[apparmor] [patch] [25/38] Set audit mode for all options
Christian Boltz
apparmor at cboltz.de
Fri Aug 12 21:01:50 UTC 2016
Hello,
this patch adds set_options_audit_mode() to switch the audit mode in all
options offered by aa-logprof and aa-mergeprof, not only the "original"
rule (in aa-logprof, this means the non-globbed rule_obj).
As usual, add some tests to ensure the function works as expected.
[ 25-set-audit-mode-for-all-options.diff ]
=== modified file ./utils/aa-mergeprof
--- utils/aa-mergeprof 2016-05-11 00:20:02.142578188 +0200
+++ utils/aa-mergeprof 2016-05-13 22:32:16.020604715 +0200
@@ -26,7 +26,7 @@ import apparmor.ui as aaui
from apparmor.aa import (add_to_options, available_buttons, combine_name, delete_duplicates,
get_profile_filename, is_known_rule, match_includes,
- propose_file_rules, selection_to_rule_obj)
+ set_options_audit_mode, propose_file_rules, selection_to_rule_obj)
from apparmor.aare import AARE
from apparmor.common import AppArmorException
from apparmor.regex import re_match_include
@@ -689,8 +689,7 @@
rule_obj.audit = False
rule_obj.raw_rule = None
- options[len(options) - 1] = rule_obj.get_clean()
- q.options = options
+ options = set_options_audit_mode(rule_obj, options)
elif ans == 'CMD_ALLOW':
done = True
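Review bot: The new line rebinds the local `options`, but the removed `q.options = options` has no replacement, so the prompt object may keep pointing at the old list. The old code changed the list in place and then reassigned it, whereas `set_options_audit_mode()` returns a fresh list. Unless `q.options` is assigned again at the top of the loop (not visible in this hunk), the displayed choices would not reflect the audit toggle, and the user could accept a rule whose audit state differs from what was shown. If that reassignment is not guaranteed, keep `q.options = options` directly after the call. The same applies to the identical hunk in utils/apparmor/aa.py at line 1618; in both files the enclosing function starts and ends outside the hunk.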
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2016-05-13 21:59:57.919133776 +0200
+++ utils/apparmor/aa.py 2016-05-13 22:19:49.076773309 +0200
@@ -1618,8 +1618,7 @@
rule_obj.audit = False
rule_obj.raw_rule = None
- options[len(options) - 1] = rule_obj.get_clean()
- q.options = options
+ options = set_options_audit_mode(rule_obj, options)
elif ans == 'CMD_ALLOW':
done = True
@@ -1698,6 +1697,24 @@
rule_type = type(rule_obj)
return rule_type.parse(selection)
+def set_options_audit_mode(rule_obj, options):
+ '''change audit state in options (proposed rules) to audit state in rule_obj.
+ #include options will be kept unchanged
+ '''
+ new_options = []
+
+ for rule in options:
+ if re_match_include(rule):
+ new_options.append(rule)
+ else:
+ parsed_rule = selection_to_rule_obj(rule_obj, rule)
+ parsed_rule.audit = rule_obj.audit
+ parsed_rule.raw_rule = None
+ new_options.append(parsed_rule.get_raw())
+
+ return new_options
+
+
def ask_the_questions_OLD_FILE_CODE(): # XXX unused
global seen_events
# Process all the path entries.
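Review bot: `set_options_audit_mode()` sends every option that is not an include line through `selection_to_rule_obj()`, which calls `type(rule_obj).parse()`, so an option that is not a valid rule of that type would raise out of the prompt loop. The docstring should state that precondition. It should also say that a new list is returned and the input list is left untouched, since callers previously relied on in-place mutation. A why-comment on the reset would help too, for example `# clear cached text so get_raw() re-serializes with the new audit flag` above `parsed_rule.raw_rule = None`; this presumes `get_raw()` prefers `raw_rule` when it is set, which the hunk does not show. The trailing context belongs to `ask_the_questions_OLD_FILE_CODE`, whose body continues outside the hunk.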
=== modified file ./utils/test/test-aa.py
--- utils/test/test-aa.py 2016-05-11 00:20:02.142578188 +0200
+++ utils/test/test-aa.py 2016-05-13 22:29:59.213365666 +0200
@@ -18,7 +18,7 @@
import apparmor.aa # needed to set global vars in some tests
from apparmor.aa import (check_for_apparmor, get_output, get_reqs, get_interpreter_and_abstraction, create_new_profile,
- get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir,
+ get_profile_flags, set_profile_flags, set_options_audit_mode, is_skippable_file, is_skippable_dir,
parse_profile_start, parse_profile_data, separate_vars, store_list_var, write_header,
var_transform, serialize_parse_profile_start, get_file_perms, propose_file_rules)
from apparmor.aare import AARE
@@ -386,6 +386,19 @@
with self.assertRaises(IOError):
set_profile_flags('%s/file-not-found' % self.tmpdir, '/foo', 'audit')
+class AaTest_set_options_audit_mode(AATest):
+ tests = [
+ ((FileRule.parse('audit /foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,'] ), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']),
+ ((FileRule.parse('audit /foo/bar r,'), ['/foo/bar r,', 'audit /foo/* r,', 'audit /** r,'] ), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']),
+ ((FileRule.parse('/foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,'] ), ['/foo/bar r,', '/foo/* r,', '/** r,']),
+ ((FileRule.parse('/foo/bar r,'), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,'] ), ['/foo/bar r,', '/foo/* r,', '/** r,']),
+ ((FileRule.parse('audit /foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '#include <abstractions/base>']), ['audit /foo/bar r,', 'audit /foo/* r,', '#include <abstractions/base>']),
+ ]
+
+ def _run_test(self, params, expected):
+ rule_obj, options = params
+ new_options = set_options_audit_mode(rule_obj, options)
+ self.assertEqual(new_options, expected)
class AaTest_is_skippable_file(AATest):
def test_not_skippable_01(self):
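Review bot: The test table in `AaTest_set_options_audit_mode` exercises only the audit flag on plain allow rules, so nothing pins that other modifiers survive the parse-and-reserialize round trip. For `deny` options in particular, a regression that dropped the modifier would turn a proposed deny rule into an allow rule. Consider adding a case such as `((FileRule.parse('audit deny /foo/bar r,'), ['deny /foo/bar r,', 'deny /foo/* r,']), ['audit deny /foo/bar r,', 'audit deny /foo/* r,'])`, with the expected strings confirmed against FileRule's serializer. An empty `options` list would be a cheap second case. The following class `AaTest_is_skippable_file` continues outside the hunk.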
Regards,
Christian Boltz
--
Ich habe sogar schon den passenden Werbespruch für suse-announce:
*Nicht nur sauber sondern rein: Mails gewaschen und gebügelt mit t-prot!
Noch nie war Mega-Perl so saugstark!!!* [Jan Trippler in suse-linux]