[apparmor] [patch] Finally implement attachment handling
Christian Boltz
apparmor at cboltz.de
Sun Mar 15 22:01:25 UTC 2015
Hello,
Am Sonntag, 15. März 2015 schrieb Christian Boltz:
> and finally...
>
> *drumroll*
>
> This patch implements attachment handling - aa-logprof now works with
> profiles that have an attachment defined, instead of ignoring
> audit.log entries for those profiles.
>
> Changes:
> - parse_profile_start_line(): remove workaround that merged the
> attachment into the profile name
> - parse_profile_data(): store attachment when parsing a profile
> - update test_parse_profile_start_03,
> test_serialize_parse_profile_start_03 and some
> parse_profile_start_line() tests - they now expect correct attachment
> handling
>
> Note: this patch is not fully covered by tests.
> I manually tested aa-logprof with some profiles with and without
> attachment, and it works for both.
>
> As usual, I propose this patch for trunk and 2.9 (I do that for all
> patches in this series, even if I forgot to mention it in some patches
> ;-)
Here's v2 - the only change is an update to test_set_flags_nochange_09()
which I missed before.
[ 22-handle-profiles-with-attachment.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-03-15 21:35:16.783039264 +0100
+++ utils/apparmor/aa.py 2015-03-15 19:54:49.636222101 +0100
@@ -2683,6 +2683,8 @@
# Starting line of a profile
if RE_PROFILE_START.search(line):
(profile, hat, attachment, flags, in_contained_hat, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)
+ if attachment:
+ profile_data[profile][hat]['attachment'] = attachment
if pps_set_profile:
profile_data[profile][hat]['profile'] = True
if pps_set_hat_external:
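Review bot: Nothing in this diff shows the new `profile_data[profile][hat]['attachment']` value being read back when a profile header is written out, so please confirm that the writer emits it; it may already be handled elsewhere in the series. If it does not, aa-logprof would read `profile foo /foo {` and save `profile foo {`, which silently changes which executable the profile attaches to. The description says the patch is not fully covered by tests, and a parse-then-write round-trip test for a profile with an attachment would close that gap. A short comment above the new lines would also help, for example `# keep the attachment separate from the profile name so it survives a rewrite`. The enclosing function starts and ends outside this hunk.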
=== modified file utils/apparmor/regex.py
--- utils/apparmor/regex.py 2015-03-15 21:33:33.805124635 +0100
+++ utils/apparmor/regex.py 2015-03-15 21:20:04.319971984 +0100
@@ -100,10 +101,6 @@
result['profile'] = result['namedprofile']
result['profile_keyword'] = True
- if result['attachment']:
- # XXX keep the broken behaviour until proper handling for attachment is implemented
- result['profile'] = "%s %s" % (result['profile'], result['attachment'])
-
return result
=== modified file utils/test/test-aa.py
--- utils/test/test-aa.py 2015-03-15 21:35:16.785039145 +0100
+++ utils/test/test-aa.py 2015-03-15 21:13:26.107513804 +0100
@@ -151,7 +151,7 @@
def test_set_flags_nochange_08(self):
self._test_set_flags('profile /foo', 'flags=(complain)', 'complain')
def test_set_flags_nochange_09(self):
- self._test_set_flags('profile xy /foo', 'flags=(complain)', 'complain', profile_name='xy /foo') # XXX profile_name should be 'xy'
+ self._test_set_flags('profile xy /foo', 'flags=(complain)', 'complain', profile_name='xy')
def test_set_flags_nochange_10(self):
self._test_set_flags('profile "/foo bar"', 'flags=(complain)', 'complain', profile_name='/foo bar')
#def test_set_flags_nochange_11(self):
@@ -277,7 +277,7 @@
def test_parse_profile_start_03(self):
result = self._parse('profile foo /foo {', None, None) # named profile
- expected = ('foo /foo', 'foo /foo', '/foo', None, False, False, False) # XXX yes, that's what happens with the current code :-/
+ expected = ('foo', 'foo', '/foo', None, False, False, False)
self.assertEqual(result, expected)
def test_parse_profile_start_04(self):
@@ -361,7 +361,7 @@
def test_serialize_parse_profile_start_03(self):
result = self._parse('profile foo /foo {', None, None, False, False) # named profile
- expected = ('foo /foo', 'foo /foo', '/foo', None, False, True) # XXX yes, that's what happens with the current code :-/
+ expected = ('foo', 'foo', '/foo', None, False, True)
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_04(self):
=== modified file utils/test/test-regex_matches.py
--- utils/test/test-regex_matches.py 2015-03-15 21:33:33.807124517 +0100
+++ utils/test/test-regex_matches.py 2015-03-13 23:20:42.101128329 +0100
@@ -427,11 +427,10 @@
(' "/foo" {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
(' profile /foo {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
(' profile "/foo" {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
- (' profile foo /foo {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX
- (' profile foo /foo (audit) {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }), # XXX
- (' profile "foo" "/foo" {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX
- (' profile "foo bar" /foo {', { 'profile': 'foo bar /foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo bar', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX
- # XXX lines marked with XXX include the "broken" behaviour for 'profile' - they need to be changed when attachment is handled correctly
+ (' profile foo /foo {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
+ (' profile foo /foo (audit) {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }),
+ (' profile "foo" "/foo" {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
+ (' profile "foo bar" /foo {', { 'profile': 'foo bar', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo bar', 'attachment': '/foo', 'flags': None, 'comment': None }),
(' /foo (complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
(' /foo flags=(complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
(' /foo (complain) { # x', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': '# x'}),
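Review bot: The four updated rows only exercise attachments without whitespace, so no visible row covers an attachment that must itself be quoted. Now that `profile` and `attachment` are kept apart, a row such as `profile foo "/foo bar" {` would pin down where the name ends and the attachment begins; judging from the `"foo" "/foo"` row, the expected values are presumably `'profile': 'foo'` and `'attachment': '/foo bar'`. A row combining an attachment with the `flags=(complain)` form would be a useful companion, since the visible attachment rows only use the bare `(audit)` form. The table continues outside this hunk, so such cases may already exist there.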
Regards,
Christian Boltz
--
Ich frage mich, ob es einen richtigen Browser als Active-X Applet
für den MSIE gibt? [K. Köhntopp]