Hello, and finally...
*drumroll* This patch implements attachment handling - aa-logprof now works with profiles that have an attachment defined, instead of ignoring audit.log entries for those profiles. Changes: - parse_profile_start_line(): remove workaround that merged the attachment into the profile name - parse_profile_data(): store attachment when parsing a profile - update test_parse_profile_start_03, test_serialize_parse_profile_start_03 and some parse_profile_start_line() tests - they now expect correct attachment handling Note: this patch is not fully covered by tests. I manually tested aa-logprof with some profiles with and without attachment, and it works for both. As usual, I propose this patch for trunk and 2.9 (I do that for all patches in this series, even if I forgot to mention it in some patches ;-) [ 22-handle-profiles-with-attachment.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-03-15 21:35:16.783039264 +0100
+++ utils/apparmor/aa.py 2015-03-15 19:54:49.636222101 +0100
@@ -2683,6 +2683,8 @@
 # Starting line of a profile
 if RE_PROFILE_START.search(line):
 (profile, hat, attachment, flags, in_contained_hat, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)
+ if attachment:
+ profile_data[profile][hat]['attachment'] = attachment
 if pps_set_profile:
 profile_data[profile][hat]['profile'] = True
 if pps_set_hat_external:
=== modified file utils/apparmor/regex.py
--- utils/apparmor/regex.py 2015-03-15 21:33:33.805124635 +0100
+++ utils/apparmor/regex.py 2015-03-15 21:20:04.319971984 +0100
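Review bot: In the aa.py hunk the new `profile_data[profile][hat]['attachment'] = attachment` covers only the parsing side; nothing in this diff shows the code that writes a profile back out, and no test reads this key. If the writing path does not emit the stored attachment, saving a profile from aa-logprof would presumably turn `profile foo /foo {` into `profile foo {`, and the profile would then no longer attach to `/foo`, leaving that binary without the confinement its author intended. The description already says the patch is not fully covered by tests; a round-trip test (parse a profile with an attachment, serialise it, compare the start line) would close that gap. A comment above the new branch, e.g. `# keep the attachment so the profile header can be written back unchanged`, would record why the key exists. The enclosing function (parse_profile_data() according to the description) starts and ends outside the hunk.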
@@ -100,10 +101,6 @@
 result['profile'] = result['namedprofile']
 result['profile_keyword'] = True
- if result['attachment']:
- # XXX keep the broken behaviour until proper handling for attachment is implemented
- result['profile'] = "%s %s" % (result['profile'], result['attachment'])
-
 return result
=== modified file utils/test/test-aa.py
--- utils/test/test-aa.py 2015-03-15 21:35:16.785039145 +0100
+++ utils/test/test-aa.py 2015-03-15 21:13:26.107513804 +0100
@@ -277,7 +277,7 @@
 def test_parse_profile_start_03(self):
 result = self._parse('profile foo /foo {', None, None) # named profile
- expected = ('foo /foo', 'foo /foo', '/foo', None, False, False, False) # XXX yes, that's what happens with the current code :-/
+ expected = ('foo', 'foo', '/foo', None, False, False, False)
 self.assertEqual(result, expected)
 def test_parse_profile_start_04(self):
@@ -361,7 +361,7 @@
 def test_serialize_parse_profile_start_03(self):
 result = self._parse('profile foo /foo {', None, None, False, False) # named profile
- expected = ('foo /foo', 'foo /foo', '/foo', None, False, True) # XXX yes, that's what happens with the current code :-/
+ expected = ('foo', 'foo', '/foo', None, False, True)
 self.assertEqual(result, expected)
 def test_serialize_parse_profile_start_04(self):
=== modified file utils/test/test-regex_matches.py
--- utils/test/test-regex_matches.py 2015-03-15 21:33:33.807124517 +0100
+++ utils/test/test-regex_matches.py 2015-03-13 23:20:42.101128329 +0100
@@ -427,11 +427,10 @@
 (' "/foo" {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
 (' profile /foo {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
 (' profile "/foo" {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
- (' profile foo /foo {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX
- (' profile foo /foo (audit) {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }), # XXX
- (' profile "foo" "/foo" {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX
- (' profile "foo bar" /foo {', { 'profile': 'foo bar /foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo bar', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX
- # XXX lines marked with XXX include the "broken" behaviour for 'profile' - they need to be changed when attachment is handled correctly
+ (' profile foo /foo {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
+ (' profile foo /foo (audit) {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }),
+ (' profile "foo" "/foo" {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
+ (' profile "foo bar" /foo {', { 'profile': 'foo bar', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo bar', 'attachment': '/foo', 'flags': None, 'comment': None }),
 (' /foo (complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
 (' /foo flags=(complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
 (' /foo (complain) { # x', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': '# x'}),
Regards, Christian Boltz -- Wenn schon, dann höchstens Homo Sapiens Sapiens XEmacensis, die Entwicklungslinie, die im Laufe der Evolution sieben Finger an jeder Hand entwickelt hat. Und das alles nur um alle Tastenkürzel zur Bedienung von XEmacs nutzen zu können. [T. Templin über David Haller] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
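Review bot: The updated expectations in the test-regex_matches.py hunk never exercise an attachment that itself needs quoting: they cover a quoted name containing a space (`profile "foo bar" /foo {`) and a quoted attachment without one (`profile "foo" "/foo" {`), but no attachment containing a space. Now that 'profile' and 'attachment' are separate fields rather than one space-joined string, a constructed case such as `profile foo "/foo bar" {` expecting 'profile': 'foo' and 'attachment': '/foo bar' would confirm that the split lands in the right place. A wrong split here would give a profile a different name or attachment path than the policy author wrote, so this edge is worth pinning down. The list these tuples belong to starts and ends outside the hunk.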