[apparmor] apparmor utils --json for yast support
Christian Boltz
apparmor at cboltz.de
Wed Jul 6 21:18:34 UTC 2016
Hello,
Am Mittwoch, 6. Juli 2016, 16:03:02 CEST schrieb Goldwyn Rodrigues:
> As discussed earlier on yast mailing list, we require json support on
> the tools to make it more compatible with yast.
>
> If you have not started with it, I could work on it and send them to
> the mailing list and you for review. If you have, could you let me
> know how much you have worked on and if I could pitch in.
I'm happy to hear that you want to work on this :-)
This will speed up things a lot because I already have quite some things
on my TODO list ;-)
I have a proof-of-concept patch (see attachment) which I quickly hacked
at the openSUSE Conference [1]. The patch is done on top of latest bzr
trunk, but ui.py didn't really change recently, so it should also apply
on top of 2.10.1.
The patch hardcodes the output to JSON, this should obviously be
replaced by an aa-logprof and aa-genprof --json commandline option ;-)
(this option should set UI_mode in apparmor/ui.py).
The patch switches the aa-logprof and aa-genprof output to JSON. I only
did some quick testing, so I might have missed something.
It will give you something like
{
"info": "Reading log entries from /var/log/audit/audit.log."
}
{
"info": "Updating AppArmor profiles in /etc/apparmor.d."
}
Two info messages - they can probably be ignored in YaST.
(Please don't ignore warnings or errors ;-)
In text mode, that's simply displayed as
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
{
"explanation": null,
"menu_items": [
"(I)nherit",
"(C)hild",
"(P)rofile",
"(N)amed",
"(U)nconfined",
"(X) ix On",
"(D)eny",
"Abo(r)t",
"(F)inish"
],
"title": null,
"options": null,
"headers": [
"Profile",
"/usr/sbin/munin-node^/usr/lib/munin/plugins/mysql_innodb",
"Execute",
"/usr/bin/xargs",
"Severity",
5
]
}
In text mode, this gets displayed as
Profile: /usr/sbin/munin-node^/usr/lib/munin/plugins/mysql_innodb
Execute: /usr/bin/xargs
Severity: 5
(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On /
(D)eny / Abo(r)t / (F)inish
{
"explanation": null,
"menu_items": [
"(A)llow",
"[(D)eny]",
"(I)gnore",
"Audi(t)",
"Abo(r)t",
"(F)inish"
],
"title": null,
"options": [
"#include <abstractions/apache2-common>",
"#include <abstractions/libvirt-qemu>",
"#include <abstractions/nameservice>",
"network inet stream,"
],
"headers": [
"Profile",
"/usr/sbin/munin-node^/usr/lib/munin/plugins/apache_accesses",
"Network Family",
"inet",
"Socket Type",
"stream"
]
}
This example has "options" set. They get displayed as
[ 1 -#include <abstractions/apache2-common> ]
2 - #include <abstractions/libvirt-qemu>
3 - #include <abstractions/nameservice>
4 -network inet stream,
YaST should display these options with radio buttons so that the user
can select one of them. You should add a "selected" item to the JSON to
allow a different preselection - that would be useful after using
'(N)ew' or '(G)lob'.)
Note that there can be lots of options in some cases [2], so please make
the option list scrollable ;-)
The JSON layout of "headers" might look strange, but that's what is
internally used in aa-logprof because a) it ensures that the correct
order is kept and b) avoids problems in the (unlikely) case that a
header label appears more than once.
You should probably also switch the input handling to expect JSON - the
typical answer to a prompt would be something like (in python syntax)
{'selected': '/etc/fstab r', 'button': '(A)llow'}
The hotkeys are guaranteed to be unique by the AppArmor code.
Everything in the JSON will already be translated, so YaST doesn't need
to do any translation handling - just make sure to set/keep $LANG ;-)
As I said, the attached patch is just a proof of concept, so feel free
to change the JSON structure as needed. If in doubt, ask - even if it's
just a quick patch, I tend to know what (and why) I'm doing ;-)
Currently the AppArmor tools officially support python 2 and 3, but we
plan to deprecate python 2 support in one of the next releases. If it
makes your life easier, it would be ok if --json only works with python3
(as long as you don't break non-JSON code for python 2).
Oh, BTW: The latest aa-status (in bzr trunk) already has a --json and a
--pretty-json option, so you don't need to re-invent the wheel on that
one.
I also hope/plan to use JSON for writing unit tests that can cover a
full aa-logprof run (expected questions, send pre-configured answer,
check if the resulting profile matches). You'll earn bonus points if you
implement a script that can a) "log" an aa-logprof run as array of JSON
input and output and b) run aa-logprof --json against this logged run
and check if everything works as expected ;-)
Feel free to send early patch versions for review or feedback.
I know the code quite good and can usually spot errors or bad ideas[tm]
quickly ;-)
Regards,
Christian Boltz
[1] I spent only 20 minutes on it to have something to surprise Josef
after his talk ;-) so the patch is far from finished.
[2] shouldn't happen with the default profile set, but it can happen if
someone like me has lots of autogenerated abstractions for apache
virtual hosts and all of them match an event ;-)
--
I am the "ILOVEGNU" signature virus. Just copy me to your signature.
This message was infected under the terms of the GNU General Public
License.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apparmor-utils-json-POC.diff
Type: text/x-patch
Size: 7611 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160706/d3d3ca95/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160706/d3d3ca95/attachment.pgp>
More information about the AppArmor
mailing list