't accept 'to', none of our examples and tests
include it, and nobody ever complained about it. Therefore I'll call
this a documentation bug ;-) and simply adjust the manpage to only list
'->' as valid syntax.
Fix error 'KeyError: 'logfiles'' when no logprof.conf exists
See merge request apparmor/apparmor!365
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
- Code layout based on aa-genprof example
- Extend Python dependencies to cover new need by aa-notify
- Update documentation after aa-notify is no longer in Perl
Related to #22.
Fixes error message:
Traceback (most recent call last):
  File "./aa-notify", line 523, in <module>
    main()
  File "./aa-notify", line 399, in main
    aa.set_logfile(args.file)
  File "/home/otto/koodia/apparmor/utils/apparmor/aa.py", line 1762, in set_logfile
    print(conf.find_first_file(cfg['settings']['logfiles']))
  File "/usr/lib/python3.6/configparser.py", line 1233, in __getitem__
    raise KeyError(key)
KeyError: 'logfiles'
Add tests for shared aa library functions used in command line scripts
See merge request apparmor/apparmor!328
Acked-by: Christian Boltz <apparmor@cboltz.de>
Add some tests with the complex profile name (including alternations and
wildcards) to ensure we don't break such cases in the future.
These tests are based on the log from the (invalid) bugreport
https://gitlab.com/apparmor/apparmor/issues/26
Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/358
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
base abstraction: allow mr on *.so* in common library paths.
For example, VirtualBox guests have /usr/lib/VBoxOGL.so.
Without this change, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and displays:
ImportError: libGL.so.1: failed to map segment from shared object
… and the system logs have:
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.
So let's not assume all libraries have a name that starts with "lib".
Bug-Tails: https://redmine.tails.boum.org/code/issues/16414
Candidate for master and 2.13.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/345
Signed-off-by: John Johansen <john.johansen@canonical.com>
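As an added illustration (not code from the AppArmor project or this commit), the Python below parses the DENIED audit line quoted in the commit message into its fields and runs the denied path through a simplified AppArmor path-glob matcher, showing why a `lib*.so*` pattern misses /usr/lib/VBoxOGL.so while `*.so*` covers it. The glob translator, the helper names and the two rule patterns are assumptions written for this example; they are not the base abstraction's literal rules or the parser's real matcher.

```python
import re
from typing import Dict, List

# Constructed sample, reproducing the denial quoted in the commit message above.
DENIED_LINE = (
    'apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" '
    'name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" '
    'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0'
)

# key=value pairs; values are either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split an AppArmor audit line into its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def aa_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate AppArmor path globbing into a Python regex.

    Simplified, hypothetical translator written for this example:
      *     any run of characters not containing '/'
      **    any run of characters, '/' included
      ?     one character other than '/'
      {a,b} alternation
    Character classes and other parser features are not handled.
    """
    out: List[str] = []
    depth = 0  # nesting level inside {...}
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == '*':
            if glob.startswith('**', i):
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            depth += 1
            out.append('(?:')
        elif c == '}' and depth:
            depth -= 1
            out.append(')')
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def matches(rule_path: str, path: str) -> bool:
    """True if the denied path is covered by the rule's path glob."""
    return aa_glob_to_regex(rule_path).match(path) is not None


def covering_rules(path: str, rule_paths: List[str]) -> List[str]:
    """Return the rule globs that would cover the given path."""
    return [r for r in rule_paths if matches(r, path)]


# Illustrative patterns in the style of the base abstraction (assumptions,
# not the abstraction's literal text): the first requires the 'lib' prefix.
LIB_PREFIX_RULE = '/{usr/,}lib{,32,64}/lib*.so*'
ANY_SO_RULE = '/{usr/,}lib{,32,64}/*.so*'

if __name__ == '__main__':
    event = parse_audit_line(DENIED_LINE)
    print(event['profile'], event['name'], event['denied_mask'])
    print(covering_rules(event['name'], [LIB_PREFIX_RULE, ANY_SO_RULE]))
```

Running it shows that only the prefix-free pattern covers /usr/lib/VBoxOGL.so, and because a single `*` does not cross `/`, a `/usr/lib/*.so*` rule still leaves libraries in multiarch subdirectories uncovered unless `**` is used.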