[apparmor] apparmor utils --json for yast support
Goldwyn Rodrigues
rgoldwyn at suse.de
Fri Jul 8 02:33:17 UTC 2016
On 07/06/2016 04:18 PM, Christian Boltz wrote:
> Hello,
>
> On Wednesday, 6 July 2016, 16:03:02 CEST, Goldwyn Rodrigues wrote:
>> As discussed earlier on yast mailing list, we require json support on
>> the tools to make it more compatible with yast.
>>
>> If you have not started with it, I could work on it and send them to
>> the mailing list and you for review. If you have, could you let me
>> know how much you have worked on and if I could pitch in.
>
> I'm happy to hear that you want to work on this :-)
> This will speed up things a lot because I already have quite some things
> on my TODO list ;-)
>
> I have a proof-of-concept patch (see attachment) which I quickly hacked
> at the openSUSE Conference [1]. The patch is done on top of latest bzr
> trunk, but ui.py didn't really change recently, so it should also apply
> on top of 2.10.1.
>
> The patch hardcodes the output to JSON, this should obviously be
> replaced by an aa-logprof and aa-genprof --json commandline option ;-)
> (this option should set UI_mode in apparmor/ui.py).
>
> The patch switches the aa-logprof and aa-genprof output to JSON. I only
> did some quick testing, so I might have missed something.
>
>
> It will give you something like
>
> {
> "info": "Reading log entries from /var/log/audit/audit.log."
> }
> {
> "info": "Updating AppArmor profiles in /etc/apparmor.d."
> }
>
> Two info messages - they can probably be ignored in YaST.
> (Please don't ignore warnings or errors ;-)
>
> In text mode, that's simply displayed as
>
> Reading log entries from /var/log/audit/audit.log.
> Updating AppArmor profiles in /etc/apparmor.d.
>
>
>
> {
> "explanation": null,
> "menu_items": [
> "(I)nherit",
> "(C)hild",
> "(P)rofile",
> "(N)amed",
> "(U)nconfined",
> "(X) ix On",
> "(D)eny",
> "Abo(r)t",
> "(F)inish"
> ],
> "title": null,
> "options": null,
> "headers": [
> "Profile",
> "/usr/sbin/munin-node^/usr/lib/munin/plugins/mysql_innodb",
> "Execute",
> "/usr/bin/xargs",
> "Severity",
> 5
> ]
> }
>
> In text mode, this gets displayed as
>
> Profile: /usr/sbin/munin-node^/usr/lib/munin/plugins/mysql_innodb
> Execute: /usr/bin/xargs
> Severity: 5
>
> (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On /
> (D)eny / Abo(r)t / (F)inish
>
>
>
> {
> "explanation": null,
> "menu_items": [
> "(A)llow",
> "[(D)eny]",
> "(I)gnore",
> "Audi(t)",
> "Abo(r)t",
> "(F)inish"
> ],
> "title": null,
> "options": [
> "#include <abstractions/apache2-common>",
> "#include <abstractions/libvirt-qemu>",
> "#include <abstractions/nameservice>",
> "network inet stream,"
> ],
> "headers": [
> "Profile",
> "/usr/sbin/munin-node^/usr/lib/munin/plugins/apache_accesses",
> "Network Family",
> "inet",
> "Socket Type",
> "stream"
> ]
> }
>
> This example has "options" set. They get displayed as
>
> [ 1 -#include <abstractions/apache2-common> ]
> 2 - #include <abstractions/libvirt-qemu>
> 3 - #include <abstractions/nameservice>
> 4 -network inet stream,
>
> YaST should display these options with radio buttons so that the user
> can select one of them. You should add a "selected" item to the JSON to
> allow a different preselection - that would be useful after using
> '(N)ew' or '(G)lob'.
>
> Note that there can be lots of options in some cases [2], so please make
> the option list scrollable ;-)
>
>
> The JSON layout of "headers" might look strange, but that's what is
> internally used in aa-logprof because a) it ensures that the correct
> order is kept and b) avoids problems in the (unlikely) case that a
> header label appears more than once.
>
>
>
> You should probably also switch the input handling to expect JSON - the
> typical answer to a prompt would be something like (in python syntax)
> {'selected': '/etc/fstab r', 'button': '(A)llow'}
>
> The hotkeys are guaranteed to be unique by the AppArmor code.
>
> Everything in the JSON will already be translated, so YaST doesn't need
> to do any translation handling - just make sure to set/keep $LANG ;-)
>
>
> As I said, the attached patch is just a proof of concept, so feel free
> to change the JSON structure as needed. If in doubt, ask - even if it's
> just a quick patch, I tend to know what (and why) I'm doing ;-)
>
> Currently the AppArmor tools officially support python 2 and 3, but we
> plan to deprecate python 2 support in one of the next releases. If it
> makes your life easier, it would be ok if --json only works with python3
> (as long as you don't break non-JSON code for python 2).
>
> Oh, BTW: The latest aa-status (in bzr trunk) already has a --json and a
> --pretty-json option, so you don't need to re-invent the wheel on that
> one.
>
>
> I also hope/plan to use JSON for writing unit tests that can cover a
> full aa-logprof run (expected questions, send pre-configured answer,
> check if the resulting profile matches). You'll earn bonus points if you
> implement a script that can a) "log" an aa-logprof run as array of JSON
> input and output and b) run aa-logprof --json against this logged run
> and check if everything works as expected ;-)
>
> Feel free to send early patch versions for review or feedback.
> I know the code quite well and can usually spot errors or bad ideas[tm]
> quickly ;-)
>
>
Thanks, that's a lot of information. I will work on this and let you know
as the work progresses.
--
Goldwyn
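
Added example, not part of the original mail or of the AppArmor patch: a sketch of how a frontend could consume the JSON shown above and build an answer that only contains what the prompt offered. It assumes the objects arrive concatenated without a separator and that [ ] around a menu item marks the default; all function names are hypothetical.

```python
import json
import re

# Constructed sample: two objects from the mail, emitted back to back
# (no enclosing array, no separator), as the example output suggests.
SAMPLE = '''{"info": "Updating AppArmor profiles in /etc/apparmor.d."}
{"explanation": null, "title": null,
 "menu_items": ["(A)llow", "[(D)eny]", "(I)gnore", "Audi(t)", "Abo(r)t", "(F)inish"],
 "options": ["#include <abstractions/nameservice>", "network inet stream,"],
 "headers": ["Profile", "/usr/sbin/munin-node^/usr/lib/munin/plugins/apache_accesses",
             "Network Family", "inet", "Socket Type", "stream"]}
'''

def iter_messages(stream):
    """Yield each JSON object from a string of concatenated objects."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(stream) and stream[pos].isspace():
            pos += 1
        if pos == len(stream):
            return
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj

def header_pairs(headers):
    """Pair the flat [label, value, ...] list; order and duplicates survive."""
    if len(headers) % 2:
        raise ValueError("headers must hold label/value pairs")
    return list(zip(headers[0::2], headers[1::2]))

def parse_menu(menu_items):
    """Return ({hotkey: label}, default_label); [..] is assumed to mark the default."""
    keys, default = {}, None
    for item in menu_items:
        label = item.strip("[]")
        match = re.search(r"\((.)\)", label)
        if match is None:
            raise ValueError("menu item without hotkey: %r" % item)
        keys[match.group(1).lower()] = label
        if label != item:
            default = label
    return keys, default

def build_reply(prompt, hotkey, option_index=0):
    """Build the answer dict, refusing anything the prompt did not offer."""
    keys, _ = parse_menu(prompt["menu_items"])
    options = prompt.get("options") or []
    if hotkey.lower() not in keys or (options and not 0 <= option_index < len(options)):
        raise ValueError("answer was not offered by this prompt")
    return {"selected": options[option_index] if options else None,
            "button": keys[hotkey.lower()]}
```

The same check belongs on the tool side when it reads the answer back: a "button" or "selected" value that was not in the prompt just sent should be rejected rather than written into a profile.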