Re: [apparmor] [patch] Finally implement attachment handling

Christian Boltz Thu, 02 Apr 2015 03:06:13 -0700

Hello,

Am Sonntag, 15. März 2015 schrieb Christian Boltz:
> Am Sonntag, 15. März 2015 schrieb Christian Boltz:
> > and finally...
> >
> > *drumroll*
> >
> > This patch implements attachment handling - aa-logprof now works
> > with
> > profiles that have an attachment defined, instead of ignoring
> > audit.log entries for those profiles.
> >
> > 
> >
> > Changes:
> > - parse_profile_start_line(): remove workaround that merged the
> >
> >   attachment into the profile name
> >
> > - parse_profile_data(): store attachment when parsing a profile
> > - update test_parse_profile_start_03,
> > test_serialize_parse_profile_start_03 and some
> > parse_profile_start_line() tests - they now expect correct
> > attachment
> > handling
> >
> > 
> >
> > Note: this patch is not fully covered by tests.
> > I manually tested aa-logprof with some profiles with and without
> > attachment, and it works for both.
> >
> > 
> >
> > As usual, I propose this patch for trunk and 2.9 (I do that for all 
> > patches in this series, even if I forgot to mention it in some
> > patches ;-)
> 
> Here's v2 - the only change is an update to
> test_set_flags_nochange_09() which I missed before.


After the whitespace changes in patch 20, this patch failed to apply.
Here's v3 that adopts to the whitespace changes in test-regex_matches.py


[ 22-handle-profiles-with-attachment.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-04-02 11:48:17.658643651 +0200
+++ utils/apparmor/aa.py        2015-04-02 11:48:38.750444605 +0200
@@ -2683,6 +2683,8 @@
         # Starting line of a profile
         if RE_PROFILE_START.search(line):
             (profile, hat, attachment, flags, in_contained_hat, 
pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, 
lineno, profile, hat)
+            if attachment:
+                profile_data[profile][hat]['attachment'] = attachment
             if pps_set_profile:
                 profile_data[profile][hat]['profile'] = True
             if pps_set_hat_external:
=== modified file utils/apparmor/regex.py
--- utils/apparmor/regex.py     2015-04-02 11:43:19.788471155 +0200
+++ utils/apparmor/regex.py     2015-04-02 11:48:38.750444605 +0200
@@ -100,10 +100,6 @@
         result['profile'] = result['namedprofile']
         result['profile_keyword'] = True
 
-    if result['attachment']:
-        # XXX keep the broken behaviour until proper handling for attachment 
is implemented
-        result['profile'] = "%s %s" % (result['profile'], result['attachment'])
-
     return result
 
 
=== modified file utils/test/test-aa.py
--- utils/test/test-aa.py       2015-04-02 11:48:17.661643480 +0200
+++ utils/test/test-aa.py       2015-04-02 11:48:38.750444605 +0200
@@ -151,7 +151,7 @@
     def test_set_flags_nochange_08(self):
         self._test_set_flags('profile /foo', 'flags=(complain)', 'complain')
     def test_set_flags_nochange_09(self):
-        self._test_set_flags('profile xy /foo', 'flags=(complain)', 
'complain', profile_name='xy /foo') # XXX profile_name should be 'xy'
+        self._test_set_flags('profile xy /foo', 'flags=(complain)', 
'complain', profile_name='xy')
     def test_set_flags_nochange_10(self):
         self._test_set_flags('profile "/foo bar"', 'flags=(complain)', 
'complain', profile_name='/foo bar')
     #def test_set_flags_nochange_11(self):
@@ -277,7 +277,7 @@
 
     def test_parse_profile_start_03(self):
         result = self._parse('profile foo /foo {', None, None) # named profile
-        expected = ('foo /foo', 'foo /foo', '/foo', None, False, False, False) 
# XXX yes, that's what happens with the current code :-/
+        expected = ('foo', 'foo', '/foo', None, False, False, False)
         self.assertEqual(result, expected)
 
     def test_parse_profile_start_04(self):
@@ -361,7 +361,7 @@
 
     def test_serialize_parse_profile_start_03(self):
         result = self._parse('profile foo /foo {', None, None, False, False) # 
named profile
-        expected = ('foo /foo', 'foo /foo', '/foo', None, False, True) # XXX 
yes, that's what happens with the current code :-/
+        expected = ('foo', 'foo', '/foo', None, False, True)
         self.assertEqual(result, expected)
 
     def test_serialize_parse_profile_start_04(self):
=== modified file utils/test/test-regex_matches.py
--- utils/test/test-regex_matches.py    2015-04-02 11:36:35.675152811 +0200
+++ utils/test/test-regex_matches.py    2015-04-02 11:54:34.836104606 +0200
@@ -429,11 +429,10 @@
         ('   "/foo" {',                   { 'profile': '/foo',    
'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None,   
'attachment': None,   'flags': None,       'comment': None }),
         ('   profile /foo {',             { 'profile': '/foo',    
'profile_keyword': True,  'plainprofile': None,   'namedprofile': '/foo', 
'attachment': None,   'flags': None,       'comment': None }),
         ('   profile "/foo" {',           { 'profile': '/foo',    
'profile_keyword': True,  'plainprofile': None,   'namedprofile': '/foo', 
'attachment': None,   'flags': None,       'comment': None }),
-        ('   profile foo /foo {',         { 'profile': 'foo 
/foo','profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',  
'attachment': '/foo', 'flags': None,       'comment': None }), # XXX
-        ('   profile foo /foo (audit) {', { 'profile': 'foo 
/foo','profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',  
'attachment': '/foo', 'flags': 'audit',    'comment': None }), # XXX
-        ('   profile "foo" "/foo" {',     { 'profile': 'foo 
/foo','profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',  
'attachment': '/foo', 'flags': None,       'comment': None }), # XXX
-        ('   profile "foo bar" /foo {',   { 'profile': 'foo bar /foo', 
'profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo bar',    
 'attachment': '/foo',   'flags': None,       'comment': None }), # XXX
-        # XXX lines marked with XXX include the "broken" behaviour for 
'profile' - they need to be changed when attachment is handled correctly
+        ('   profile foo /foo {',         { 'profile': 'foo',     
'profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',  
'attachment': '/foo', 'flags': None,       'comment': None }),
+        ('   profile foo /foo (audit) {', { 'profile': 'foo',     
'profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',  
'attachment': '/foo', 'flags': 'audit',    'comment': None }),
+        ('   profile "foo" "/foo" {',     { 'profile': 'foo',     
'profile_keyword': True,  'plainprofile': None,   'namedprofile': 'foo',  
'attachment': '/foo', 'flags': None,       'comment': None }),
+        ('   profile "foo bar" /foo {',   { 'profile': 'foo bar', 
'profile_keyword': True,  'plainprofile': None, 'namedprofile': 'foo 
bar','attachment': '/foo', 'flags': None,    'comment': None }),
         ('   /foo (complain) {',          { 'profile': '/foo',    
'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None,   
'attachment': None,   'flags': 'complain', 'comment': None }),
         ('   /foo flags=(complain) {',    { 'profile': '/foo',    
'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None,   
'attachment': None,   'flags': 'complain', 'comment': None }),
         ('   /foo (complain) { # x',      { 'profile': '/foo',    
'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None,   
'attachment': None,   'flags': 'complain', 'comment': '# x'}),



Regards,

Christian Boltz
-- 
Jedes meiner Postings ist alt genug, um für sich selbst zu sprechen.
Ich übernehme keinerlei Verantwortung für das Verhalten meiner Mails.


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] [patch] Finally implement attachment handling

Reply via email to