Re: [apparmor] Fun with libapparmor build

2015-04-13 Thread Steve Beattie
On Sun, Apr 12, 2015 at 03:09:04PM +0200, Christian Boltz wrote: > Hello, > > On Thursday, 9 April 2015, Tyler Hicks wrote: > > On 2015-04-06 21:02:16, Christian Boltz wrote: > > > "make distclean" shrinks the list a bit: > > > > > > unknown: > > > libraries/libapparmor/test-driver > > >

Re: [apparmor] [patch] Make sure aa-cleanprof de-duplicates capability rules

2015-04-13 Thread Steve Beattie
On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote: > Hello, > > CleanProf.remove_duplicate_rules() didn't call > $profile['capability'].delete_duplicates() > because aa-cleanprof sets same_file=True. > > Fix this by calling delete_duplicates(None) so that it > only checks the prof

Re: [apparmor] [patch] AATest: don't limit diff length

2015-04-13 Thread Steve Beattie
On Sat, Apr 11, 2015 at 08:23:09PM +0200, Christian Boltz wrote: > this patch adds setUp() to AATest that sets "self.maxDiff = None" > (unlimited). This gives us unlimited array diffs everywhere where AATest > is used. > === modified file utils/test/common_test.py > --- utils/test/common_test.py

Re: [apparmor] [patch] Add a missing check in rule class is_covered()

2015-04-13 Thread Steve Beattie
On Sat, Apr 11, 2015 at 10:34:54PM +0200, Christian Boltz wrote: > "capability foo".is_covered("deny capability foo") should return False > even if check_allow_deny is False. > > Also add some tests with check_allow_deny=False. > > [ 40-ruleclass-is_covered-check-deny.diff ] Acked-by: Steve Beatt

Re: [apparmor] Fun with libapparmor build

2015-04-13 Thread Tyler Hicks
On 2015-04-12 15:09:04, Christian Boltz wrote: > Hello, > > On Thursday, 9 April 2015, Tyler Hicks wrote: > > On 2015-04-06 21:02:16, Christian Boltz wrote: > > > "make distclean" shrinks the list a bit: > > > > > > unknown: > > > libraries/libapparmor/test-driver > > > libraries/libappar

[apparmor] Provide public function to split confinement contexts

2015-04-13 Thread Tyler Hicks
The libapparmor aa_getcon(2) family of functions retrieves a confinement context from the kernel and splits it up into separate label and mode strings. The logic for splitting a confinement context has always been internal to libapparmor. However, there is now a need to make the splitting functiona

[apparmor] [PATCH 4/6] libapparmor: Detect errors when splitting confinement contexts

2015-04-13 Thread Tyler Hicks
The parse_confinement_mode() function returned NULL when a confinement mode was not present (unconfined) and when it could not properly parse the confinement context. The two situations should be differentiated since the latter should be treated as an error. This patch reworks parse_confinement_mo

[apparmor] [PATCH 5/6] libapparmor: Add aa_splitcon() public function

2015-04-13 Thread Tyler Hicks
Create a new libapparmor public function that allows external code to split an AppArmor confinement context. This is immediately useful for code that retrieves a D-Bus peer's AppArmor confinement context using the org.freedesktop.DBus.GetConnectionCredentials bus method. https://launchpad.net/bug

[apparmor] [PATCH 3/6] libapparmor: Clean up confinement context's unconfined check

2015-04-13 Thread Tyler Hicks
Use the passed in confinement context string size to improve the comparison by only doing the string comparison if the size matches and removing the possibility of reading past the end of the buffer. Signed-off-by: Tyler Hicks --- libraries/libapparmor/src/kernel.c | 19 +-- 1 fi

[apparmor] [PATCH 6/6] libapparmor: Add unit tests for aa_splitcon()

2015-04-13 Thread Tyler Hicks
Test confinement context splitting, using aa_splitcon(3), with and without a valid mode pointer. Signed-off-by: Tyler Hicks --- libraries/libapparmor/src/Makefile.am | 6 +- libraries/libapparmor/src/tst_kernel.c | 133 + 2 files changed, 138 insertions(+), 1 d

[apparmor] [PATCH 2/6] libapparmor: Don't count NUL terminator byte

2015-04-13 Thread Tyler Hicks
When passing the size of the confinement context to parse_confinement_mode(), don't include the NUL terminator byte in the size. It is confusing to count the NUL terminator as part of the string's length. This change makes it so that, after a few additional changes, parse_confinement_mode() can be

[apparmor] [PATCH 1/6] tests: Verify aa_getpeercon() return value

2015-04-13 Thread Tyler Hicks
This patch modifies the socketpair.c test to verify the return value of aa_getpeercon() based upon the expected label and expected mode lengths. The test had to be changed slightly so that the returned mode, from aa_getpeercon(), was preserved. It was being overwritten with the special NO_MODE val

Re: [apparmor] [patch] Make sure aa-cleanprof de-duplicates capability rules

2015-04-13 Thread Christian Boltz
Hello, On Monday, 13 April 2015, Steve Beattie wrote: > On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote: > > CleanProf.remove_duplicate_rules() didn't call > > $profile['capability'].delete_duplicates() > > because aa-cleanprof sets same_file=True. > > > > Fix this by calling d

Re: [apparmor] [patch] AATest: don't limit diff length

2015-04-13 Thread Christian Boltz
Hello, On Monday, 13 April 2015, Steve Beattie wrote: > On Sat, Apr 11, 2015 at 08:23:09PM +0200, Christian Boltz wrote: > > this patch adds setUp() to AATest that sets "self.maxDiff = None" > > (unlimited). This gives us unlimited array diffs everywhere where > > AATest is used. > > > > === mo

Re: [apparmor] [patch] Make sure aa-cleanprof de-duplicates capability rules

2015-04-13 Thread Steve Beattie
On Tue, Apr 14, 2015 at 12:50:26AM +0200, Christian Boltz wrote: > Hello, > > On Monday, 13 April 2015, Steve Beattie wrote: > > On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote: > > > CleanProf.remove_duplicate_rules() didn't call > > > $profile['capability'].delete_duplicates(