The check-logprof test in the profiles Makefile specifies
the configuration directory as --configdir ../utils/test,
but when aa-logprof looks for severity.db in the configdir,
it cannot find it.
This fix points the configdir to utils. Note that the
logprof.conf on utils uses the configuration for files
created during the libapparmor installation on the system.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/177
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
All the calling code (directly or indirectly) uses write_flags=True,
therefore drop the parameter to simplify the code.
See the individual commits for details. Also, reviewing the individual commits is probably easier than reviewing the full diff (especially the test changes).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/759
Acked-by: John Johansen <john@jjmx.net>
Drop unused write_flags parameter from AaTest_get_header and
AaTest_get_header_01. This is a cleanup for the previous commit.
While on it, add xattrs parameter to AaTest_get_header, and add two
tests with non-empty xattrs.
All the calling code (directly or indirectly) uses write_flags=True,
therefore drop the parameter to simplify the code.
A few tests called get_header() with write_flags=False. Adjust or drop
those tests.
Note: to keep the diff readable, the test changes are as small as
possible. The next commit will cleanup the now-superfluous write_flags
values in the tests.
... instead of "manually" creating a ProfileStorage object
Also preserve profile keyword and comment in ProfileStorage.parse()
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/758
Acked-by: John Johansen <john@jjmx.net>
.. instead of preserving the original leading whitespace.
This change affects the behaviour of aa-complain, aa-enforce and aa-audit.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/757
Acked-by: John Johansen <john@jjmx.net>
... and into parse_profile_start_line() (which is used by
ProfileStorage.parse()).
With this change, the section handling RE_PROFILE_HAT_DEF in
parse_profile_data() becomes superfluous.
A nice side effect is that two simple_tests parse failures get
accidently ;-) fixed.
Also preserve 'hat' keyword in ProfileStorage instead of always writing hats as '^hat'.
When writing a profile, prepending '^' or 'hat' to a hat name moves from
aa.py write_piece() to ProfileStorage.get_header().
Finally, extend cleanprof_test.* with 'hat bar {...}'.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/756
Acked-by: John Johansen <john@jjmx.net>
... instead of always writing hats as '^hat'.
When writing a profile, prepending '^' or 'hat' to a hat name moves from
aa.py write_piece() to ProfileStorage.get_header().
Also extend cleanprof_test.* with 'hat bar {...}'.
... and into parse_profile_start_line() (which is used by
ProfileStorage.parse()).
With this change, the section handling RE_PROFILE_HAT_DEF in
parse_profile_data() becomes superfluous.
A nice side effect is that two simple_tests parse failures get
accidently ;-) fixed.
The 'profile' flag means "this profile is a profile or a child profile, but not a hat". Since that's true for most cases, rename the flag to 'is_hat'.
Note that `'profile' == True` translates to `'is_hat' == False`
Also adjust all code to switch from 'profile' to 'is_hat'.
Further down the commit list,
* move parse_profile_start{,_to_storage}() into ProfileStorage
* merge parse_profile_start() into parse()
* add some missing tests
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/754
Acked-by: John Johansen <john@jjmx.net>
... and add some tests for other error conditions that don't imply
nested childs, so that the intended failure gets tested.
(This is probably a leftover of the `hat == profile` -> `hat = None`
(while not in a hat/child profile) change.)
... and make them class functions of ProfileStorage.
parse_profile_start_to_storage() gets renamed to parse().
Also move the tests for parse_profile_start() and
parse_profile_start_to_storage() to test-profile-storage.py.
The 'profile' flag means "this profile is a profile or a child profile,
but not a hat". Since that's true for most cases, rename the flag to
'is_hat'.
Note that `'profile' == True` translates to `'is_hat' == False`
Also adjust all code to switch from 'profile' to 'is_hat'.
This value is True if we are in a child profile (not: hat), but that's information we get "for free", so there's no need to hand it around. Besides that, it was wrongly set to False for main profiles (which are not hats).
Remove the pps_set_profile return value from parse_profile_start(), and always assume True unless we were parsing a hat. For completeness, explicitely set it to False when parsing a hat.
To make sure child profiles and hats don't get mixed up, add a child profile to cleanprof_test.{in,out}.
test-libapparmor-test_multi.py always interpreted foo//bar as being a hat, therefore explicitely mark them as such. (Technically not really needed since this is the default, but it helps to make things clear.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/751
Acked-by: John Johansen <john@jjmx.net>
This value is True if we are in a child profile (not: hat), but that's
information we get "for free", so there's no need to hand it around.
Besides that, it was wrongly set to False for main profiles (which are
not hats).
Remove the pps_set_profile return value from parse_profile_start(), and
always assume True unless we were parsing a hat. For completeness,
explicitely set it to False when parsing a hat.
To make sure child profiles and hats don't get mixed up, add a child
profile to cleanprof_test.{in,out}.
test-libapparmor-test_multi.py always interpreted foo//bar as being
a hat, therefore explicitely mark them as such. (Technically not really
needed since this is the default, but it helps to make things clear.)
The name var is being improperly used in a warning. Not only is
it being used after it is freed, it also never had the correct value
as the "name" variable contained the value being used as the base
attachment.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: time out
Profile includes can be setup to loop and expand in a pathalogical manner that causes build failures. Fix this by caching which includes have already been seen in a given profile context.
In addition this can speed up some profile compiles, that end up re-including common abstractions. By not only deduping the files being included but skipping the need to reprocess and dedup the rules within the include.
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1184779
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/743
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Profile includes can be setup to loop and expand in a pathalogical
manner that causes build failures. Fix this by caching which includes
have already been seen in a given profile context.
In addition this can speed up some profile compiles, that end up
re-including common abstractions. By not only deduping the files
being included but skipping the need to reprocess and dedup the
rules within the include.
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1184779
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/743
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Change the tools to use merged profile names (`var['foo//bar']`) instead of the profile/hat layout (`var[profile][hat]`) in many places. Also storage gets moved to ProfileList instead of using a hasher.
Already changed places (in this MR) are parsing profiles, writing profiles, handling and storing of extra profiles, log handling and asking the user about profile additions.
Remaining usage of the `var[profile][hat]` layout are the `aa` and `original_aa` hashers, they'll be replaced in a separate MR.
See the individual commits for details. I'd also recommend to do the review on the individual commits, because the big diff is probably unreadable ;-)
While this is a big chain of changes, each commit contains working code, converting between the two storage layouts with `split_to_merged()` and `merged_to_split()` as needed, with merged layout "bubbling up" in more and more functions.
The long-term goal of these changes is to enable support for nested child profiles in the tools, but - one step after the other ;-)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/736
Acked-by: John Johansen <john.johansen@canonical.com>
The function decides on the filename of a profile, therefore use 'filename' as variable name instead of the somewhat confusing 'profile' and 'full_profilename'.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/749
Acked-by: John Johansen <john.johansen@canonical.com>
I propose this addition for master and 3.0 (to keep the file in sync, and because most additions \[except `utils/test/coverage-report.txt`\] already make sense in 3.0)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/748
Acked-by: John Johansen <john.johansen@canonical.com>
The function decides on the filename of a profile, therefore use
'filename' as variable name instead of the somewhat confusing 'profile'
and 'full_profilename'.
If an include file includes itsself (for example if local/foo has '#include <local/foo>'), print a warning instead of calling load_include() again and again.
This fixes a crash when hitting such a case: RecursionError: maximum recursion depth exceeded while calling a Python object
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1184779 for the tools. The parser will also need a fix.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/742
Acked-by: John Johansen <john.johansen@canonical.com>
When building the parser with DEBUG=1 enabled the build fails with
the following error and warnings
In file included from parser_main.c:47:0:
parser_main.c: In function ‘void auto_tune_parameters()’:
parser_main.c:1421:35: error: ‘estimate_jobs’ was not declared in this scope
PDEBUG("Auto tune: --jobs=%d", estimate_jobs);
^
parser.h:201:37: note: in definition of macro ‘PDEBUG’
fprintf(stderr, "parser: " fmt, ## args); \
^~~~
parser_main.c:1421:35: note: suggested alternative: ‘estimated_jobs’
PDEBUG("Auto tune: --jobs=%d", estimate_jobs);
^
parser.h:201:37: note: in definition of macro ‘PDEBUG’
fprintf(stderr, "parser: " fmt, ## args); \
^~~~
parser.h:201:41: warning: format ‘%d’ expects argument of type ‘int’, but argument 3 has type ‘long int’ [-Wformat=]
fprintf(stderr, "parser: " fmt, ## args); \
^
parser_main.c:1428:5: note: in expansion of macro ‘PDEBUG’
PDEBUG("Auto tune: --jobs=%d", jobs);
^~~~~~
Makefile:234: recipe for target 'parser_main.o' failed
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/745
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
If an include file includes itsself (for example if local/foo has
'#include <local/foo>'), print a warning instead of calling
load_include() again and again.
This fixes a crash when hitting such a case:
RecursionError: maximum recursion depth exceeded while calling a Python object
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1184779 for the tools.
The parser will also need a fix.
if a profile doesn't have an attachment specified and the profile name
starts with '/', set the attachment to the profile name. This allows to
have one add_profile() call instead of two very similar ones.
exit early if profile_data is empty (which means we did read an empty
file). This allows to simplify the if conditions to "if active_profile:"
and "else:".
