Convert the signal parse tests to use common AAParseTest super class in
common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Convert the ptrace parse tests to use common AAParseTest super class
in common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Convert the pivotroot parse tests to use common AAParseTest super
class in common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Convert the mount parse tests to use common AAParseTest super class in
common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Convert the DBUS parse tests to use common AAParseTest super class in
common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch abstracts out parse tests into a super class to inherit from
and converts the af_unix parse tests to use the super class.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The patch that adds support for af_unix rules added a _Raw_Rule base
class to inherit from in rules.py. This patch converts the rest of the
raw rules classes to use the same.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch moves the assignment of the regex function into the unittest
setUp() function rather than at script load time. If for some reason
the python utils library does not define the relevant function, without
this patch the script fails entirely; with it, each individual test
class that depends on the missing regex will fail each test case.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adds limited support for af_unix rules in the python
utilities, of the "don't touch them, but don't throw a python backtrace
when coming across them, either" variety. Testcases are added as well.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
add an add_to_options() helper function to aa.py which
- adds newpath to options if it's not already there
- returns the updated options and the index of newpath
This removes duplicated code for CMD_GLOB and CMD_GLOBEXT in
ask_the_question()
It also adds duplicate prevention to CMD_NEW.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
When reaching EOF while still in a profile (syntax-wise), there are two
possible reasons:
- missing "}"
- missing "," in the last rule (which means that, thanks to multiline
rule handling, the "}" is considered to be part of the last rule)
This patch improves the error message in aa.py to cover a missing ","
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
but should look for '//null-' instead.
Also remove some code duplication by merging with the next condition,
which executes the same self.add_to_tree code.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 126, in check_for_LD_XXX
for line in f_in:
[...]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xf8 in position 40: ordinal not in range(128)
While on it, also replace usage of the "found" variable by "return"
statements, which should bring a small performance improvement - if we
have a match, it's superfluous to continue searching.
The patch also adds me to the copyright header ;-)
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
- allow users to merge two profiles (2-way merge) using aa-mergeprof by
making the third profile optional
- re-enable code that cleaned up base and other profile and using it in
deleted count (was disabled due to pyflakes thinking it was unused)
Patch by Kshitij Gupta <kgupta8592@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adjusts the verbosity of several of the utils tests,
to make them all consistently verbose.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
tree python modules.
Also remove "sys.path.append('../')" (and now-unused "import sys") from
all tests that contain it for consistency and to make testing with the
installed modules possible (even if we don't have a USE_SYSTEM option
yet).
Acked-by: Steve Beattie <steve@nxnw.org>
saving the remaining profile after using "save selected profile".
When using "save selected profile", write_profile() (called by
write_profile_ui_feedback()) does "changed.pop(profile_name)".
However, saving the remaining profiles in save_profiles() uses a cached
version of changed.keys() and therefore tries to save a profile that
was already saved and is no longer part of "changed".
Also remove two commented lines we'll never need again:
- #changed.pop is done in write_profile()
- q['options'] is set some lines above
References: https://bugs.launchpad.net/apparmor/+bug/1341178
Acked-by: Steve Beattie <steve@nxnw.org>
This patch adds the new capability CAP_AUDIT_READ, added in the 3.16
kernel, to the utils severity.db. I set the severity level at 7,
since it seemed to offer less exposure than CAP_AUDIT_CONTROL and
CAP_AUDIT_WRITE, which are both considered severity 8.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
testcases) to
- sleep 10 seconds after each failed test to make failures more annoying
^W^W^W^Wgive people a chance to read failure details
- print a list of failed tests at the end
Also avoid duplicate code by letting runtests-py2.sh call runtests-py3.sh.
Acked-by: Steve Beattie <steve@nxnw.org>
LOG_MODE_RE is also defined (and used) in aamode.py.
This patch removes the superfluous definition from logparser.py.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch improves the error messages in aa.py store_list_var() to make
debugging of profile syntax problems easier. It also adds an additional
parameter for the profile filename (used in the error message).
Acked-by: Steve Beattie <steve@nxnw.org>
This patch fixes a crash in aa-complain when a profile name is quoted.
It also makes sure aa-complain actually adds the complain flag in such
cases. (aa-enforce etc. will also benefit from this fix.)
Note: superfluous quotes will be removed when saving the profile (for
example with aa-cleanprof), but they are kept if needed, like in
profile "/bin/foo bar"
(tested with aa-complain and aa-cleanprof - and also with "rcapparmor
reload", where the initscript bailed out because my profile filename
contained a space...)
The patch also adds some TODO notes.
References: https://bugs.launchpad.net/apparmor/+bug/1296218
Acked-by: Steve Beattie <steve@nxnw.org>.
When creating a child profile while using genprof, I get a backtrace:
Traceback (most recent call last):
File "aa-genprof", line 160, in <module>
lp_ret = apparmor.do_logprof_pass(logmark, passno)
File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 2291, in do_logprof_pass
save_profiles()
File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 2309, in save_profiles
for prof_name in changed.keys():
RuntimeError: dictionary changed size during iteration
(See https://bugs.launchpad.net/apparmor/+bug/1014304 for more details.)
After digging into the code, it seems for some reason the child profile
is added to "changed" - I doubt this is correct (guess why it's removed
later... ;-)
After digging a bit more, I found out that create_new_profile() is
(ab)used to create a new stub profile to be used as child profile.
create_new_profile then adds the new child (which looks like a normal
profile to it) to "changed".
This patch most probably makes the cleanup round in save_profile()
superfluous by adding an is_stub parameter to create_new_profile(). If
this parameter is set, the new (child) profile is not added to "created"
and "changed".
I intentionally added the two print() lines in save_profile because
a) I think they will never be displayed
b) I want to know if a) is wrong ;-)
c) it's always nice to have a "nice" error message before displaying
a backtrace ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
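The two "changed" iteration failures described in this commit (bug 1014304, RuntimeError from the live key view) and in the earlier "save selected profile" commit (bug 1341178, a stale cached key list) re-enacted with a constructed stand-in dict; this is an added example, not aa.py's own code, and the membership re-check in save_profiles_fixed() is an assumed fix rather than the project's.

```python
"""Added example (constructed, not aa.py's code): re-enacting the two
"changed" iteration bugs with a stand-in dict and write_profile()."""
from typing import Callable, Dict, List, Union

# Constructed stand-in for the "changed" dict keyed by profile name.
CHANGED_EXAMPLE: Dict[str, str] = {
    "/usr/bin/foo": "profile /usr/bin/foo { ... }",
    "/usr/bin/foo//bar": "stub child profile",
}


def write_profile(changed: Dict[str, str], name: str, saved: List[str]) -> None:
    """Mirror the commit text: saving a profile pops it from "changed"."""
    saved.append(name)
    changed.pop(name)          # KeyError if the profile was already saved


def save_profiles_live(changed: Dict[str, str]) -> List[str]:
    """Bug 1014304 shape: iterate the live key view while it is mutated."""
    saved: List[str] = []
    for prof_name in changed.keys():   # Python 3: RuntimeError on the next step
        write_profile(changed, prof_name, saved)
    return saved


def save_profiles_snapshot(changed: Dict[str, str], selected: str) -> List[str]:
    """Bug 1341178 shape: a cached key list goes stale once "save selected
    profile" has already written (and popped) one entry."""
    saved: List[str] = []
    names = list(changed.keys())             # snapshot taken before the pop
    write_profile(changed, selected, saved)  # "save selected profile"
    for prof_name in names:
        write_profile(changed, prof_name, saved)   # KeyError on the stale name
    return saved


def save_profiles_fixed(changed: Dict[str, str], selected: str) -> List[str]:
    """Assumed fix: snapshot the keys, but re-check membership before saving."""
    saved: List[str] = []
    names = list(changed.keys())
    write_profile(changed, selected, saved)
    for prof_name in names:
        if prof_name in changed:      # skip anything popped since the snapshot
            write_profile(changed, prof_name, saved)
    return saved


def outcome(fn: Callable[..., List[str]], *args) -> Union[List[str], str]:
    """Run a save_profiles variant; return its result or the exception name."""
    try:
        return fn(*args)
    except (RuntimeError, KeyError) as exc:
        return type(exc).__name__
```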
(unlimited) because the "if not value:" check matches 0.
This patch replaces the check with "... is None".
It also prints a warning if the old value is None (could in theory
happen if reading the old value failed).
Acked-by: Steve Beattie <steve@nxnw.org>. Thanks.
preprocessor and is not as thorough as -QTK (--skip-kernel-load,
--skip-read-cache, --skip-cache). Like with '-p', '-QTK' can be run without
privilege but it will catch things like conflicting 'x' modifiers.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1325109
The parser will accept rules with either umount or unmount rule types.
The utils should follow suit.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
- convert "tail" result from byte to string to avoid TypeError crash
- use apparmor.filename instead of hardcoded /var/log/audit/audit.log
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
(in a more serious version: add some tests for dbus, *mount, signal,
ptrace and pivot_root and make sure a space after the keyword is enforced.
The tools shouldn't accept a "dbusdriver" or "pivot_rootbeer" rule. ;-)
Acked-by: Tyler Hicks <tyhicks@canonical.com>
(dbus, *mount, signal, ptrace, pivot_root) except if the line only
contains the bare keyword.
Note that in most cases (except *mount) I used an alternation - this has
the advantage that it doesn't change the match group numbering, with the
small disadvantage of having to mention the keyword twice in the regex.
I chose this way to avoid that I have to change lots of other places and
possibly introduce bugs by overlooking something.
For the *mount rules, I read the code - it shouldn't need any changes
because it uses only matches[0..2].
Acked-by: Tyler Hicks <tyhicks@canonical.com>
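The alternation technique described in the last two commits, shown on constructed sample lines: this is an added example with regexes of my own shape, not the actual patterns in aa.py, and it illustrates why the alternation keeps the match group numbering while still rejecting "dbusdriver" and "pivot_rootbeer".

```python
"""Added example, not AppArmor's own regexes: the alternation trick for
requiring whitespace (or a bare keyword) after a rule keyword."""
import re
from typing import List, Optional, Tuple

# Constructed sample profile lines: (keyword, line, should_parse).
SAMPLE_LINES = [
    ("dbus", "dbus,", True),
    ("dbus", "  dbus send bus=session,", True),
    ("dbus", "dbusdriver send,", False),
    ("signal", "audit deny signal (send) peer=foo, # comment", True),
    ("pivot_root", "pivot_rootbeer /new /old,", False),
]


def rule_regex(keyword: str, strict: bool) -> "re.Pattern[str]":
    """Compile a regex for one rule type (constructed shape, not aa.py's).

    Group numbering is identical in both forms: 1 = audit, 2 = deny,
    3 = rule text up to the comma, 4 = trailing comment.  Only the text
    inside group 3 changes, so callers indexing groups need no edits.
    """
    kw = re.escape(keyword)
    if strict:
        # Either the bare keyword, or the keyword followed by whitespace.
        body = r"({kw}\s*,|{kw}\s+[^#]*\s*,)".format(kw=kw)
    else:
        # Keyword may run straight into the rule text ("dbusdriver").
        body = r"({kw}[^#]*\s*,)".format(kw=kw)
    return re.compile(r"^\s*(audit\s+)?(deny\s+)?" + body + r"\s*(#.*)?$")


def parse_rule(keyword: str, line: str, strict: bool) -> Optional[Tuple[str, ...]]:
    """Return the match groups for a rule line, or None if it does not parse."""
    m = rule_regex(keyword, strict).match(line)
    return m.groups() if m else None


def loose_only(samples=SAMPLE_LINES) -> List[Tuple[str, str]]:
    """Lines the loose regex accepts but the strict one rejects."""
    return [(kw, line) for kw, line, _ in samples
            if parse_rule(kw, line, False) and not parse_rule(kw, line, True)]


def strict_matches_expectation(samples=SAMPLE_LINES) -> bool:
    """True if the strict regex agrees with every sample's should_parse flag."""
    return all((parse_rule(kw, line, True) is not None) == ok
               for kw, line, ok in samples)
```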