- add some debug logging in valid_path()
- fix a py2 incompatibility in DebugLogger.__init__ (OSError vs. IOError)
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
- use the (new) "parts" variable for the line.split result to make the
code less confusing
- change the line.startswith to check for "REPOSITORY:" (note the
added ":") like it was in the code before my previous patch.
- make the check for "NEVERSUBMIT" more exact
- print a warning on invalid REPOSITORY: lines and make sure to keep
them as unmodified line (it might just be a "normal" comment someone
added manually)
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> (on IRC)
This patch
- preserves the complete initial comment
- makes sure whitespace inside the comment is kept (except leading
whitespace - line.trim() is still applied).
- no longer removes the "# vim:syntax" line
Note: I didn't test if handling the "REPOSITORY" line still works (in
theory it should), but without a working repo, I don't care too much ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
apparmor packaging.
These were originally 0030-easyprof-sdk.patch and
0037-easyprof-sdk-pt2.patch. Jamie posted an updated
0030-easyprof-sdk_v2.patch and I squashed both patches into one commit.
Acked-By: Jamie Strandboge <jamie@canonical.com>
logprof/genprof and related utilities in python. Because the branch that
was worked on was not based on the apparmor tree, not all of the history
can be maintained for files that are not newly created or entirely
rewritten in the branch.
(This merge also includes a subsequent commit to the branch
I was merging from which includes my missed bzr add of
utils/apparmor/translations.py)
perl utilities to the deprecated directory; a couple of perl
utilities remain, but they are still useful and do not depend on the
Immunix module (just the LibAppArmor perl module).
logprof.conf contains a list of binaries in the [qualifiers] section
that should for example never have their own profile.
Since some distributions moved lots of files from /bin/ to /usr/bin/
("UsrMove"), this list is outdated.
The patch adds copies of all /bin/ (and /sbin/) lines with /usr
prepended.
Acked-by: John Johansen <john.johansen@canonical.com>
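The transformation the logprof.conf commit above describes, as an added example (not code from the AppArmor tree). The sample config is constructed, and add_usrmove_qualifiers is a hypothetical helper name; it copies /bin/ and /sbin/ entries only inside [qualifiers] and skips any whose /usr counterpart already exists.

```python
import re

# Constructed sample in the logprof.conf style; not the shipped file.
SAMPLE_CONF = """\
[qualifiers]
  # shells should never get their own profile
  /bin/bash = icnu
  /bin/ls = icnu
  /usr/bin/ls = icnu
  /sbin/mount = u
  /usr/bin/less = icn

[other]
  /bin/sshd = PRIVSEP
"""

ENTRY = re.compile(r"^(\s*)(/\S+)(\s*=\s*.*)$")
SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")

def add_usrmove_qualifiers(conf_text):
    """Return (new_text, added_paths): every /bin/ or /sbin/ entry in
    [qualifiers] gets a /usr-prefixed copy unless one already exists."""
    lines = conf_text.splitlines()
    # First pass: collect paths already present in [qualifiers].
    section, present = None, set()
    for line in lines:
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif section == "qualifiers":
            e = ENTRY.match(line)
            if e:
                present.add(e.group(2))
    # Second pass: emit each line, followed by its /usr copy if needed.
    section, out, added = None, [], []
    for line in lines:
        out.append(line)
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        e = ENTRY.match(line) if section == "qualifiers" else None
        if e and e.group(2).startswith(("/bin/", "/sbin/")):
            usr_path = "/usr" + e.group(2)
            if usr_path not in present:
                out.append(e.group(1) + usr_path + e.group(3))
                present.add(usr_path)
                added.append(usr_path)
    return "\n".join(out) + "\n", added
```

Running the function on its own output adds nothing, so it can also serve as a check that a qualifiers list already covers the /usr paths.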
This patch adds support for the rttime rlimit (aka RLIMIT_RTTIME),
available since the 2.6.25 kernel, according to the getrlimit(2)
man page; see that man page for more details on this rlimit.
An acceptance test is also added, as well as an update to the
apparmor.vim input template.
While reviewing to see what made sense in apparmor.vim for the rttime
rlimit, I discovered that RLIMIT_RTTIME's units are microseconds, not
seconds like RLIMIT_CPU (according to the setrlimit(2) manpage). This
necessitated not sharing the case switch with RLIMIT_CPU. I didn't add
a keyword for microseconds, but I did for milliseconds. I also don't
accept any unit larger than minutes, as it didn't seem appropriate
(and even minutes felt... gratuitous). I would appreciate feedback
on what keywords would be useful here.
Patch History:
v1: initial submission
v2: - add apparmor.vim support for rttime keyword
- adjust RLIMIT_TIME value assignment due to its units being
microseconds, not seconds, and add milliseconds keyword.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch eliminates the complaints from running:
pep8 --ignore=E501 aa-easyprof vim/
(E501 is 'line too long', which I'm not too chuffed about.)
Mostly, it's a lot of whitespace touchups, with a few conversions from
'==' to 'is'.
Commit includes applied feedback from cboltz.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Current builds include many warnings when building translations message
files like so:
msgfmt -c -o ja.mo ja.po
ja.po:5: warning: header field 'Language' missing in header
According to what I read in the entry for Language in
http://www.gnu.org/software/gettext/manual/gettext.html#Header-Entry
the language entry should be (in our case) the same as the file name
minus the .po suffix. This patch adds the language field for those
po files that were missing it.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch updates the Report-Msgid-Bugs-To: to point to the apparmor
list instead of the old Novell forge address. It also makes the
Project-Id-Version: field consistent.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The rlimits syntax checking support in apparmor.vim was broken in
various unhelpful ways:
- lacked support for the 'infinity' keyword (aka RLIM_INFINITY)
- lacked support for the 'ofile' rlimit, an alias for the nofile
rlimit
- lacked support for the 'cpu' rlimit (aka RLIMIT_CPU)
- incorrect syntax for nofile|nproc|rtprio rlimits (didn't include
required '<=' between the limit name and value)
- incorrect syntax for specifying optional SI units for size based
rlimits (e.g. 'MB' is required, but syntax only allowed incorrect
'M'; that said, one could argue the parser is overly strict here,
and the pattern should be '[KMG]B?')
(See the setrlimit(2) man page for more details on the specifics of the
rlimit definitions.)
This patch fixes the above issues.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The log parsing in the Immunix::AppArmor perl module has fallen behind
when it comes to audit events from some of the newer rule types
supported by apparmor_parser.
When an unsupported event is found, it causes aa-logprof to error out.
This patch creates a list of valid, but unsupported, event operations
that should be ignored by the perl module when parsing logs.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
From: John Johansen <john.johansen@canonical.com>
Let allow be used as a prefix in place of deny. Allow is the default
and is implicit so it is not needed, but some users keep tripping over
it, and it makes the language more symmetric.
e.g.
/foo rw,
allow /foo rw,
deny /foo rw,
Patch history:
v1: - initial revision
v2: - rename yacc target rule from opt_deny to opt_perm_mode to reflect
that it can be either an allow or deny modifier
- break apart tests into more digestible chunks and to clarify
their purpose
- fix some tests to exercise 'audit allow'
- add negative tests for 'allow' and 'deny' in the same rule
- add support for 'allow' keyword to apparmor.vim
- fix a bug in apparmor.vim to let it recognize multiple
capability entries in a single line.
v3: - add support for optional keywords on capability rules in
regression tests, as well as the bare capability keyword (via
'cap:ALL')
- add allow, deny, and conflicting capability behavioral
regression tests
- fix vim syntax modeline to refer to apparmor in parser tests
- adjust FILE regex in vim syntax file creator script
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
example with LANG=pt_BR) because a regex relies on netstat output.
Enforce LANG=C to make sure aa-unconfined always sees the expected output.
Acked-by: Steve Beattie <steve@nxnw.org>
(The broken URLs were introduced in r1582.)
for utils/*.pod:
Acked-by: Steve Beattie <steve@nxnw.org>
for the other directories:
Patch by Steve Beattie
Acked-by: Christian Boltz <apparmor@cboltz.de>
The profile parsing in the Immunix::AppArmor perl module has fallen
behind when it comes to some of the newer rule types and syntax
supported by apparmor_parser.
When an unsupported rule is found, it causes aa-logprof and aa-genprof
to error out. This patch creates a list of valid, but unsupported rule
types that should be ignored by the perl module when parsing policy.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>