If the old flags are given as str (or None), call split_flags() to
convert them to a list.
This allows to simplify change_profile_flags() which now doesn't need to
call split_flags() on its own.
Also add some tests with a str for the old flags
... instead of set_profile_flags() to keep possibly existing flags like
attach_disconnected.
Note that this function is unused (meant to be used with the
no-longer-existing profile repo), therefore nobody noticed that
set_profile_flags() was called with the wrong number of parameters ;-)
'case OPTION_OFILE' missed the 'break', which means if did fallthrough
to the default case.
Adding the 'break' means no longer executing another PERROR, and no
longer executing the 'exit(1)' in the default branch.
References: coverity #55994
Add kernel patches that will NEVER be sent upstream. These provide abi
compatibility with the v2.x network and af_unix rules.
The 4.17 network mediation pull request deliberately broke abi
compatibility with the v2.x rules, and these are provided so that
distros who shipped the v2.x compatible patches can provide new
kernels on older releases that require v2.x network support.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Note that NO_FLAGS was an inverse option, therefore
- NO_FLAGS was changed to FLAGS (also in sync_profile() which is the
only caller that sets FLAGS)
- the default for include_flags (if FLAGS is not set) is True
Add mesa abstraction to allow writing to the Mesa-specific cache
locations and listing devices. Abstraction is needed for applications
utilizing OpenGL API with Mesa implementation available on the system.
parse_profile_start(): Error out on nested child profiles
See merge request apparmor/apparmor!136
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
use serialize_profile() for the new profile in (V)iew Changes
See merge request apparmor/apparmor!131
Acked-by: John Johansen <john.johansen@canonical.com>
The tools can't handle nested child profiles yet. Instead of failing
in funny[tm] ways (parse_profile_start() only returned the first two
segments of the profile name) better error out with a clear message.
The initial apparmor.service assumed the profile cache is in
/var/lib/apparmor/ which was an openSUSE-specific path that was chosen
for historical reasons, but was far from perfect.
In the meantime, the profile cache moved to /var/cache/apparmor/ and the
read-only/packaged version was added in /usr/share/apparmor/cache/
This commit adjusts apparmor.service to use these paths.
These tests verify that
- _is_equal_aare() really raises an exception when it sees an invalid
combination of other_value and other_all
- BaseRuleset.__repr__() works as expected
As a side effect, this commit pushes the test coverage of
apparmor/rule/__init__.py to 100% ;-)
... which is unused since the last commit.
Also delete several functions that were only used by this function:
- write_change_profile()
- write_rlimits()
- write_capabilities()
- write_netdomain()
- write_dbus()
- write_signal()
- write_ptrace()
- write_file()
Finally, no longer import some functions from profile_storage:
- write_links
- write_mount
- write_pivot_root
- write_unix
BTW: Deleting these 460 lines improves test coverage of aa.py from
38% to 44%, and total test coverage from 63% to 66% :-)
- rename prof_data parameter to ref
- drop empty allow, prefix and tail, and their usage in the format
string
- inline sep into the format string
- replace usage of fn with the actual function name (var_transform)
This is needed to get a reproducible output.
Also adjust the tests in test-profile-storage.py and add some example
variable to cleanprof.in and cleanprof.out
