match groups.
Also split out RE_OWNER that matches the "owner" keyword.
To make the code easier to understand, I dropped the existing audit
variable and instead directly query the "new" audit variable while
filling path_rule['audit'].
Acked-by: Steve Beattie <steve@nxnw.org>
The following patch:
- creates a class for prompt questions moving away from Perl hash hack
for the purpose.
- moves some functions to the methods for that class
- fix options being incorrectly passed to questionPrompt in aa-mergeprof
Acked-by: Christian Boltz <apparmor@cboltz.de>
utils/test/runtests-py*.sh always exits with $? = 1 even if there is no
error. This is caused by the last executed command, test -n
This patch changes it to test -z so that we'll get $? = 0 if all tests
succeed.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(capability is one of the easiest rule types, so it's good as a start.)
The patch also adds basic support for rules containing more than one
capability, like
capability chown dac_override,
Note that this is just a pass-through mode (instead of complaining about
an invalid line). aa-logprof will happily add another "capability chown"
if it hits a log entry for it. (But: we never got a bugreport about not
supporting multi-capability lines, so I guess they are rarely used ;-)
I also added a parse_audit_allow() function to handle the audit and
allow/deny keywords. They are used in most rule types, which means we
can get rid of some duplicated code with this function.
Finally, update utils/test/test-regex_matches.py - RE_PROFILE_CAP now
has 5 instead of 4 match groups because of the added multi-capability
support.
While on it, I also improved the error message in setup_regex_tests()
to also show the rule that causes a problem.
Acked-by: Steve Beattie <steve@nxnw.org>
Two weeks ago, I fixed various tests in minitools_test.py which also
included disabling the test if aa-complain deletes the force-complain
symlink because nothing (especially aa-complain) creates those symlinks.
Seth didn't like the removal of that test too much. Therefore this patch
"manually" creates the force-complain symlink and tests that it's removed
by aa-enforce.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
out common parts (like audit and deny flags or the typical end of the
line (comma and comment).
The patch also introduces the named match groups <audit>, <allow> and
<comment> which we can start to use whenever we want. The group
numbering is kept unchanged, so we can migrate one regex / rule type
after the other to named groups (not only audit, allow and comments, but
changing all regexes will be another patch ;-)
As a side effect, fix RE_PROFILE_CHANGE_PROFILE, RE_PROFILE_ALIAS and
RE_PROFILE_RLIMIT which did not allow ", #" (comma, space, comment) at
the end of the line.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
both real [0] and hypothetical (e.g. gui prototypes), as part of
the python utils merge, some namespace packaging bits were added
to apparmor/__init__.py, based on the (not very clear) advice given
in python's pep 0420 [1]. However, a side effect of this is that it
causes system installed versions of python modules to be used over
paths specified via PYTHONPATH [2], which breaks our in-tree tests
when the system versions of the python modules are out of date with
respect to the in-tree version.
It seems based on testing, however, that carrying this code snippet
is no longer necessary to have external modules be found. Thus,
the following patch drops it.
[0] e.g. https://launchpad.net/click-apparmor
[1] http://www.python.org/dev/peps/pep-0420/
[2] a python upstream discussion about this occurred at
https://mail.python.org/pipermail/distutils-sig/2014-March/024049.html
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adds a 'check_pod_files' make target to the common make
rules, and then fixes the errors it highlighted as well as most of
the warnings. It will cause 'make check' in most of the directories to
fail if there are errors in a pod file (but not if there are warnings).
Common issues were:
- using an '=over/=back' pair for code-like snippets that did not
contain any =items therein; the =over keyword is intended for
indenting lists of =item entries, and generates a warning if
there isn't any.
- not escaping '<' or '>'
- blank lines that contained spaces or tabs
The second -warnings flag passed to podchecker is to add additional
warnings, un-escaped '<' and '>' being of them.
I did not fix all of the warnings in apparmor.d.pod, as I have not come
up with a good warning-free way to express the BNF of the language
similar in format to what is currently generated. The existing
libapparmor warnings (complaints about duplicate =item definition
names) are actually a result of passing the second -warnings flag.
The integration into libapparmor is suboptimal due to automake's
expectation that there will be a test driver program(s) for make check
targets; that's why I added the podchecker call to the manpage
generation point.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
---
changehat/mod_apparmor/Makefile | 3
changehat/mod_apparmor/mod_apparmor.pod | 28 ++-
common/Make.rules | 4
libraries/libapparmor/doc/Makefile.am | 7
parser/Makefile | 2
parser/apparmor.d.pod | 275
+++++++++++++-------------------
utils/Makefile | 3
utils/aa-cleanprof.pod | 2
utils/aa-complain.pod | 2
utils/aa-decode.pod | 2
utils/aa-easyprof.pod | 69 +++-----
utils/aa-enforce.pod | 2
utils/aa-genprof.pod | 2
utils/aa-logprof.pod | 6
utils/aa-sandbox.pod | 64 ++-----
utils/logprof.conf.pod | 2
utils/vim/Makefile | 2
17 files changed, 212 insertions(+), 263 deletions(-)
This patch:
- replaces unnamed arguments with named arguments wherever more than 1
one arguments ware present in a message
- minor fix in aa-unconfined for pname argument in 2 strings
- updated pot files (as a side-effect of testing with make)
Acked-by: Christian Boltz <apparmor@cboltz.de>
A side effect of not including utils/apparmor/*.py in the .pot file was
that some translations were lost. This patch includes backported (or
forward-ported?) translations from r2186. It's not a simple merge, I
reviewed everything I merged and changed it if necessary.
I also removed the outdated
"Language-Team: Novell Language <language@novell.com>\n"
Acked-by: Seth Arnold <seth.arnold@canonical.com>
In the conversion from perl to python, it got overlooked to add the
python-apparmor modules to the set of things to search for translatable
strings in. This patch addresses the issue.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Convert the signal parse tests to use common AAParseTest super class in
common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Convert the ptrace parse tests to use common AAParseTest super class
in common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Convert the pivotroot parse tests to use common AAParseTest super
class in common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Convert the mount parse tests to use common AAParseTest super class in
common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Convert the DBUS parse tests to use common AAParseTest super class in
common_test.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch abstracts out parse tests into a super class to inherit from
and converts the af_unix parse tests to use the super class.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The patch that adds support for af_unix rules added a _Raw_Rule base
class to inherit from in rules.py. This patch converts the rest of the
raw rules classes to use the same.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch moves the assignment of the regex function into the unittest
setUp() function rather than at script load time. If for some reason
the python utils library does not define the relevant function, without
this patch the script fails entirely; with it, each individual test
class that depends on the missing regex will fail each test case.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adds limited support for af_unix rules in the python
utilities, of the "don't touch them, but don't throw a python backtrace
when coming across them, either" variety. Testcases are added as well.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
add a add_to_options() helper function to aa.py which
- adds newpath to options if it's not already there
- returns the updated options and the index of newpath
This removes duplicated code for CMD_GLOB and CMD_GLOBEXT in
ask_the_question()
It also adds duplicate prevention to CMD_NEW.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
When reaching EOF while still in a profile (syntax-wise), there are two
possible reasons:
- missing "}"
- missing "," in the last rule (which means that, thanks to multiline
rule handling, the "}" is considered to be part of the last rule)
This patch improves the error message in aa.py to cover a missing ","
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
but should look for '//null-' instead.
Also remove some code duplication by merging with the next condition,
which executes the same self.add_to_tree code.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 126, in check_for_LD_XXX
for line in f_in:
[...]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xf8 in position 40: ordinal not in range(128)
While on it, also replace usage of the "found" variable by "return"
statements, which should bring a small performance improvement - if we
have a match, it's superfluous to continue searching.
The patch also adds me to the copyright header ;-)
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
