write_pair() ignored the 'tail' parameter, which resulted in writing
invalid alias rules (without the trailing comma).
Also add an alias to test/cleanprof.* to ensure it doesn't break again.
Change aa.py to use FileRule and FileRuleset for parsing and saving
profiles.
In detail, this means:
- add 'file' to the list of rule classes to enable it at various places
- store file rules in aa[profile][hat]['file'] (not 'path' as before)
to be consistent with the FileRule name
- drop the no longer needed delete_path_duplicates() - this is now
handled by FileRuleset like in all other rule classes.
(same change in cleanprofile.py)
- replace usage of RE_PROFILE_BARE_FILE_ENTRY and RE_PROFILE_PATH_ENTRY
with FileRule.match()
- drop write_path_rules() and write_paths() and replace them with the
new write_file() function.
- adjust several code sections to use write_file() and 'file' instead of
'path'
FileRule doesn't drop optional keywords ('allow' and 'file'), therefore
adjust cleanprof_test.out to the changed behaviour. (If someone insists
on dropping optional keywords in aa-cleanprof, that's something for a
future patch.)
Also adjust the list of known failures in test-parser-simple-tests.py -
switching to FileRule avoids several test failures (and introduces a few
new ones ;-)
IMPORTANT:
This patch introduces a "brain split" which means
- parsing and writing the profile and aa-cleanprof use the new location
(aa[profile][hat]['file'])
- aa-logprof and aa-genprof still save data to the old location
(aa[profile][hat]['allow']['path']) and probably ask superfluous
questions because there are no rules existing in the old location
TL;DR: don't try aa-logprof or aa-genprof with only this patch applied.
I know this isn't ideal, but still better than an even bigger and
totally unreadable patch ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
By calling self.delete() inside the delete_duplicates() loop, the
self.rules list was modified. This resulted in some rules not being
checked and therefore (some, not all) superfluous rules not being
removed.
This patch switches to a temporary variable to loop over, and rebuilds
self.rules with the rules that are not superfluous.
This also fixes some strange issues already marked with a "Huh?" comment
in the tests.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule,
therefore the cleanprof_test.out change doesn't make sense for 2.10.
"Everywhere" means aa-mergeprof and aa-cleanprof. In theory also
aa-logprof, but that needs some code that parses dbus log events ;-)
Also add some dbus rules to the aa-cleanprof test profiles to ensure
superfluous dbus rules get deleted.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
To ensure aa-cleanprof works as expected (and writing the rules works
as expected), add some rules for every rule class to the cleanprof.in
and cleanprof.out test profiles.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
r2637 added support for parsing unix rules, but forgot to add write
support. The result was that a profile lost its unix rules when it was
saved.
This patch adds the write_unix_rules() and write_unix() functions (based
on the write_pivot_root() and write_pivot_root_rules() functions) and
makes sure they get called at the right place.
The cleanprof testcase gets an unix rule added to ensure it's not
deleted when writing the profile. (Note that minitools_test.py is not
part of the default "make check", however I always run it.)
References: https://bugs.launchpad.net/apparmor/+bug/1522938https://bugzilla.opensuse.org/show_bug.cgi?id=954104
Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
Change hat declarations ("^hat,") are no longer supported (see previous
patch for details). Therefore remove support for writing them.
This also means to completely remove the 'declared' flag, which was only
needed for hat declarations, and was (after the previous patch) always
set to False.
Also add a hat to the cleanprof_test.{in,out} test profile to make sure
aa-cleanprof doesn't break hats, and a hat declaration with the same
name to make sure it gets removed and doesn't break the "real" hat.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
logprof/genprof and related utilities in python. Because the branch that
was worked on was not based on the apparmor tree, not all of the history
can be maintained for files that are not newly created or entirely
rewritten in the branch.
(This merge also includes a subsequent commit to the branch
I was merging from which includes my missed bzr add of
utils/apparmor/translations.py)
