[apparmor] GSoC review r68 and r69

Christian Boltz apparmor at cboltz.de
Sat Sep 21 22:43:52 UTC 2013 

Hello,

the review for r68 is attached - it contains some small issues and a 
set of fresh bugs I found while doing some tests.

r69 passed my review without complaints ;-)


@John (and whoever else wants to answer)

I also have an interesting question about behaviour of 
    aa-audit /bin/ping

The profile starts with
    /{usr/,}bin/ping {
so it's, strictly speaking, two profiles in one.

The interesting question is what the correct behaviour is because 
besides setting the profile for /bin/ping to audit mode (expected)
it would also set the profile for /usr/bin/ping to audit mode (not expected)

OTOH, the current behaviour of aa-audit (error message saying that 
/bin/ping does not exist) also is not expected and will terribly confuse 
users.

What should "aa-audit /bin/ping" do in this case?

(aa-audit is just an example - the same question applies to all aa-* tools
that change profile flags.)


Regards,

Christian Boltz
-- 
> which camera is this?
Marcus, this is my bug :)
[Marcus Meissner and Stephan Kulow in
https://bugzilla.novell.com/show_bug.cgi?id=217731]
-------------- next part --------------
------------------------------------------------------------
revno: 68
committer: Kshitij Gupta <kgupta8592 at gmail.com
branch nick: apparmor-profile-tools
timestamp: Sat 2013-09-21 12:36:51 +0530
message:
  Fixed flag  reader and writer to be able to set unset flag for a specific
  target program also fixed tests for mini tools to be independent of existence
  of ntpd



=== modified file 'Tools/aa-complain'
--- Tools/aa-complain	2013-09-19 05:02:19 +0000
+++ Tools/aa-complain	2013-09-21 07:06:51 +0000
@@ -11,5 +11,5 @@
 complain = apparmor.tools.aa_tools('complain', args)
-
+print(args)

# debugging code?


=== modified file 'apparmor/aa.py'
--- apparmor/aa.py	2013-09-20 19:38:34 +0000
+++ apparmor/aa.py	2013-09-21 07:06:51 +0000
-def get_profile_flags(filename):
+def get_profile_flags(filename, program):
     # To-Do
     # XXX If more than one profile in a file then second one is being ignored XXX
     # Do we return flags for both or 

# with the change below, the To-Do seems solved

# you'll also need to fix
# Tools/aa-genprof:    apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename)
# to use two parameters

@@ -564,13 +564,17 @@
     with open_file_read(filename) as f_in:
         for line in f_in:
             if RE_PROFILE_START.search(line):
-                flags = RE_PROFILE_START.search(line).groups()[6]
-                return flags
+                matches = RE_PROFILE_START.search(line).groups()
+                profile = matches[1] or matches[3]
+                flags = matches[6]
+                if profile == program:
+                    return flags
 
     raise AppArmorException(_('%s contains no profile')%filename)

# with the above change, the error message should probably be
#     '%(filename)s contains no profile for %(program)s'



-def change_profile_flags(filename, flag, set_flag):
-    old_flags = get_profile_flags(filename)
+def change_profile_flags(filename, program, flag, set_flag):
+    old_flags = get_profile_flags(filename, program)
+    print(old_flags)

# debugging code?






# Testing results:

# logprof doesn't expand aliases correctly:
# (sorry for the german parts, but I'm quite sure you'll understand what is happening ;-)


Profil:      /{usr/,}bin/ping
Pfad:        /home/sys-var/run/nscd/dbVSXZwf
Modus:       r
Schweregrad: 4

 [1 - /home/sys-var/run/nscd/dbVSXZwf]
  2 - /home/*/run/nscd/dbVSXZwf 
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore

Neuen Pfad eingeben: /var/run/nscd/db*

The specified path does not match this log entry:

  Log Entry: /home/sys-var/run/nscd/dbVSXZwf
  Entered Path:  /var/run/nscd/db*
Do you really want to use this path?

(J)a / [(N)ein]

Profil:      /{usr/,}bin/ping
Pfad:        /home/sys-var/run/nscd/dbVSXZwf
Modus:       r
Schweregrad: 4

  1 - /home/sys-var/run/nscd/dbVSXZwf 
  2 - /home/*/run/nscd/dbVSXZwf 
 [3 - /var/run/nscd/db*]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
Adding /var/run/nscd/db* r to profile

Profil:      /{usr/,}bin/ping
Pfad:        /home/sys-var/run/nscd/dbwvkZpy
Modus:       r
Schweregrad: 4

# # cat /etc/apparmor.d/tunables/alias
# alias /var/ -> /home/sys-var/,
# alias /tmp/ -> /home/sys-tmp/,
#
# -> logprof should not ask /home/sys-var/run/nscd/dbwvkZpy because it's covered by /var/run/nscd/db* (with the alias applied)
# 
# in fact, it should not ask ask for /home/sys-var/run/nscd/db* at all because the /bin/ping profile includes abstractions/nameservice
# which already contains   /{,var/}run/nscd/db*  rmix,





# let's write one of the changed profiles...

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /home/cb/bin/lj_make_galerie.sh]
  2 - /usr/lib/Adobe/Reader9/Reader/intellinux/bin/acroread 
  3 - /{usr/,}bin/ping 
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
# pressed 't'
Aktualisiertes Profil fÃŒr /home/cb/bin/lj_make_galerie.sh wird geschrieben.
Traceback (most recent call last):
  File "aa-logprof", line 29, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/usr/lib/python2.7/site-packages/apparmor/aa.py", line 2212, in do_logprof_pass
    save_profiles()
  File "/usr/lib/python2.7/site-packages/apparmor/aa.py", line 2283, in save_profiles
    changed.pop(profile_name)
KeyError: '/home/cb/bin/lj_make_galerie.sh'





# and another evil testcase:
 
# python3 Tools/aa-audit   -d Testing/profiles /bin/ping
/bin/ping does not exist, please double-check the path.

# The error message is wrong - it should say "A profile for /bin/ping does not exist, ..." 
# (the file /bin/ping exists on my system)
# and of course I shouldn't even see the error message because...

# cat Testing/profiles/bin.ping 
[...]
#include <tunables/global>
/{usr/,}bin/ping {
[...]

# looks like you don't handle {x,y} in the profile name yet
#
# confirmed by:

# python3 Tools/aa-audit   -d Testing/profiles '/{usr/,}bin/ping'
Setting /{usr/,}bin/ping to audit mode.
None

# This is an interesting question about what is the correct behaviour because
# besides setting the profile for /bin/ping to audit mode (expected)
# it would also set the profile for /usr/bin/ping to audit mode (not expected)
# OTOH, the error message also is not expected and will confuse users.

# (you should also add some testcases in Testing/minitools_test.py for /bin/ping 
# and /usr/bin/ping after we decided about the wanted behaviour)



vim:ft=diff

More information about the AppArmor mailing list