[apparmor] apparmor utils --json for yast support

Christian Boltz apparmor at cboltz.de
Wed Jul 6 21:18:34 UTC 2016


On Wednesday, 6 July 2016, 16:03:02 CEST, Goldwyn Rodrigues wrote:
> As discussed earlier on yast mailing list, we require json support on
> the tools to make it more compatible with yast.
> If you have not started with it, I could work on it and send them to
> the mailing list and you for review. If you have, could you let me
> know how much you have worked on and if I could pitch in.

I'm happy to hear that you want to work on this :-)
This will speed up things a lot because I already have quite a few things 
on my TODO list ;-)

I have a proof-of-concept patch (see attachment) which I quickly hacked 
at the openSUSE Conference [1]. The patch is done on top of latest bzr 
trunk, but ui.py didn't really change recently, so it should also apply 
on top of 2.10.1.

The patch hardcodes the output to JSON, this should obviously be 
replaced by an aa-logprof and aa-genprof --json commandline option ;-)  
(this option should set UI_mode in apparmor/ui.py).

The patch switches the aa-logprof and aa-genprof output to JSON. I only 
did some quick testing, so I might have missed something.

It will give you something like

    "info": "Reading log entries from /var/log/audit/audit.log."
    "info": "Updating AppArmor profiles in /etc/apparmor.d."

Two info messages - they can probably be ignored in YaST.
(Please don't ignore warnings or errors ;-)

In text mode, that's simply displayed as

Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.

    "explanation": null,
    "menu_items": [
        "(X) ix On",
    "title": null,
    "options": null,
    "headers": [

In text mode, this gets displayed as

Profile:  /usr/sbin/munin-node^/usr/lib/munin/plugins/mysql_innodb
Execute:  /usr/bin/xargs
Severity: 5

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / 
(D)eny / Abo(r)t / (F)inish

    "explanation": null,
    "menu_items": [
    "title": null,
    "options": [
        "#include <abstractions/apache2-common>",
        "#include <abstractions/libvirt-qemu>",
        "#include <abstractions/nameservice>",
        "network inet stream,"
    "headers": [
        "Network Family",
        "Socket Type",

This example has "options" set. They get displayed as

[ 1 -#include <abstractions/apache2-common> ]
  2 - #include <abstractions/libvirt-qemu>
  3 - #include <abstractions/nameservice>
  4 -network inet stream,

YaST should display these options with radio buttons so that the user 
can select one of them.  You should add a "selected" item to the JSON to 
allow a different preselection - that would be useful after using 
'(N)ew' or '(G)lob'.

Note that there can be lots of options in some cases [2], so please make 
the option list scrollable ;-)

The JSON layout of "headers" might look strange, but that's what is 
internally used in aa-logprof because a) it ensures that the correct 
order is kept and b) avoids problems in the (unlikely) case that a 
header label appears more than once.

You should probably also switch the input handling to expect JSON - the 
typical answer to a prompt would be something like (in python syntax)
    {'selected': '/etc/fstab r', 'button': '(A)llow'}

The hotkeys are guaranteed to be unique by the AppArmor code.

Everything in the JSON will already be translated, so YaST doesn't need 
to do any translation handling - just make sure to set/keep $LANG ;-)

As I said, the attached patch is just a proof of concept, so feel free 
to change the JSON structure as needed. If in doubt, ask - even if it's 
just a quick patch, I tend to know what (and why) I'm doing ;-)

Currently the AppArmor tools officially support python 2 and 3, but we 
plan to deprecate python 2 support in one of the next releases. If it 
makes your life easier, it would be ok if --json only works with python3 
(as long as you don't break non-JSON code for python 2).

Oh, BTW: The latest aa-status (in bzr trunk) already has a --json and a 
--pretty-json option, so you don't need to re-invent the wheel on that.

I also hope/plan to use JSON for writing unit tests that can cover a 
full aa-logprof run (expected questions, send pre-configured answers, 
check if the resulting profile matches). You'll earn bonus points if you 
implement a script that can a) "log" an aa-logprof run as array of JSON 
input and output and b) run aa-logprof --json against this logged run 
and check if everything works as expected ;-)

Feel free to send early patch versions for review or feedback. 
I know the code quite well and can usually spot errors or bad ideas[tm] 
quickly ;-)


Christian Boltz

[1] I spent only 20 minutes on it to have something to surprise Josef 
    after his talk ;-) so the patch is far from finished.

[2] shouldn't happen with the default profile set, but it can happen if
    someone like me has lots of autogenerated abstractions for apache
    virtual hosts and all of them match an event ;-)

I am the "ILOVEGNU" signature virus. Just copy me to your signature.
This message was infected under the terms of the GNU General Public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apparmor-utils-json-POC.diff
Type: text/x-patch
Size: 7611 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160706/d3d3ca95/attachment.bin>
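The mail sketches a question/answer protocol (prompts carrying "headers", "options", "menu_items", a suggested "selected" key; answers of the form {'selected': ..., 'button': ...}) and a record-and-replay harness built on it. The following is an added example written for this page, not code from the AppArmor project or from the attached proof-of-concept patch. It assumes the field layout quoted above plus the suggested "selected" index, assumes that a hotkey is the single letter in parentheses in each menu item, and invents the rule-prompt menu (the mail only names '(A)llow', '(N)ew' and '(G)lob'); the transcript at the bottom is constructed, modelled on the two prompts quoted in the mail.

```python
"""JSON prompt/answer protocol for an aa-logprof style tool, with replay.

Added example; not code from the AppArmor project or the attached patch.
Assumed layout (field names quoted in the mail plus the suggested
"selected" key): a question is {"title", "explanation", "headers"
(ordered [label, value] pairs), "options" (list or null), "menu_items"
(strings whose hotkey is the letter in parentheses), "selected" (index
into options, or null)}; an answer is {"selected": <option text or null>,
"button": <menu item text>}.
"""
import json
import re

HOTKEY_RE = re.compile(r"\(([A-Za-z])\)")


def hotkey(menu_item):
    """Lower-case hotkey of an item such as '(A)llow' or 'Abo(r)t'."""
    m = HOTKEY_RE.search(menu_item)
    if not m:
        raise ValueError("menu item without hotkey: %r" % menu_item)
    return m.group(1).lower()


def menu_hotkeys(menu_items):
    """Hotkeys of a menu; refuses duplicates (the text UI relies on uniqueness)."""
    keys = [hotkey(item) for item in menu_items]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError("duplicate hotkeys in menu: %s" % dupes)
    return keys


def encode_question(q):
    """One prompt as a single JSON line, as a --json UI would print it."""
    menu_hotkeys(q["menu_items"])
    return json.dumps(q, sort_keys=True)


def decode_answer(line):
    """Parse a JSON answer line; only the two documented keys are accepted."""
    answer = json.loads(line)
    if not isinstance(answer, dict) or set(answer) != {"selected", "button"}:
        raise ValueError("answer must have exactly 'selected' and 'button'")
    return answer


def validate_answer(q, answer):
    """Return (hotkey, selected option) or raise if the answer is off-menu."""
    button = answer.get("button")
    if button is None or hotkey(button) not in menu_hotkeys(q["menu_items"]):
        raise ValueError("button %r not offered by %r" % (button, q["menu_items"]))
    selected, options = answer.get("selected"), q.get("options")
    if options is None and selected is not None:
        raise ValueError("prompt has no options but %r was selected" % selected)
    if options is not None and selected not in options:
        raise ValueError("%r is not one of the offered options" % selected)
    return hotkey(button), selected


def is_valid_answer(q, answer):
    """Boolean form of validate_answer, for callers that only need yes/no."""
    try:
        validate_answer(q, answer)
        return True
    except ValueError:
        return False


def render_text(q):
    """Text-mode rendering of a JSON prompt, in the style shown in the mail."""
    lines = ["%s:  %s" % (label, value) for label, value in q["headers"]]
    if q.get("options"):
        lines.append("")
        for i, opt in enumerate(q["options"]):
            mark = "[ %d - %s ]" if i == q.get("selected") else "  %d - %s"
            lines.append(mark % (i + 1, opt))
    lines += ["", " / ".join(q["menu_items"])]
    return "\n".join(lines)


def replay(transcript):
    """Re-run recorded [{"question": ..., "answer": <json line>}] steps.

    Raises if a recorded answer no longer fits its question, e.g. after a
    change to the profiles reorders or removes options.
    """
    return [validate_answer(s["question"], decode_answer(s["answer"]))
            for s in transcript]


# Constructed transcript, modelled on the two prompts quoted in the mail.
EXEC_Q = {
    "title": None, "explanation": None, "options": None, "selected": None,
    "headers": [["Profile", "/usr/sbin/munin-node^/usr/lib/munin/plugins/mysql_innodb"],
                ["Execute", "/usr/bin/xargs"], ["Severity", 5]],
    "menu_items": ["(I)nherit", "(C)hild", "(P)rofile", "(N)amed", "(U)nconfined",
                   "(X) ix On", "(D)eny", "Abo(r)t", "(F)inish"],
}
NET_Q = {
    "title": None, "explanation": None, "selected": 3,
    "headers": [["Network Family", "inet"], ["Socket Type", "stream"]],
    "options": ["#include <abstractions/apache2-common>",
                "#include <abstractions/libvirt-qemu>",
                "#include <abstractions/nameservice>",
                "network inet stream,"],
    # assumed menu for a rule prompt; the mail only names (A)llow, (N)ew, (G)lob
    "menu_items": ["(A)llow", "(D)eny", "(I)gnore", "(G)lob",
                   "Glob with (E)xtension", "(N)ew", "Abo(r)t", "(F)inish"],
}
TRANSCRIPT = [
    {"question": EXEC_Q, "answer": '{"selected": null, "button": "(I)nherit"}'},
    {"question": NET_Q, "answer": '{"selected": "network inet stream,", "button": "(A)llow"}'},
]

if __name__ == "__main__":
    for step in TRANSCRIPT:
        print(encode_question(step["question"]))
    print(replay(TRANSCRIPT))
```

The replay step is the part worth keeping strict: an answer whose button is not on the menu, or whose selection is not among the offered options, is rejected rather than mapped to a default, so a recorded run fails loudly when the tool's prompts change underneath it.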