[apparmor] [Patch] - Dump preprocessed profile output

Steve Beattie sbeattie at ubuntu.com
Sun Jul 18 03:31:11 BST 2010


On Tue, Jun 29, 2010 at 12:48:20PM -0700, John Johansen wrote:
> Sorry, I thought I had done that already.  I would like to
> nominate -p for 2.5.1 as it makes debugging a lot easier,
> in that you can ask people for processed file and know you
> are consistent with their includes.

ACK'ed for 2.5.1. I pulled the patch you submitted along with the added
bit to document it in the manpage (essentially trunk:r1419 with the -o
bits pulled out).

Thanks, JJ.

On Fri, Jun 25, 2010 at 10:06:49PM -0700, John Johansen wrote:
> This patch adds back in the -p flag, allowing the dumping of a
> flattened profile to stdout.
> 
> It currently does not do any more than flatten the include
> files.  The expansion of variables etc. can be added later.
> 

> === modified file 'parser/parser.h'
> ---
>  parser/parser.h      |    2 -
>  parser/parser_lex.l  |   74 +++++++++++++++++++++++++++++++++++++++++++--------
>  parser/parser_main.c |   16 +++++++++--
>  3 files changed, 78 insertions(+), 14 deletions(-)
> 
> --- parser/parser.h.orig
> +++ parser/parser.h
> @@ -182,7 +182,7 @@
>  extern int flag_changehat_version;
>  extern int read_implies_exec;
>  extern dfaflags_t dfaflags;
> -
> +extern int preprocess_only;
>  
>  #define PATH_CHROOT_REL 0x1
>  #define PATH_NS_REL 0x2
> --- parser/parser_lex.l.orig
> +++ parser/parser_lex.l
> @@ -49,6 +49,8 @@
>  #endif
>  #define NPDEBUG(fmt, args...)	/* Do nothing */
>  
> +#define DUMP_PREPROCESS do { if (preprocess_only) ECHO; } while (0)
> +
>  int current_lineno     = 1;
>  char *current_filename = NULL;
>  
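Review bot: `DUMP_PREPROCESS` has to be called by hand in every rule action, so a rule that is missed, now or when one is added later, silently drops its text from the dump and the flattened profile no longer matches what the parser read. The macro has no comment stating that contract; I would add `/* Echo the matched text to yyout when -p is set; every rule action must call this, or its text is missing from the dump. */` above it. If every rule really is meant to be echoed, flex's `YY_USER_ACTION` hook would do this in one place. Rules outside these hunks (presumably the include directive) may need to stay silent, so confirm that before switching.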
> @@ -81,8 +83,12 @@
>  	char *fullpath = NULL;
>  
>  	if (search) {
> +		if (preprocess_only)
> +			fprintf(yyout, "\n\n##included <%s>\n", filename);
>  		include_file = search_path(filename, &fullpath);
>  	} else {
> +		if (preprocess_only)
> +			fprintf(yyout, "\n\n##included \"%s\"\n", filename);
>  		fullpath = strdup(filename);
>  		include_file = fopen(fullpath, "r");
>  	}
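Review bot: The `##included` marker prints `filename` as written in the profile, before `search_path()` or `fopen()` has run, so the dump shows neither which file on the include search path was actually read nor whether the open succeeded. For a dump meant to confirm that two systems resolved the same includes, the resolved path is the useful value. In the `search` branch I would emit the marker after the lookup, e.g. `fprintf(yyout, "\n\n##included <%s> (%s)\n", filename, fullpath ? fullpath : "?");`. Whether `search_path()` leaves `fullpath` NULL on failure is not visible here, and the function continues outside the hunk, where the failed-open handling presumably lives.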
> @@ -246,6 +252,7 @@
>  			   * a longer match). So now, when I want to
>  			   * match any random string, I go into a
>  			   * separate state. */
> +			DUMP_PREPROCESS;
>  			yylval.id =  processunquoted(yytext, yyleng);
>  			PDEBUG("Found sub name: \"%s\"\n",  yylval.id);
>  			BEGIN(INITIAL);
> @@ -259,6 +266,7 @@
>  			   * a longer match). So now, when I want to
>  			   * match any random string, I go into a
>  			   * separate state. */
> +			DUMP_PREPROCESS;
>  			yylval.id = processquoted(yytext, yyleng);
>  			PDEBUG("Found sub name: \"%s\"\n", yylval.id);
>  			BEGIN(INITIAL);
> @@ -266,6 +274,7 @@
>  		}
>  
>  	[^\n]	{
> +			DUMP_PREPROCESS;
>  			/* Something we didn't expect */
>  			yyerror(_("Found unexpected character: '%s'"), yytext);
>  		}
> @@ -280,6 +289,7 @@
>  			   * a longer match). So now, when I want to
>  			   * match any random string, I go into a
>  			   * separate state. */
> +			DUMP_PREPROCESS;
>  			yylval.id = processunquoted(yytext, yyleng);
>  			PDEBUG("Found sub name: \"%s\"\n", yylval.id);
>  			BEGIN(INITIAL);
> @@ -293,14 +303,16 @@
>  			   * a longer match). So now, when I want to
>  			   * match any random string, I go into a
>  			   * separate state. */
> +			DUMP_PREPROCESS;
>  			yylval.id  = processquoted(yytext, yyleng);
>  			PDEBUG("Found sub name: \"%s\"\n", yylval.id);
>  			BEGIN(INITIAL);
>  			return TOK_ID;
>  		}
>  
> -	{WS}+			{  /* Ignoring whitespace */ }
> +	{WS}+	{ DUMP_PREPROCESS; /* Ignoring whitespace */ }
>  	[^\n]	{
> +			DUMP_PREPROCESS;
>  			/* Something we didn't expect */
>  			yyerror(_("Found unexpected character: '%s'"), yytext);
>  		}
> @@ -308,85 +320,99 @@
>  
>  <FLAGS_MODE>{
>  	{FLAGOPEN_PAREN}	{
> +			DUMP_PREPROCESS;
>  			PDEBUG("FLag (\n");
>  			return TOK_FLAG_OPENPAREN;
>  			}
>  	{FLAGCLOSE_PAREN}	{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Flag )\n");
>  			BEGIN(INITIAL);
>  			return TOK_FLAG_CLOSEPAREN;
>  			}
>  
> -	{WS}+		{ /* Eat whitespace */ }
> +	{WS}+		{ DUMP_PREPROCESS; /* Eat whitespace */ }
>  
>  	{FLAGSEP}	{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Flag , \n");
>  			return TOK_FLAG_SEP;
>  			}
>  
>  	{EQUALS}	{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Flag = \n");
>  			return TOK_EQUALS;
>  			}
>  	{KEYWORD}	{
> +			DUMP_PREPROCESS;
>  			yylval.flag_id = strdup(yytext);
>  			PDEBUG("Found flag: \"%s\"\n", yylval.flag_id);
>  			return TOK_FLAG_ID;
>  			}
>  
>  	[^\n]		{
> +			DUMP_PREPROCESS;
>  			/* Something we didn't expect */
>  			yyerror(_("Found unexpected character: '%s'"), yytext);
>  			}
>  }
>  
>  <ASSIGN_MODE>{
> -	{WS}+		{ /* Eat whitespace */ }
> +	{WS}+		{ DUMP_PREPROCESS; /* Eat whitespace */ }
>  
>  	{ID}+		{
> +			DUMP_PREPROCESS;
>  			yylval.var_val = processunquoted(yytext, yyleng);
>  			PDEBUG("Found assignment value: \"%s\"\n", yylval.var_val);
>  			return TOK_VALUE;
>  			}
>  
>  	{QUOTED_ID}	{
> +			DUMP_PREPROCESS;
>  			yylval.var_val = processquoted(yytext, yyleng);
>  			PDEBUG("Found assignment value: \"%s\"\n", yylval.var_val);
>  			return TOK_VALUE;
>  			}
>  
> -	\\\n		{ current_lineno++ ; }
> +	\\\n		{ DUMP_PREPROCESS; current_lineno++ ; }
>  
>  	\r?\n		{
> +			DUMP_PREPROCESS;
>  			current_lineno++;
>  			BEGIN(INITIAL);
>  			}
>  }
>  
>  <NETWORK_MODE>{
> -	{WS}+		{ /* Eat whitespace */ }
> +	{WS}+		{ DUMP_PREPROCESS; /* Eat whitespace */ }
>  
>  	{ID}+		{
> +			DUMP_PREPROCESS;
>  			yylval.id = strdup(yytext);
>  			return TOK_ID;
>  			}
>  	{END_OF_RULE}	{
> +			DUMP_PREPROCESS;
>  			BEGIN(INITIAL);
>  			return TOK_END_OF_RULE;
>  		}
>  	[^\n]		{
> +			DUMP_PREPROCESS;
>  			  /* Something we didn't expect */
>  			yylval.id = strdup(yytext);
>  			yyerror(_("(network_mode) Found unexpected character: '%s'"), yylval.id);
>  			}
>  
>  	\r?\n		{
> +			DUMP_PREPROCESS;
>  			current_lineno++;
>  			}
>  }
>  
>  <CHANGE_PROFILE_MODE>{
>  	{ARROW}	        {
> +			DUMP_PREPROCESS;
>  			PDEBUG("Matched a change profile arrow\n");
>  			return TOK_ARROW;
>  			}
> @@ -399,6 +425,7 @@
>  			   * a longer match). So now, when I want to
>  			   * match any random string, I go into a
>  			   * separate state. */
> +			DUMP_PREPROCESS;
>  			yylval.id = processunquoted(yytext, yyleng);
>  			PDEBUG("Found change profile name: \"%s\"\n", yylval.id);
>  			BEGIN(INITIAL);
> @@ -412,14 +439,16 @@
>  			   * a longer match). So now, when I want to
>  			   * match any random string, I go into a
>  			   * separate state. */
> +			DUMP_PREPROCESS;
>  			yylval.id = processquoted(yytext, yyleng);
>  			PDEBUG("Found change profile quoted name: \"%s\"\n", yylval.id);
>  			BEGIN(INITIAL);
>  			return TOK_ID;
>  		}
>  
> -	{WS}+			{  /* Ignoring whitespace */ }
> +	{WS}+			{  DUMP_PREPROCESS; /* Ignoring whitespace */ }
>  	[^\n]	{
> +			DUMP_PREPROCESS;
>  			/* Something we didn't expect */
>  			yyerror(_("Found unexpected character: '%s'"), yytext);
>  		}
> @@ -431,122 +460,143 @@
>  			}
>  
>  #.*\r?\n		{ /* normal comment */
> +			DUMP_PREPROCESS;
>  			PDEBUG("comment(%d): %s\n", current_lineno, yytext);
>  			current_lineno++;
>  			BEGIN(INITIAL);
>  }
>  
> -{END_OF_RULE}		{ return TOK_END_OF_RULE; }
> +{END_OF_RULE}		{ DUMP_PREPROCESS; return TOK_END_OF_RULE; }
>  
>  {SEPARATOR}		{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Matched a separator\n");
>  			BEGIN(SUB_NAME);
>  			return TOK_SEP;
>  			}
>  {ARROW}			{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Matched a arrow\n");
>  			return TOK_ARROW;
>  			}
>  {EQUALS}		{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Matched equals for assignment\n");
>  			BEGIN(ASSIGN_MODE);
>  			return TOK_EQUALS;
>  			}
>  {ADD_ASSIGN}		{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Matched additive value assignment\n");
>  			BEGIN(ASSIGN_MODE);
>  			return TOK_ADD_ASSIGN;
>  			}
>  <RLIMIT_MODE>{
> -	{WS}+		{ /* Eat whitespace */ }
> +	{WS}+		{ DUMP_PREPROCESS; /* Eat whitespace */ }
>  
>  
>  	-?{NUMBER}[kKMG]?  {
> +			DUMP_PREPROCESS;
>  		        yylval.var_val = strdup(yytext);
>  		        return TOK_VALUE;
>  			}
>  
>  	{KEYWORD}	{
> +			DUMP_PREPROCESS;
>  		        yylval.id = strdup(yytext);
>  			if (strcmp(yytext, "infinity") == 0)
>  				return TOK_VALUE;
>  			return TOK_ID;
>  			}
>  
> -	{LT_EQUAL}	{ return TOK_LE; }
> +	{LT_EQUAL}	{ DUMP_PREPROCESS; return TOK_LE; }
>  
>  	{END_OF_RULE}	{
> +			DUMP_PREPROCESS;
>  			BEGIN(INITIAL);
>  			return TOK_END_OF_RULE;
>  			}
>  
>  	\\\n		{
> +			DUMP_PREPROCESS;
>  			current_lineno++;
>  			BEGIN(INITIAL);
>  			}
>  
>  	\r?\n		{
> +			DUMP_PREPROCESS;
>  			current_lineno++;
>  			BEGIN(INITIAL);
>  			}
>  }
>  
>  {SET_VARIABLE}		{
> +			DUMP_PREPROCESS;
>  			yylval.set_var = strdup(yytext);
>  			PDEBUG("Found set variable %s\n", yylval.set_var);
>  			return TOK_SET_VAR;
>  			}
>  
>  {BOOL_VARIABLE}		{
> +			DUMP_PREPROCESS;
>  			yylval.bool_var = strdup(yytext);
>  			PDEBUG("Found boolean variable %s\n", yylval.bool_var);
>  			return TOK_BOOL_VAR;
>  			}
>  
>  {OPEN_BRACE}		{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Open Brace\n");
>  			return TOK_OPEN;
>  			}
>  {CLOSE_BRACE}		{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Close Brace\n");
>  			return TOK_CLOSE;
>  			}
>  
>  {PATHNAME}		{
> +			DUMP_PREPROCESS;
>  			yylval.id = processunquoted(yytext, yyleng);
>  			PDEBUG("Found id: \"%s\"\n", yylval.id);
>  			return TOK_ID;
>  			}
>  
>  {QPATHNAME}		{
> +			DUMP_PREPROCESS;
>  			yylval.id = processquoted(yytext, yyleng);
>  			PDEBUG("Found id: \"%s\"\n", yylval.id);
>  			return TOK_ID;
>  			}
>  
>  {MODES}			{
> +			DUMP_PREPROCESS;
>  			yylval.mode = strdup(yytext);
>  			PDEBUG("Found modes: %s\n", yylval.mode);
>  			return TOK_MODE;
>  			}
>  
>  {HAT}			{
> +			DUMP_PREPROCESS;
>  			BEGIN(SUB_NAME2);
>  			return TOK_HAT;
>  			}
>  
>  {COLON}			{
> +			DUMP_PREPROCESS;
>  			PDEBUG("Found a colon\n");
>  			return TOK_COLON;
>  			}
>  
>  {FLAGOPEN_PAREN}	{
> +			DUMP_PREPROCESS;
>  			PDEBUG("FLag (\n");
>  			BEGIN(FLAGS_MODE);
>  			return TOK_FLAG_OPENPAREN;
>  			}
>  
>  {VARIABLE_NAME}		{
> +			DUMP_PREPROCESS;
>  			int token = get_keyword_token(yytext);
>  
>  			/* special cases */
> @@ -578,11 +628,13 @@
>  			return token;
>  			}
>  
> -{WS}+			{  /* Ignoring whitespace */ }
> +{WS}+			{  DUMP_PREPROCESS; /* Ignoring whitespace */ }
>  
> -\r?\n			{ current_lineno++ ; }
> +\r?\n			{ DUMP_PREPROCESS; current_lineno++ ; }
>  
>  [^\n]			{
> +			DUMP_PREPROCESS;
> +
>  			  /* Something we didn't expect */
>  			yyerror(_("Found unexpected character: '%s'"), yytext);
>  			}
> --- parser/parser_main.c.orig
> +++ parser/parser_main.c
> @@ -80,6 +80,7 @@
>  #else
>  int read_implies_exec = 0;
>  #endif
> +int preprocess_only = 0;
>  
>  char *subdomainbase = NULL;
>  char *match_string = NULL;
> @@ -123,6 +124,7 @@
>  	{"Dump",		1, 0, 'D'},
>  	{"optimize",		1, 0, 'O'},
>  	{"Optimize",		1, 0, 'O'},
> +	{"preprocess",		0, 0, 'p'},
>  	{NULL, 0, 0, 0},
>  };
>  
> @@ -162,9 +164,10 @@
>  	       "-Q, --skip-kernel-load	Do everything except loading into kernel\n"
>  	       "-V, --version		Display version info and exit\n"
>  	       "-d, --debug 		Debug apparmor definitions\n"
> +	       "-p, --preprocess	Dump preprocessed profile\n"
>  	       "-D [n], --dump		Dump internal info for debugging\n"
>  	       "-O [n], --Optimize	Control dfa optimizations\n"
> -	       "-h [command], --help	Display this text or info about command\n"
> +	       "-h [cmd], --help[=cmd]  Display this text or info about cmd\n"
>  	       ,command);
>  }
>  
> @@ -248,7 +251,7 @@
>  	int count = 0;
>  	option = OPTION_ADD;
>  
> -	while ((c = getopt_long(argc, argv, "adf:h::rRVvI:b:BCD:NSm:qQn:XKTWkO:", long_options, &o)) != -1)
> +	while ((c = getopt_long(argc, argv, "adf:h::rRVvI:b:BCD:NSm:qQn:XKTWkO:p", long_options, &o)) != -1)
>  	{
>  		switch (c) {
>  		case 0:
> @@ -439,6 +442,12 @@
>  		case 'Q':
>  			kernel_load = 0;
>  			break;
> +		case 'p':
> +			count++;
> +			kernel_load = 0;
> +			skip_cache = 1;
> +			preprocess_only = 1;
> +			break;
>  		default:
>  			display_usage(progname);
>  			exit(0);
> @@ -807,6 +816,9 @@
>  	if (retval != 0)
>  		goto out;
>  
> +	if (preprocess_only)
> +		goto out;
> +
>  	if (names_only) {
>  		dump_policy_names();
>  		goto out;
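Review bot: The early `goto out` leaves without checking that the dump actually reached stdout, so a full disk or closed pipe produces a truncated profile and, as far as this hunk shows, an unchanged `retval` of 0. A truncated dump that looks complete is misleading when it is used to compare policy between systems. I would flush and check before leaving, e.g. `if (preprocess_only) { if (fflush(stdout) != 0) retval = 1; goto out; }`. What `out:` does with `retval` is outside the hunk, and this assumes yyout is still stdout at this point.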

> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor



-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/