Hello,

and finally...

*drumroll*

This patch implements attachment handling - aa-logprof now works with
profiles that have an attachment defined, instead of ignoring audit.log
entries for those profiles.

Changes:
- parse_profile_start_line(): remove workaround that merged the
  attachment into the profile name
- parse_profile_data(): store attachment when parsing a profile
- update test_parse_profile_start_03, test_serialize_parse_profile_start_03
  and some parse_profile_start_line() tests - they now expect correct
  attachment handling

Note: this patch is not fully covered by tests.
I manually tested aa-logprof with some profiles with and without
attachment, and it works for both.

As usual, I propose this patch for trunk and 2.9 (I do that for all 
patches in this series, even if I forgot to mention it in some patches ;-)


[ 22-handle-profiles-with-attachment.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-03-15 21:35:16.783039264 +0100
+++ utils/apparmor/aa.py        2015-03-15 19:54:49.636222101 +0100
@@ -2683,6 +2683,8 @@
         # Starting line of a profile
         if RE_PROFILE_START.search(line):
             (profile, hat, attachment, flags, in_contained_hat, 
pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, 
lineno, profile, hat)
+            if attachment:
+                profile_data[profile][hat]['attachment'] = attachment
             if pps_set_profile:
                 profile_data[profile][hat]['profile'] = True
             if pps_set_hat_external:
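Review bot: The new `profile_data[profile][hat]['attachment'] = attachment` assignment only records the attachment at parse time, and nothing visible in this patch shows the code that writes a profile back reading that key. The removed workaround in regex.py kept the attachment inside the profile name, so it presumably survived a rewrite by accident. With the name now just `foo`, a profile loaded as `profile foo /foo {` could be saved without `/foo` and stop applying to that executable, which is worth confirming given the description says the patch is not fully covered by tests. A round-trip test that parses a profile with an attachment, serializes it and compares the header line would pin this, and a short comment such as `# keep the attachment so a rewritten profile still applies to the same executable` above the new lines would record the intent. The enclosing function starts and ends outside the hunk.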
=== modified file utils/apparmor/regex.py
--- utils/apparmor/regex.py     2015-03-15 21:33:33.805124635 +0100
+++ utils/apparmor/regex.py     2015-03-15 21:20:04.319971984 +0100
@@ -100,10 +101,6 @@
         result['profile'] = result['namedprofile']
         result['profile_keyword'] = True
 
-    if result['attachment']:
-        # XXX keep the broken behaviour until proper handling for attachment 
is implemented
-        result['profile'] = "%s %s" % (result['profile'], result['attachment'])
-
     return result
 
 
=== modified file utils/test/test-aa.py
--- utils/test/test-aa.py       2015-03-15 21:35:16.785039145 +0100
+++ utils/test/test-aa.py       2015-03-15 21:13:26.107513804 +0100
@@ -277,7 +277,7 @@
 
     def test_parse_profile_start_03(self):
         result = self._parse('profile foo /foo {', None, None) # named profile
-        expected = ('foo /foo', 'foo /foo', '/foo', None, False, False, False) 
# XXX yes, that's what happens with the current code :-/
+        expected = ('foo', 'foo', '/foo', None, False, False, False)
         self.assertEqual(result, expected)
 
     def test_parse_profile_start_04(self):
@@ -361,7 +361,7 @@
 
     def test_serialize_parse_profile_start_03(self):
         result = self._parse('profile foo /foo {', None, None, False, False) # 
named profile
-        expected = ('foo /foo', 'foo /foo', '/foo', None, False, True) # XXX 
yes, that's what happens with the current code :-/
+        expected = ('foo', 'foo', '/foo', None, False, True)
         self.assertEqual(result, expected)
 
     def test_serialize_parse_profile_start_04(self):
=== modified file utils/test/test-regex_matches.py
--- utils/test/test-regex_matches.py    2015-03-15 21:33:33.807124517 +0100
+++ utils/test/test-regex_matches.py    2015-03-13 23:20:42.101128329 +0100
@@ -427,11 +427,10 @@
         ('   "/foo" {',                   { 'profile': '/foo',    
'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None,         
 'attachment': None,     'flags': None,       'comment': None }),
         ('   profile /foo {',             { 'profile': '/foo',    
'profile_keyword': True,  'plainprofile': None,   'namedprofile': '/foo',       
 'attachment': None,     'flags': None,       'comment': None }),
         ('   profile "/foo" {',           { 'profile': '/foo',    
'profile_keyword': True,  'plainprofile': None,   'namedprofile': '/foo',       
 'attachment': None,     'flags': None,       'comment': None }),
-        ('   profile foo /foo {',         { 'profile': 'foo 
/foo','profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',  
       'attachment': '/foo',   'flags': None,       'comment': None }), # XXX
-        ('   profile foo /foo (audit) {', { 'profile': 'foo 
/foo','profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',  
       'attachment': '/foo',   'flags': 'audit',    'comment': None }), # XXX
-        ('   profile "foo" "/foo" {',     { 'profile': 'foo 
/foo','profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',  
       'attachment': '/foo',   'flags': None,       'comment': None }), # XXX
-        ('   profile "foo bar" /foo {',   { 'profile': 'foo bar /foo', 
'profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo bar',    
 'attachment': '/foo',   'flags': None,       'comment': None }), # XXX
-        # XXX lines marked with XXX include the "broken" behaviour for 
'profile' - they need to be changed when attachment is handled correctly
+        ('   profile foo /foo {',         { 'profile': 'foo',     
'profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',        
 'attachment': '/foo',   'flags': None,       'comment': None }),
+        ('   profile foo /foo (audit) {', { 'profile': 'foo',     
'profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',        
 'attachment': '/foo',   'flags': 'audit',    'comment': None }),
+        ('   profile "foo" "/foo" {',     { 'profile': 'foo',     
'profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',        
 'attachment': '/foo',   'flags': None,       'comment': None }),
+        ('   profile "foo bar" /foo {',   { 'profile': 'foo bar', 
'profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo bar',    
 'attachment': '/foo',   'flags': None,       'comment': None }),
         ('   /foo (complain) {',          { 'profile': '/foo',    
'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None,         
 'attachment': None,     'flags': 'complain', 'comment': None }),
         ('   /foo flags=(complain) {',    { 'profile': '/foo',    
'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None,         
 'attachment': None,     'flags': 'complain', 'comment': None }),
         ('   /foo (complain) { # x',      { 'profile': '/foo',    
'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None,         
 'attachment': None,     'flags': 'complain', 'comment': '# x'}),




Regards,

Christian Boltz
-- 
Wenn schon, dann höchstens Homo Sapiens Sapiens XEmacensis, die
Entwicklungslinie, die im Laufe der Evolution sieben Finger an jeder
Hand entwickelt hat. Und das alles nur um alle Tastenkürzel zur
Bedienung von XEmacs nutzen zu können. [T. Templin über David Haller]

