[apparmor] aa-sha1 utility

Christian Boltz apparmor at cboltz.de
Sun Sep 13 11:11:41 UTC 2015


Hello,

Am Donnerstag, 10. September 2015 schrieb John Johansen:
> It seems this has been asked for a lot lately, this is a slightly
> cleaned up version of the shell script hack I have been using. We
> certainly need a real tool for this but until then

Well, if we add some quoting and some error checks (especially in 
mktemp calls), this could be the tool we want ;-)

Here's a patch that
- adds lots of quoting
- adds || exit 1 after the mktemp calls
- adds --help
- documents the function parameters
- replaces ls | awk with stat to get the file size

With that patch applied (and maybe the word "hack" replaced in the 
comments ;-)), I'd accept aa-sha1 into bzr as an official tool.


--- aa-sha1_jj     2015-09-13 11:43:55.871549592 +0200
+++ aa-sha1_cb       2015-09-13 13:03:15.821206477 +0200
@@ -44,50 +44,69 @@
 # > cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.evince-thumbnailer.60/profiles/sanitized_helper.61/sha1
 # c7fa4e57e2ffd051c97d87c43fd3dfc8a5c7b3b7
 
+usage() {
+    echo "Usage: $0 AppArmor_cache_file [ AppArmor_cache_file ... ]"
+    echo
+    echo "compute sha1 of AppArmor profile cache files (for comparison with"
+    echo "/sys/kernel/security/apparmor/policy/profiles/<profile>/sha1 or"
+    echo "/sys/kernel/security/apparmor/policy/profiles/<profile>/profiles/<child profile>/sha1)"
+
+    exit 0
+}
+
 dosha1() {
-    local version=$1
-    local fsize=$2
-    local fname=$3
-    local start=$4
-    shift 4
+    local version="$1"  # tempfile ($version)
+    local fsize="$2"    # size (int)
+    local fname="$3"    # original cache file
+    local start="$4"    # start offset (int)
+    shift 4             # $5.. contains offsets (int)
 
-    f=`mktemp`
+    f=`mktemp || exit 1`
     while [ $# -gt 0 ] ; do
-        cp $version $f
+        cp "$version" "$f"
         local size=$(($1 - $start))
-        tail -c "+$(($start + 1))" $fname | head -c $size | tail -c 16 | head -c 11 | grep -Uaq -P '\x04\x08\x00version\x00'
+        tail -c "+$(($start + 1))" "$fname" | head -c $size | tail -c 16 | head -c 11 | grep -Uaq -P '\x04\x08\x00version\x00'
         res=$?
         if [ $res -eq 0 ] ; then
             size=$(($size - 16))
         fi
-        tail -c "+$(($start + 1))" $fname | head -c $size >> $f
-        IFS= read -r -d '' name X  < <(tail -c +20 $f)
-        local sum=`sha1sum $f | awk '{print $1}'`
+        tail -c "+$(($start + 1))" "$fname" | head -c $size >> "$f"
+        IFS= read -r -d '' name X  < <(tail -c +20 "$f")
+        local sum=`sha1sum "$f" | awk '{print $1}'`
         echo -e "  $sum: $name"
         start=$1
         shift 1
     done
-    rm $f
+    rm "$f"
 }
 
 process_file() {
+    # $1: tempfile ($version)
+    # $2: size
+    # $3: original cache file
+
     offsets=`grep -obUa -P '\x04\x08\x00profile\x00\x07' "$3" | awk --field-separator ":" '{print $1}'`
 
     offsets="$offsets $2"
     echo "FILE: $3"
 
-    dosha1 $1 $2 $3 $offsets
+    dosha1 "$1" "$2" "$3" $offsets
 }
 
-version=`mktemp`
+
+test "$1" == "--help" && usage
+test "$1" == "" && usage
+
+version=`mktemp || exit 1`
 for arg in $@ ; do
-    head -c 16 $arg | tail -c 4 >$version
-    size=`ls -l $arg | awk '{print $5 }'`
+    test -r "$arg" || { echo "Error: File $arg doesn't exist or isn't readable." >&2 ; exit 1; }
+    head -c 16 "$arg" | tail -c 4 > "$version"
+    size=`stat --format '%s' "$arg"`
     if [ $? -ne 0 ] ; then
-       echo "Error processing file \'$@\'"
-       exit
+       echo "Error processing file '$arg'"
+       exit 1
     fi
-    process_file $version $size $arg
+    process_file "$version" "$size" "$arg"
 done
-rm $version
+rm "$version"
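Review bot: The added `|| exit 1` inside the backticks (`f=\`mktemp || exit 1\`` in dosha1 and `version=\`mktemp || exit 1\`` at top level) exits only the command-substitution subshell, so a failed mktemp still leaves the script running with an empty `$f`/`$version` and the later `cp`, `head ... > ""` and `rm ""` operate on an empty path instead of stopping. The check has to be outside the substitution: `f=$(mktemp) || exit 1` and `version=$(mktemp) || exit 1`. The loop header `for arg in $@ ; do` is still unquoted and will split cache-file paths containing spaces, which the quoting on the other lines was meant to prevent; it should read `for arg in "$@" ; do`. Since `$name` comes from the cache file's bytes, `echo -e "  $sum: $name"` interprets backslash sequences from that data; `printf '  %s: %s\n' "$sum" "$name"` prints it verbatim. The temp files are also not removed if the script exits early via one of the new `exit 1` paths; a `trap 'rm -f -- "$version"' EXIT` after the top-level mktemp would cover that.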
 


Regards,

Christian Boltz
-- 
Ich selbst benutze kweather nicht (ich guck einfach aus dem Fenster).
[Hartmut Meyer in suse-linux]



