The TODO in write_rules() was long solved - remove the safety net type
check, it's no longer needed.
Without this, the function becomes a simple .get_rules_clean() call
which can easily be inlined into write_piece() at the two places where
it's called.
Replace usage of filelist[file_name]['profiles'] with the `active_profiles` ProfileList which already has the same data.
Add `profiles_in_file()` to ProfileList as a nice interface to get the list of profiles in a file.
For more details, check the individual commits.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/523
Acked-by: John Johansen <john.johansen>
... but not for abi rules, which (according to the simple_tests
profiles) do not share these bugs
For unquoted paths, make sure that the path doesn't include whitespace.
Make the error and warning message tests a first class test script; in
gitlab CI, failures would not necessarily result in output being
captured.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/522
Don't commingle stderr and stdout by default, and provide a
function that provides the exit value, stderr, and stdout as a
tuple. Also, expect UTF-8 output by default from the commands (with
universal_newlines), rather than bytes.
(Nifty commands like subprocess.run() weren't added to python until
python 3.5.)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/522
... because after the previous three commits, nothing reads/needs this
anymore
Note: file_name in ask_exec() was only used in the (dropped) filelist
usage.
Instead of checking filelist[file]['profiles'] for duplicate hats, check
profile_data[profile][hat].
With this, the duplicate hat check is done in the same way as the check
for duplicate profiles and child profiles.
Also add tests for duplicate child profiles and duplicate hats.
Using a list as parameter for subprocess.call is more secure, and avoids
funny problems if the filename to display contains spaces or other funny
characters.
Fix signed/unsigned comparison warnings, and silence unused parameter
warnings due to the "cleverness" of the function pointer array and
wanting to print out the command as invoked in the usage statement.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://gitlab.com/apparmor/apparmor/-/merge_requests/517
Separate out the aa-status json version info from being a magic
element embedded in a string in the middle of the json emitter, and move
it to an early location, along with a comment to edit it when the format
changes.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://gitlab.com/apparmor/apparmor/-/merge_requests/517
Fix showing the local inactive profile in json mode
See merge request apparmor/apparmor!514
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
When aa-genprof proposes a local inactive profile, it had a hardcoded
call to 'less' to display that profile.
Unsurprisingly, this doesn't work in JSON mode and breaks YaST (luckily
it's only a case of "the button doesn't work").
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1171315
... which can mean "too late" in some special cases (if a profile
already exists in /etc/apparmor.d/$non_default_filename).
However, the main reason is that without this change
- the new profile will be added to (otherwise empty) active_profiles
- the first do_logprof_pass() will read all profiles, including the new
one, and add them to active_profiles - which unsurprisingly results in
an error like `ERROR: Profile /usr/sbin/vsftpd exists in
/etc/apparmor.d/usr.sbin.vsftpd and /etc/apparmor.d/usr.sbin.vsftpd`
To fix this,
- change do_logprof_pass to never call read_profiles() (and get rid of
the 'passno' parameter)
- adjust its callers (aa-logprof and aa-genprof) to call read_profiles()
themselves
- move printing the 'Updating AppArmor profiles in $directory.' message
to read_profiles(), but only display it if requested (to keep the
current UI behaviour)
Since 4b7108f1e5, aa-genprof and
aa-autodep crashed with
apparmor.common.AppArmorBug: /etc/apparmor.d/usr.sbin.vsftpd not listed in ProfileList files
because the profile was not added to active_profiles.
Add the profile to active_profiles to fix this regression, and to have
all the needed data in active_profiles.
There are no bashisms in the minimize.sh test script, so convert to
using /bin/sh
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/issues/18