This commit renames the unit test script for the severity db so that it
will be included in the 'make check' and 'make coverage*' targets.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch fixes Severity.__init__() when it is not given an argument to
raise an AppArmor exception rather than returning a Severity object in
an incompletely initialized state. It also adjusts a test case covering
this situation.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch is a re-work of the severity_test.py tests, to break them
up into individual unit tests, and to add coverage for detecting
an invalid severity database (it does reduce the coverage for walking
profiles to find variable declarations, but that should be pulled out of
the severity handling code anyway).
Note that the last test case will fail, because even though the code
path in Severity.__init__() looks like it will return None if no path
is given, a Severity object in a half-state of initialization will
actually be returned.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
for r2769, which only checked for "exists")
Also allow everything except directories as logfile argument in
aa-genprof.
Acked-by: Steve Beattie <steve@nxnw.org>
This patch adds support for generating test coverage information for the
python utils.
To view a text based report, in the test subdirectory do:
make coverage-report
To generate detailed html reports, do:
make coverage-html
And then point your web browser at
$(YOUR_CURRENT_WORKING_TREE)/utils/test/htmlcov/index.html .
An alternate output location can be specified by setting the
COVERAGE_OUT variable, e.g.
make coverage-html COVERAGE_OUT=/tmp/coverage/
(the output directory does not need to exist beforehand.)
To generate only the coverage data, do:
make coverage
or
make .coverage
(The coverage data generated by python is stored in the .coverage
file.) This essentially runs make check, using a single python
interpreter, and records which lines and branches of the python code
were exercised.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: John Johansen <john.johansen@canonical.com>
From: Peter Maloney <peter.maloney@brockmann-consult.de>
This patch allows the common idiom 'aa-logprof -f <(SOME COMMAND)' to
work,
Acked-by: Steve Beattie <steve@nxnw.org>
This patch moves the declaration of phony and quieted make targets
to a single section, to avoid repeated lines. It's not so useful
for just two targets, but future patches will add more targets with
similar attributes.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Both valgrind and strace report the parser doing
close(-1) = -1 EBADF (Bad file descriptor)
This happens the skip kernel load argument is specified in combination
with any of --add, --replace, or --remove arguments (the default
is --add if no other option is specified).
This happens when the parser is not processing profiles but not
writing them out (eg. no kernel load, dump to stdout, file ...)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
netrules_access_check() in aa.py checks if
type(netrules['rule'][family]) == dict
however this check always returns false (at least with py3, I didn't
test with py2).
This broken type check is the reason for
https://bugs.launchpad.net/apparmor/+bug/1380368
aa-logprof doesn't propose abstractions for network rules
and
https://bugs.launchpad.net/apparmor/+bug/1380367
aa-logprof asks for already existing network rules
which are both fixed with this patch.
The type check is needed because netrules['rule'][family] can be
boolean True (for rules like "network inet,") - see line 2994.
The sock_type in .... .keys() check is there to ensure the hasher doesn't
automagically add an empty sub-dict, which caused the regression in the
first version of my patch.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
match_net_includes() in aa.py gets "nettype" as parameter, but then uses
"type" when calling valid_include(). "type" is a global variable, but not
what we want to use here ;-)
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Update the apparmor_parser documentation for the new ability to load
profiles from a specified directory.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1366572
In the move of the apparmor.vim manpage source from the parser
directory to utils/vim/, the creation of the html version of the
manpage was lost. This patch fixes that, as well as fixes the vim
Makefile to use the common/Make.rules _clean target (which clears the
pod2htm*.tmp files created by pod2html as well).
It also fixes a bug in common/Make.rules where the _clean target
would report an error when used in a directory where the Makefile
doesn't set the NAME variable, such as utils/vim/.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
- change --help for files - "Profile(s) to merge" instead of "base profile"
- display the profile to save when asking to save it
- disable searching for existing network rules in abstractions because
it crashes. This doesn't hurt too much, see
https://bugs.launchpad.net/apparmor/+bug/1382241
Acked-by: Steve Beattie <steve@nxnw.org>
- remove some debug output (which Kshitij intentionally kept in the
draft patch)
- add a UI_Info to display which profile will be merged
- disable the mergeprofiles.clear_common() call because it crashes
(https://bugs.launchpad.net/apparmor/+bug/1382236)
- disable (M)ore (CMD_OTHER) because it crashes
- make (F)inish work everywhere
- change the help text so that it doesn't mention 3-way-merge until we
implement it
The python utils didn't know about the hat keyword, for example
hat foo {
This patch changes RE_PROFILE_HAT_DEF to add support for the hat keyword.
Note that this patch only changes profile reading - when saving a
profile, the ^foo syntax will always be used.
While on it, also convert the regex to named matches - the result
numbering changed anyway ;-)
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
This is the rebased version of the patch by
Kshitij Gupta <kgupta8592@gmail.com>
(mostly) original patch description:
Changes to facilitate 2-way merge (maybe also 3-way) of multiple
profiles as discussed on IRC
This patch
- moves reset method to reset_aa function
- modifies message displayed to user
- allows processing of multiple files in 2-way merge
- disables 3-way merge till new syntax has been decided
The changes reflect the approach of providing arbitrary number of
files using wildcards or explicitly.
The changes map the profiles in the given files to their respective
files in the local directory specified using -d. Then the merges take
place profile-wise.
Acked-by: Steve Beattie <steve@nxnw.org>.
When adding inet rules in aa-logprof, it crashes with
IndexError: list index out of range
The reason is that it doesn't display the options if only the raw rule
is available (aka "no abstraction").
This patch checks if options[] is set and otherwise sets selection to
the raw rule.
Acked-by: Steve Beattie <steve@nxnw.org>
After several hours of debugging on IRC and flooding paste.opensuse.org ;-)
I finally found the reason - reading(!) from log_dict with a wrong
key caused the creation of that strange mode in log_dict.keys().
While finding that bug was very hard, the fix is easy - just replace
"profile" with "aamode". (That probably makes one char per hour of
debugging...)
To improve that ratio, also add a warning to common.py so that this
interesting[tm] behaviour of hasher() is at least documented.
Acked-by: Steve Beattie <steve@nxnw.org>
...
File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 147, in handle_variable_rank
variable = regex_variable.search(resource).groups()[0]
AttributeError: 'NoneType' object has no attribute 'groups'
handle_variable_rank() checked with if '@' in resource:
and if it finds it, expects it can match a variable, which means @{.....}
If a filename contains a @ this fails.
The patch fixes the if condition so that it does a regex match.
It also adds two testcases for filenames containing @ to make sure they
don't cause a crash and result in the exptected severity rank.
Acked-by: Steve Beattie <steve@nxnw.org>
aa-cleanprof (and others?) duplicate quotes in file rules.
If a profile contains
"/bin/foo bar" mrix,
and I run aa-cleanprof on it several times, I end up with
""""""/bin/foo bar"""""" mrix,
This patch calls strip_quotes on the pathname.
(If needed, the quotes are re-added when writing the profile - tested
with aa-cleanprof.)
References: https://bugs.launchpad.net/apparmor/+bug/1328707
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
This patch changes open_file_read() and open_file_write() to use
errors='surrogateescape' (with fallback to 'replace' for py2).
This avoids a crash when reading a logfile with special characters that
are not utf8-encoded (for example a latin1 "ö"), and also avoids crashes
at several other places we don't know yet ;-)
The patch also changes open_file_read() and open_file_write() to wrapper
functions, and moves the "real" code to the new open_file_anymode()
function.
Also, I removed the try/except - it's superfluous because it throws the
exception without any modifications.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
This patch reverts commit 2131 which added support for the newer apache
2.4 ap_hook_check_access_ex() api, based on a report from Christian that
it broke apache's simple authentication.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
With the two recent unix socket test patches to mark dgram tests as
failing but expected to pass, I realized that there's no indication
in the output that there are current expected failures (except for
the single corefile test expected failure)[0]. This patch attempts to
remedy that by emitting the x-type plus the test description for each
test that is marked as such. I've set it to always emit these results.
[0] The test infrastructure does give an alert if there is a test that
has been marked xpass or xfail but has started behaving correctly.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
It's not been tracked down in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373172 why
this is happening, but the current unnamed unix socket dgram tests
are failing when only the server is confined, and the peer label is
given as only the confining profile (the stream and seqpacket dgram
tests/permissions don't seem to trigger this revalidation rejection).
Until this bug is diagnosed and addressed, mark these tests as failing
but expected to pass (i.e. 'xpass').
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
With the addition of the unix socket mediation and
corresponding tests, there are currently two tests that fail
in unix_socket_pathname.sh. These have been recorded as bugs
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373174 and
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373176 but John
has not had time to investigate if these are legitimate bugs. The
following patch marks the tests as expecting to pass but currently
failing.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Currently the apparmor parser warns about rules that are not enforced or
downgraded. This is a problem for distros that are not carrying the out of
tree kernel patches, as most profile loads result in warnings.
Change the behavior to not output a message unless a warn flag is passed.
This patch adds 2 different warn flags
--warn rule-downgraded # warn if a rule is downgraded
--warn rule-not-enforced # warn if a rule is not enforced at all
If the warnings are desired by default the flags can be set in the
parser.conf file.
v2 of patch
- update man page
- add --warn to usage statement
- make --quiet clear warn flags
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
