Without it, aa-disable
- didn't error out when hitting a broken profile directory
- didn't find a profile if it doesn't use the default naming scheme
(for example /bin/true profile hiding in bin.false)
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
aa-status was crashing when parsing through /proc/mounts looking to see
if and where the securityfs synthetic file system is mounted if there
was a mount point that contained characters outside of the charset in
use in the environment of aa-status. This patch fixes the issue by
converting the read of /proc/mounts into a binary read and then uses
decode on the elements.
Patch by Alain BENEDETTI.
Acked-by: Steve Beattie <steve@nxnw.org>
As a follow-up to the logparser.py change that converts disconnected
path events to an error, add a testcase to test-logparser.py.
Acked-by: Steve Beattie <steve@nxnw.org> for both trunk and 2.9.
The upcoming function parse_profile_start() (which is a wrapper around
the updated RE_PROFILE_START, and will live in regex.py) needs
strip_profile(), but importing it from aa.py fails with an import loop.
Therefore this patch moves strip_quotes() from aa.py to regex.py and
re-imports it into aa.py.
As a bonus, the patch also adds some tests for strip_quotes() ;-)
Also add TestStripQuotes to the test_suite list because it won't run
otherwise.
Acked-by: Steve Beattie <steve@nxnw.org> for both trunk and 2.9
Move the code for parsing the profile start ("/foo {") from aa.py
parse_profile_data() to a separate function parse_profile_start().
Most of the changes are just moving around code, with some small
exceptions:
- instead of handing over profile_data to parse_profile_start() to
modify it, it sets two variables (pps_set_profile and
pps_set_hat_external) as part of its return value, which are then
used in parse_profile_data() to set the flags in profile_data.
- existing_profiles[profile] = file is executed later, which means
it used the strip_quotes() version of profile now
- whitespace / tab level changes
The patch also adds some tests for the parse_profile_start() function.
Acked-by: Steve Beattie <steve@nxnw.org>
Also adds a check to get_profile_flags() to catch an invalid syntax:
/foo ( ) {
was accepted by get_profile_flags, while
/foo () {
failed.
When testing with the parser, both result in a syntax error, therefore
the patch makes sure it also fails in get_profile_flags().
Acked-by: Steve Beattie <steve@nxnw.org>
This means that aa-logprof will ignore the event instead of crashing with
AppArmorException: 'Unexpected rank input: var/run/nscd/passwd'
Note that I made the check as specific as possible to be sure it doesn't
hide other events.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=918787
Acked-by: Steve Beattie <steve@nxnw.org>
Also update test-capability.py - it contains a test that needs
'error_code': 0,
added to avoid a failure.
Patch by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Remove the check if the disable directory exists. If it's really
missing, it will be auto-created by create_symlink(), so we
automagically fix things instead of annoying the user with an
error message ;-)
Acked-by: Steve Beattie <steve@nxnw.org> for both trunk and 2.9.
Make sure most tools (for example aa-complain) don't error out if
no logfile can be found. (For obvious reasons, aa-logprof and
aa-genprof will still require a logfile ;-)
This is done by moving code from the global area in aa.py to the new
function set_logfile(), which is called by aa-logprof and aa-genprof.
While on it,
- rename apparmor.filename to apparmor.logfile
- move the error handling for user-specified logfile from aa-genprof
and aa-logprof to aa.py set_logfile()
Note: I'd have prefered to hand over the logfile as parameter to
do_logprof_pass(), but that would break last_audit_entry_time() in
aa-genprof which requires the log filename before do_logprof_pass()
is called.
References: https://bugs.launchpad.net/apparmor/+bug/1423702
Acked-by: Seth Arnold <seth.arnold@canonical.com>
libapparmor _aa_is_blacklisted() - some extensions were missing in the
python code.
Also make the code more readable and add some testcases.
Notes:
- the original code additionally ignored *.swp. I didn't include that -
*.swp looks like vim swap files which are also dot files
- the python code ignores README files, but the C code doesn't
(do we need to add README in the C code?)
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk
Acked-by: Steve Beattie <steve@nxnw.org>
string or if a mode_char is not in MODE_HASH.
Also update the testcase for "asdf42" (which raises AppArmorBug now)
and add a test that simulates MODE_HASH and MODE_MAP_SET getting out
of sync (tests the second part of the if condition).
Acked-by: Steve Beattie <steve@nxnw.org>
Since the Makefile cleanup, the _clean target is only used to delete
manpages etc. generated from *.pod files.
This patch renames the _clean target to pod_clean to make it obvious
what it does.
Acked-by: John Johansen <john.johansen@canonical.com>
- drop the symlink magic of the common/ directory, and just include
files directly from there.
- update comments indicating required steps to take when including
common/Make.rules
- drop make clean steps that refer to no longer generated tarballs,
specfiles, and symlinks to the common directory/Make.rules.
- don't silence clean steps if VERBOSE is set
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian "Ghostbuster" Boltz <apparmor@cboltz.de>
https://bugs.launchpad.net/apparmor/+bug/1399027
Also move some existing tests from aa_test.py to test-logparser.py and
adds checks for RE_LOG_v2_6_audit and RE_LOG_v2_6_syslog to them.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
Split is_covered() in capability.py into
- is_covered_localparts() for rule-specific code
- is_covered() for common code - located in __init__.py
The object type comparison now uses type(self) and a slightly different
error message to make it usable everywhere.
Also rename rule_obj to other_rule which is more self-explaining
(inspired by the parameter name in the is_covered() dummy in __init__.py).
v2:
- remove check_allow_deny and check_audit parameters from
is_covered_localvars()
Acked-by: Steve Beattie <steve@nxnw.org>
If one of the testcases fail, this goes unnoticed in "make coverage".
This patch changes the Makefile so that test failures let
"make coverage" fail.
You can use make COVERAGE_IGNORE_FAILURES=true coverage to build
coverage data even if some tests fail.
Signed-off-by: Steve Beattie <steve@nxnw.org>
(which was most probably meant as an Acked-by)
Also Acked-by: <timeout> ;-)
For reasons that are unclear, python's setuptools doesn't install
recursively from a directory, meaning that on make install, the new
Rules/Ruleset classes were not being installed. This patch causes
the rule subdirectory to be included.
Bug: https://bugs.launchpad.net/bugs/1407437
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
adds some tests for severity.py and improves the test coverage to
nearly 100% (only 3 partial left).
Added tests and details (all in SeverityVarsTest):
- move writing the tunables file from setUp() into _init_tunables() for
more flexibility (allows to specify other file content)
- test adding to a variable (+=)
- test #include
- make sure double definition of a variable fails
- make sure redefinition of non-existing variable fails
BTW: even the comment added to VARIABLE_DEFINITIONS contributes to
the coverage ;-)
severity.py passes all added tests, however I should note that including
a non-existing file is silently ignored.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
This patch hides raw_rule within the BaseRule class by making parse() be
a class method for all the rule types, implemented via a rule-specific
abstract method _parse() that returns a parsed Rule object.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch integrated the new capability rule class into aa.py and
cleanprof.py.
Patch changes:
v6:
- fix logic around same_file in cleanprofile.py that was causing
capabilities to be deleted when they weren't covered by an
abstraction.
v5:
- merge my changes into Christian's original patches
- use CapabilityRule.parse() for parsing raw capability rules and
getting a CapabilityRule instance back
- cope with move of parse_modifiers back into rule/__init__.py.
Originally-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Patch changes:
v5:
- merge my changes into Christian's original patches
- update to use CapabilityRule.parse() as the entry point for
parsing raw rules and getting a CapabilityRule instance in
return.
Originally-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adds four classes - two "base" classes and two specific for
capabilities:
utils/apparmor/rule/__init__.py:
class base_rule(object):
Base class to handle and store a single rule
class base_rules(object):
Base class to handle and store a collection of rules
utils/apparmor/rule/capability.py:
class capability_rule(base_rule):
Class to handle and store a single capability rule
class capability_rules(base_rules):
Class to handle and store a collection of capability rules
Changes:
v5:
- flattened my changes into Christian's patches
- pull parse_modifiers into rule/__init__.py
- pull parse_capability into rule/capability.py
- make CapabiltyRule.parse() be the class/static method for parsing
raw capability rules.
- parse_capability: renamed inlinecomment and rawrule to comment
and raw_rule to be consistent with CapabilityRule fields.
Originally-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
When using recursive_print for debugging, RawRules objects weren't
reporting detailed information. This patch fixes that, as well as fixing
some indenting issues in the output.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Those *.spec{,.in} files were not updated for years (last change
2006/2007) and don't fit the current "one tarball for everything" model.
Acked-by: Steve Beattie <steve@nxnw.org>
LOG_MODE_RE (used in validate_log_mode() in aamode.py) just checked if
the given parameter contains one of the possible matches. This resulted
in "invalid" being a valid log mode (from audit.log requested_mask or
denied_mask) because it contains 'a', which is a valid file mode.
This patch wraps the regex into ^(...)+$ to make sure the full
string contains only allowed file modes.
The patch also adds some tests for validate_log_mode().
Acked-by: Steve Beattie <steve@nxnw.org>
aa.py uses profile_data[profile][hat]['change_profile'] at various
places. However, there are also two places that use 'changes_profile'
(note the additional 's'), which should also be 'change_profile'.
Acked-by: Steve Beattie <steve@nxnw.org>
This patch converts a ValueError raised when parsing of a permission
mode fails into an AppArmorBug with better diagnostic information, and
adds a test case to confirm that the exception is raised.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Also change check_for_apparmor() to allow easier testing by optionally
specifying alternative locations for /proc/filesystems and /proc/mounts
as parameter.
Note that the code in check_for_apparmor() differs from what the comment
says - valid_path() only does syntax checks, but doesn't check if the
directory exists. I added a comment saying exactly that.
Acked-by: Steve Beattie <steve@nxnw.org>
- replace MODE_MAP_RE regex with MODE_MAP_SET set
- change sub_str_to_mode() to use MODE_MAP_SET set instead of MODE_MAP_RE
- change split_log_mode to use split() instead of a regex
Patch by Peter Maloney <peter.maloney@brockmann-consult.de>
Acked-by: Christian Boltz <apparmor@cboltz.de>
split_log_mode() change also
Acked-by: Seth Arnold <seth.arnold@canonical.com>
performance improvement
Patch by Peter Maloney <peter.maloney@brockmann-consult.de>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(previous patch version (with minor difference) also
Acked-by: Seth Arnold <seth.arnold@canonical.com>)
interpreters, it used
aa[profile][hat]['path'][interpreter_path]['mode']
instead of
aa[profile][hat]['allow']['path'][interpreter_path]['mode']
The ['allow'] part was missing.
Acked-by: Steve Beattie <steve@nxnw.org>
This patch pulls out all the common processing for writing out
each of the prior segments that need to be written before writing
the current segment into a function called 'write_prior_segments',
reducing a bunch of ugly duplication.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The assignment for setting segments['include'] = True was wrong,
it occured inside the 'if not segments['include'] and True in
segments.values():' block, whereas it needed to always get set outside
of that if test.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch
- fixes a check that used if "aa[profile][hat][incname]:" instead of
"if aa[profile][hat]['include'].get(incname, False):" ("['include']"
was missing) which means the performance shortcut was never hit
- avoids auto-created empty and superfluous hashers in
aa[profile][hat]['allow']['path'] and
include[incfile][incfile][allow]['path']
- adds the filename to the "Can't find system log" exception
Patch by Peter Maloney <peter.maloney@brockmann-consult.de>
Changes compared to the original patch:
- change back quoting in the exception message to '...'
Acked-By: Christian Boltz <apparmor@cboltz.de>
present as a function (which it is not in Python3, even though it was
under an if else python version check).
The following patch:
- checks the __builtins__ module for existence of raw_input and sets
it up for Python3
Acked-by: Steve Beattie <steve@nxnw.org>
