The following patch:
- Brings the return to the correct indentation
- Adds a sorted call over the set keys of hat in the profile
Acked-by: Christian Boltz <apparmor@cboltz.de> for trunk and 2.9.
After switching to winbindd as test profile, comments about the ntpd
profile don't make sense anymore ;-)
The patch also includes some whitespace fixes.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This time we only have 98% coverage (some missing and partial) because
I didn't find corner cases that raise some exceptions ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
The class comes with the usual set of features, so I'll only mention a
special feature: the is_covered() and is_equal() functions can even
compare limits with different units (for example they recognize that
2minutes == 120seconds).
Also change RE_PROFILE_RLIMIT:
- make it a bit more strict (the old one accepted any chars, including
spaces, for rlimit and value)
- convert it to named matches
- '<=' isn't optional - remove the '?' (but keep the parenthesis to
avoid breaking parsing in aa.py)
- allow rules with no spaces around '<='
Acked-by: Steve Beattie <steve@nxnw.org>
aa-cleanprof (actually clean_profile() in tools.py) used reload_base()
from aa.py which sends the parser output to /dev/null. This had two
effects:
- aa-cleanprof ignored the --no-reload parameter
- there was no error message because reload_base() /dev/null's the
parser output
This patch changes clean_profile() to use reload_profile() from tools.py
(which honors the --no-reload option).
Also add a TODO note to aa.py reload_base(), the (AFAIK only) winner of
the 'useless use of cat' award in the AppArmor code.
We should really change it to use reload_profile(), even if that means
moving the function from tools.py to aa.py or common.py. And it should
not /dev/null the apparmor_parser output. ;-)
References: https://bugs.launchpad.net/apparmor/+bug/1443637
Acked-by: Steve Beattie <steve@nxnw.org>
aa-complain is part of the enforce/complain/disable triple. Therefore
I expect it to actually load a profile in complain mode.
To do this, it has to delete the 'disable' symlink, but set_complain()
in aa.py didn't do this (and therefore kept the profile disabled).
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Users might expect that setting a profile into audit mode also activates
it (which shouldn't happen IMHO because the audit flag is not part of
the enforce/complain/disable triple), so we should at least tell them.
References: https://bugs.launchpad.net/apparmor/+bug/1429448
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
aa-complain, aa-enforce, aa-disable and aa-audit refused to change
profiles for non-existing binaries. This patch also allows paths
starting with /. This also makes it possible to use
aa-complain '/{usr/,}bin/ping'
and
aa-complain /etc/apparmor.d/bin.ping
This patch fixes https://bugs.launchpad.net/apparmor/+bug/1416346
Well, mostly - we still need to decide how we handle wildcards in
profile names:
aa-complain ping
aa-complain /usr/bin/ping
will still error out with "Profile not found" because it isn't an exact
match (and matching the wildcard would change more than the user wants).
Oh, and this patch also fixes the last failure in minitools_test.py.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
Change minitools_test.py to use the winbind instead of the ntpd profile
for testing. The tests broke because the ntpd profile has the
attach_disconnected flag set now, and therefore didn't match the
expected flags anymore.
Also replace the usage of filecmp.cmp() in the cleanprof test with
reading the file and using assertEqual - this has the advantage that we
get a full diff instead of just "files differ".
Note: The aa-cleanprof test is still failing because of a bug in
tools.py, but will be fixed by the next patch.
See https://bugs.launchpad.net/apparmor/+bug/1416346 for details.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
This allows to run minitools_test.py as non-root user.
Also add a check that only creates the force-complain directory if it
doesn't exist yet.
Note: With this patch applied, there are still 4 failing tests, probably
caused by changes in the profiles that are used in the tests.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Add a --no-reload parameter to aa-audit, aa-cleanprof, aa-complain,
aa-disable and aa-enforce. This makes it possible to change the
profile flags without reloading the profile.
Also change tools.py to honor the --no-reload parameter.
References: https://bugs.launchpad.net/apparmor/+bug/1458480
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
--fixes lp:1458480
The function will return the 'Exec Condition' and the 'Target Profile'
as nice list to use in aa-logprof (once we have support for
change_profile in logparser.py) and aa-mergeprof.
Also add some tests to ensure the correct result.
Acked-by: Steve Beattie <steve@nxnw.org>
This allows to drop the "apparmor.aa." prefix in ask_the_question() to
get the code more in sync with aa.py ask_the_question().
Acked-by: Steve Beattie <steve@nxnw.org>
Replace the code in aa.py ask_the_questions() that handles network rules
with the ask_the_questions() code initially copied from aa-mergeprof.
This means to convert the network/netdomain log events to a
NetworkRuleset stored in the log_obj hasher, and then let the code from
aa-mergeprof operate on this hasher.
The user interface is mostly unchanged, with two exceptions:
- options always displayed, even if there is only one option
- some slightly changed texts
If you didn't understand why there's a need for the previous patch, this
one should explain it :-)
This also ends up fixing at least one bug where the 'audit' keyword
wasn't listed as a separate qualifier, but instead showed up smooshed
into the Network Family header.
Acked-by: Steve Beattie <steve@nxnw.org>
Replace the code in aa.py ask_the_questions() that handles capabilities
with the ask_the_questions() code from aa-mergeprof.
This means to convert the capability log events to a CapabilityRuleset
stored in the (new) log_obj hasher, and then let the code from
aa-mergeprof operate on this hasher.
Most of the code after the "aa-mergeprof also has this code" comment is
a direct copy of the aa-mergeprof code, with the following changes:
- filter for profile mode (enforce/complain)
- set default button (allow or deny) based on profile mode
- keep seen_events counter happy (even if it isn't displayed anywhere)
- replace apparmor.aa.foo with just foo
The user interface is mostly unchanged, with two exceptions:
- options always displayed, even if there is only one option
- some slightly changed texts
Acked-by: Steve Beattie <steve@nxnw.org>
When switching the audit flag for network events in aa-logprof
(technically, it happens in aa.py ask_the_question()), the "(I)gnore"
button gets "lost".
This patch fixes the list of available buttons.
I propose this patch for trunk and 2.9.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
Move the code to set q.headers, q.functions and q.default for network
and capability rules inside the "while not done" loop. This ensures to
always have valid headers (for example, after changing the audit
qualifier, the severity was "lost" before) and avoids some duplicated
code.
Also drop a useless "if True:" condition and change the whitespace of
the following lines.
Acked-by: Steve Beattie <steve@nxnw.org>
Now that the handling for capability and network rules is the same,
wrap the former network rule-only code with
for ruletype in ['capability', 'network']:
and delete the superfluous ;-) capabiltiy code block.
Needless to say that future updates for other rule types will be
quite easy ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
BaseRule:
- add logprof_header() - sets the 'Qualifier' (audit, allow/deny) header
if a qualifier is specified, calls logprof_header_localvars() and then
returns an array of headers to display in aa-logprof and aa-mergeprof
- add logprof_header_localvars() - dummy function that needs to be
implemented in the child classes
NetworkRule: add logprof_header_localvars() - adds 'Network Family'
and 'Socket Type' to the headers
CapabilityRule: add logprof_header_localvars() - adds 'Capability' to
the headers
Also change aa-mergeprof to use rule_obj.logprof_header() for network
and capability rules. This means deleting lots of lines (that moved to
the *Rule classes) and also deleting the last differences between
capabiltiy and network rules.
Finally add tests for the newly added functions.
Acked-by: Steve Beattie <steve@nxnw.org>
This means:
a) for capability rules:
- move audit and deny to a new "Qualifier" header (only displayed if
non-empty)
- always display options, even if only one is available
- use available_buttons(), which means to add the CMD_AUDIT_* button
- add handling for CMD_AUDIT_* button
- CMD_ALLOW: only add rule_obj if the user didn't select a #include
- move around some code to get it in sync with network rule handling
b) for network rules
- move audit and deny to a new "Qualifier" header (only displayed if
non-empty)
- call rule_obj.severity() (not implemented for network rules, does
nothing)
- change messages to generic 'Adding %s to profile.'
- move around some code to get it in sync with capability rule
handling
The only remaining difference is in q.headers[] and the variables
feeding it:
- capability rules show "Capability: foo"
- network rules show "Network Family: foo" and "Socket type: bar"
Acked-by: Steve Beattie <steve@nxnw.org>
Note: the != sev_db.NOT_IMPLEMENTED: check in aa-mergeprof is
superfluous for capabilities, but will become useful once this code
block is used for other rule types.
Acked-by: Steve Beattie <steve@nxnw.org>
Also implement handling for the special capability value '__ALL__' in
severity.py, which is used for 'capability,' rules (aa-mergeprof might
need to display the severity for such a rule).
Finally, add some tests for severity() in test-capability.py and a test
for '__ALL__' in test-severity.py.
Acked-by: Steve Beattie <steve@nxnw.org>
severity() will, surprise!, return the severity of a rule, or
sev_db.NOT_IMPLEMENTED if a *Rule class doesn't implement the severity()
function.
Also add the NOT_IMPLEMENTED constant to severity.py, and a test to
test-baserule.py that checks the return value in BaseRule.
Acked-by: Steve Beattie <steve@nxnw.org>
allow specifying the change_profile keyword
change_profile,
to grant all permissions change_profile permissions
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
link rules with a variable in the link target, eg.
link /foo -> @{var},
do not currently have the variable expanded
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
currently
link @{foo} -> /bar,
link /bar -> @{foo}
link @{foo} -> @{bar},
all fail due to illegal TOK_SET_VAR
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The parser currently is still using the old permission layout, the kernel
uses a newer layout that allows for more permission bits. The newer
newer permission layout is needed by the library to query the kernel,
however that causes some of the permission bits to be redefined.
Rename the permission bits that cause redefination warnings to use
AA_OLD_MAY_XXX
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Currently the cache file has its mtime set at creation time, but this
can lead to cache issues when a policy file is updated separately from
the cache. This makes it possible for an update to ship a policy file
that is newer than the what the cache file was generated from, but
result in a cache hit because the cache file was local compiled after
the policy file was package into an update (this requires the update
to set the mtime of the file when locally installed to the mtime of
the file in its update archive but this is commonly done, especially
in image based updates).
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
When caching was converted to use mtime instead of ctime, the cache
file timestamp did not get switched over. This means we are comparing
the cache file's ctime against the policy file's mtime. Which can make
the cache look newer than it really is.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- missing formatting code prefixes, usually I for BNFish arguments
- added blank lines before preformatted sections as the html formatter
wasn't treating them as seperate from the preceding text (also, they
generated podchecker warnings)
- fixed a grammar issue
- fixed link description text block that was mistakenly indented and
thus treated as preformatted text
- moved the "Qualifier Blocks" subsection out of the =over/=back as
all the pod tools did not like this and it caused podchecker to exit
with an error, breaking builds that ran make check on the parser
tree.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Rename require_features to require_kernel_features and
have_features to kernel_features
to indicate they are tests for kernel features, as now there are tests
for parser features and in the future there might be library features
as well.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
has not been updated. The issue is that the regression tests detect the
kernel features set and generate policy that the parser may not be able
to compile.
Augment the regressions tests with a couple simple functions to test what
is supported by the parser, and update the test conditionals to use them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This option was previously only documented in the --help output.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
I decided to use a "small" solution for now, which basically means
s/unittest.TestCase/AATest/, cleanup of some setUp() and renaming the
remaining setUp() functions to AASetup().
This doesn't mean an instant win (like in test-severity.py), but allows
to add tests with a tests[] array.
Acked-by: Steve Beattie <steve@nxnw.org>
To be able to distinguish between severity 10 and unknown severity,
change AASetup to specify 'unknown' as default rank, and change the
expected result to 'unknown' where it's expected.
Also change the "expected rank %d" to "%s" because it can be a string
now, and add a test that contains directories with different severity
in one variable.
After these changes, handle_variable_rank() errors out with
TypeError: unorderable types: str() > int()
so fix it by
- initializing rank with the default rank (instead of none)
- explicitely check that rank and rank_new are != the default rank before
doing a comparison
A side effect is another bugfix - '@{HOME}/sys/@{PROC}/overcommit_memory'
is severity 4, not 10 or unknown (confirmed by reading severity.db).
Acked-by: Steve Beattie <steve@nxnw.org>
This simplifies test-severity.py a lot:
- lots of test functions are replaced with tests[] arrays
- tempdir handling and cleanup is now done automagically
Even if test-severity.py shrunk by 65 lines, all tests are still there.
There's even an addition - SeverityTestCap now additionally verifies the
result of rank_capability().
Acked-by: Steve Beattie <steve@nxnw.org>
Change rank_capability() so that it doesn't expect the CAP_ prefix.
This makes usage easier because callers can simply hand over the
capability name.
Also change rank() to call rank_capability() without the CAP_ prefix.
Acked-by: Steve Beattie <steve@nxnw.org>
