Hello, the review for r68 is attached - it contains some small issues and a set of fresh bugs I found while doing some tests.
r69 passed my review without complaints ;-) @John (and whoever else wants to answer) I also have an interesting question about behaviour of aa-audit /bin/ping The profile starts with /{usr/,}bin/ping { so it's, strictly speaking, two profiles in one. The interesting question is what the correct behaviour is because besides setting the profile for /bin/ping to audit mode (expected) it would also set the profile for /usr/bin/ping to audit mode (not expected) OTOH, the current behaviour of aa-audit (error message saying that /bin/ping does not exist) also is not expected and will terribly confuse users. What should "aa-audit /bin/ping" do in this case? (aa-audit is just an example - the same question applies to all aa-* tools that change profile flags.) Regards, Christian Boltz -- > which camera is this? Marcus, this is my bug :) [Marcus Meissner and Stephan Kulow in https://bugzilla.novell.com/show_bug.cgi?id=217731]
------------------------------------------------------------ revno: 68 committer: Kshitij Gupta <kgupta8...@gmail.com branch nick: apparmor-profile-tools timestamp: Sat 2013-09-21 12:36:51 +0530 message: Fixed flag reader and writer to be able to set unset flag for a specific target program also fixed tests for mini tools to be independent of existence of ntpd === modified file 'Tools/aa-complain' --- Tools/aa-complain 2013-09-19 05:02:19 +0000 +++ Tools/aa-complain 2013-09-21 07:06:51 +0000 @@ -11,5 +11,5 @@ complain = apparmor.tools.aa_tools('complain', args) - +print(args) # debugging code? === modified file 'apparmor/aa.py' --- apparmor/aa.py 2013-09-20 19:38:34 +0000 +++ apparmor/aa.py 2013-09-21 07:06:51 +0000 -def get_profile_flags(filename): +def get_profile_flags(filename, program): # To-Do # XXX If more than one profile in a file then second one is being ignored XXX # Do we return flags for both or # with the change below, the To-Do seems solved # you'll also need to fix # Tools/aa-genprof: apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename) # to use two parameters @@ -564,13 +564,17 @@ with open_file_read(filename) as f_in: for line in f_in: if RE_PROFILE_START.search(line): - flags = RE_PROFILE_START.search(line).groups()[6] - return flags + matches = RE_PROFILE_START.search(line).groups() + profile = matches[1] or matches[3] + flags = matches[6] + if profile == program: + return flags raise AppArmorException(_('%s contains no profile')%filename) # with the above change, the error message should probably be # '%(filename)s contains no profile for %(program)s' -def change_profile_flags(filename, flag, set_flag): - old_flags = get_profile_flags(filename) +def change_profile_flags(filename, program, flag, set_flag): + old_flags = get_profile_flags(filename, program) + print(old_flags) # debugging code? # Testing results: # logprof doesn't expand aliases correctly: # (sorry for the german parts, but I'm quite sure you'll understand what is happening ;-) Profil: /{usr/,}bin/ping Pfad: /home/sys-var/run/nscd/dbVSXZwf Modus: r Schweregrad: 4 [1 - /home/sys-var/run/nscd/dbVSXZwf] 2 - /home/*/run/nscd/dbVSXZwf (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore Neuen Pfad eingeben: /var/run/nscd/db* The specified path does not match this log entry: Log Entry: /home/sys-var/run/nscd/dbVSXZwf Entered Path: /var/run/nscd/db* Do you really want to use this path? (J)a / [(N)ein] Profil: /{usr/,}bin/ping Pfad: /home/sys-var/run/nscd/dbVSXZwf Modus: r Schweregrad: 4 1 - /home/sys-var/run/nscd/dbVSXZwf 2 - /home/*/run/nscd/dbVSXZwf [3 - /var/run/nscd/db*] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore Adding /var/run/nscd/db* r to profile Profil: /{usr/,}bin/ping Pfad: /home/sys-var/run/nscd/dbwvkZpy Modus: r Schweregrad: 4 # # cat /etc/apparmor.d/tunables/alias # alias /var/ -> /home/sys-var/, # alias /tmp/ -> /home/sys-tmp/, # # -> logprof should not ask /home/sys-var/run/nscd/dbwvkZpy because it's covered by /var/run/nscd/db* (with the alias applied) # # in fact, it should not ask ask for /home/sys-var/run/nscd/db* at all because the /bin/ping profile includes abstractions/nameservice # which already contains /{,var/}run/nscd/db* rmix, # let's write one of the changed profiles... = Changed Local Profiles = The following local profiles were changed. Would you like to save them? [1 - /home/cb/bin/lj_make_galerie.sh] 2 - /usr/lib/Adobe/Reader9/Reader/intellinux/bin/acroread 3 - /{usr/,}bin/ping (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t # pressed 't' Aktualisiertes Profil fÃŒr /home/cb/bin/lj_make_galerie.sh wird geschrieben. Traceback (most recent call last): File "aa-logprof", line 29, in <module> apparmor.do_logprof_pass(logmark) File "/usr/lib/python2.7/site-packages/apparmor/aa.py", line 2212, in do_logprof_pass save_profiles() File "/usr/lib/python2.7/site-packages/apparmor/aa.py", line 2283, in save_profiles changed.pop(profile_name) KeyError: '/home/cb/bin/lj_make_galerie.sh' # and another evil testcase: # python3 Tools/aa-audit -d Testing/profiles /bin/ping /bin/ping does not exist, please double-check the path. # The error message is wrong - it should say "A profile for /bin/ping does not exist, ..." # (the file /bin/ping exists on my system) # and of course I shouldn't even see the error message because... # cat Testing/profiles/bin.ping [...] #include <tunables/global> /{usr/,}bin/ping { [...] # looks like you don't handle {x,y} in the profile name yet # # confirmed by: # python3 Tools/aa-audit -d Testing/profiles '/{usr/,}bin/ping' Setting /{usr/,}bin/ping to audit mode. None # This is an interesting question about what is the correct behaviour because # besides setting the profile for /bin/ping to audit mode (expected) # it would also set the profile for /usr/bin/ping to audit mode (not expected) # OTOH, the error message also is not expected and will confuse users. # (you should also add some testcases in Testing/minitools_test.py for /bin/ping # and /usr/bin/ping after we decided about the wanted behaviour) vim:ft=diff
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor