[apparmor] [patch] aa-genprof: ask about profiles in extra dir (again)

Christian Boltz apparmor at cboltz.de
Wed Jun 1 00:07:10 UTC 2016


Hello,

thanks to reading the wrong directory in read_inactive_profiles()
(profile_dir instead of extra_profile_dir), aa-genprof never asked about
using a profile from the extra_profile_dir.

Sounds like an easy fix, right? ;-)

After fixing this (last chunk), several other errors popped up, one
after the other:
- get_profile() missed a required parameter in a serialize_profile() call
- when saving the profile, it was written to extra_profile_dir, not to
  profile_dir where it (as a now-active profile) should be. This is
  fixed by removing the filename from existing_profiles{} so that it can
  pick up the default name.
- CMD_FINISHED (when asking if the extra profile should be used or a new
  one) behaved exactly like CMD_CREATE_PROFILE, but this is surprising
  for the user. Remove it to avoid confusion.
- displaying the extra profile was only implemented in YaST mode
- get_pager() returned None, not an actual pager. Since we have 'less'
  hardcoded in several places, also return it in get_pager()

Finally, also remove CMD_FINISHED from the get_profile() test in
test-translations.py.


I propose this patch for 2.9, 2.10 and trunk
(test-translations.py is only in trunk, therefore this part of the patch
is obviously trunk-only.)


[ 01-genprof-ask-for-extra-dir.diff ]

=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2016-05-30 23:16:05.713448348 +0200
+++ utils/apparmor/aa.py        2016-06-01 01:25:31.242505830 +0200
@@ -578,8 +578,11 @@
         inactive_profile[prof_name][prof_name].pop('filename')
         profile_hash[uname]['username'] = uname
         profile_hash[uname]['profile_type'] = 'INACTIVE_LOCAL'
-        profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name)
+        profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name, None)
         profile_hash[uname]['profile_data'] = inactive_profile
+
+        existing_profiles.pop(prof_name)  # remove profile filename from list to force storing in /etc/apparmor.d/ instead of extra_profile_dir
+
     # If no profiles in repo and no inactive profiles
     if not profile_hash.keys():
         return None
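Review bot: `existing_profiles.pop(prof_name)` raises KeyError when prof_name is not a key of existing_profiles, which would abort aa-genprof in the middle of offering the extra profile; `existing_profiles.pop(prof_name, None)` avoids that. The pop also runs while the option list is still being built, before the prompt further down, so the entry is dropped whatever the user then chooses. If that is intended, a comment line above the statement saying so would read better than the long trailing comment. The enclosing function starts and ends outside the hunk.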
@@ -604,18 +607,13 @@
 
     q = aaui.PromptQuestion()
     q.headers = ['Profile', prof_name]
-    q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE',
-                      'CMD_ABORT', 'CMD_FINISHED']
+    q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT']
     q.default = "CMD_VIEW_PROFILE"
     q.options = options
     q.selected = 0
 
     ans = ''
     while 'CMD_USE_PROFILE' not in ans and 'CMD_CREATE_PROFILE' not in ans:
-        if ans == 'CMD_FINISHED':
-            save_profiles()
-            return
-
         ans, arg = q.promptUser()
         p = profile_hash[options[arg]]
         q.selected = options.index(options[arg])
@@ -627,12 +625,13 @@
                                 'profile_type': p['profile_type']
                                 })
                 ypath, yarg = GetDataFromYast()
-            #else:
-            #    pager = get_pager()
-            #    proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
+            else:
+                pager = get_pager()
+                proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
             #    proc.communicate('Profile submitted by %s:\n\n%s\n\n' %
             #                     (options[arg], p['profile']))
-            #    proc.kill()
+                proc.communicate(p['profile'].encode())
+                proc.kill()
         elif ans == 'CMD_USE_PROFILE':
             if p['profile_type'] == 'INACTIVE_LOCAL':
                 profile_data = p['profile_data']
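Review bot: The two commented-out `proc.communicate('Profile submitted by ...` lines now sit between the live `Popen` and `communicate` calls and should be deleted so the else branch reads cleanly. `proc.kill()` after `proc.communicate(p['profile'].encode())` is redundant, because communicate() only returns once the pager has exited. Nothing in the visible lines handles the OSError that `subprocess.Popen(pager, stdin=subprocess.PIPE)` raises when the pager binary is missing, so a small `try`/`except OSError` with a user-facing message would be worth adding. The enclosing function starts and ends outside the hunk.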
@@ -683,6 +682,7 @@
     if not profile_data:
         profile_data = create_new_profile(pname)
     file = get_profile_filename(pname)
+    profile_data[pname][pname]['filename'] = None  # will be stored in /etc/apparmor.d when saving, so it shouldn't carry the extra_profile_dir filename
     attach_profile_data(aa, profile_data)
     attach_profile_data(original_aa, profile_data)
     if os.path.isfile(profile_dir + '/tunables/global'):
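Review bot: `profile_data[pname][pname]['filename'] = None` assumes the data is keyed by pname at both levels and will raise KeyError otherwise, for example if an extra profile is stored under a different profile name; that may not be reachable, but it is not guarded in the visible lines. The assignment also applies to data that came from `create_new_profile(pname)`, where no extra_profile_dir filename should exist, so the trailing comment only describes one of the two paths. Moving the explanation to its own line above the statement, e.g. `# saved to profile_dir later, so drop any extra_profile_dir filename`, would keep the line readable. The function body continues outside the hunk.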
@@ -1960,7 +1970,7 @@
                 reload_base(profile_name)
 
 def get_pager():
-    pass
+    return 'less'
 
 def generate_diff(oldprofile, newprofile):
     oldtemp = tempfile.NamedTemporaryFile('w')
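Review bot: get_pager() now returns the bare name `'less'`, which `subprocess.Popen` resolves through the PATH of the calling process; for a tool that is normally run with root privileges, a fixed path or a configurable setting would be more predictable than a PATH lookup. A docstring such as `"""Return the pager command used to display a profile (currently always 'less')."""` would document that the value is deliberately hard-coded.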
@@ -2204,7 +2214,7 @@
     except:
         fatal_error(_("Can't read AppArmor profiles in %s") % extra_profile_dir)
 
-    for file in os.listdir(profile_dir):
+    for file in os.listdir(extra_profile_dir):
         if os.path.isfile(extra_profile_dir + '/' + file):
             if is_skippable_file(file):
                 continue
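Review bot: The `try` whose `except:` branch reports "Can't read AppArmor profiles in %s" for extra_profile_dir starts above the hunk, so it is worth confirming that its body also probes extra_profile_dir and not profile_dir; otherwise an unreadable extra directory would surface as an unhandled OSError from the corrected `os.listdir(extra_profile_dir)`. As a style point on the lines being touched, `os.path.join(extra_profile_dir, file)` would be clearer than `extra_profile_dir + '/' + file`. The loop body continues outside the hunk.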

=== modified file 'utils/test/test-translations.py'
--- utils/test/test-translations.py     2016-05-14 11:25:15 +0000
+++ utils/test/test-translations.py     2016-05-31 23:58:23 +0000
@@ -24,7 +24,7 @@
         (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_ABORT', 'CMD_FINISHED'], True),  # aa.py available_buttons() with CMD_AUDIT_OFF
         (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_ABORT', 'CMD_FINISHED'], True),  # aa.py available_buttons() with CMD_AUDIT_NEW
         (['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT'],                              True),  # aa.py save_profiles()
-        (['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT', 'CMD_FINISHED'],                                        True),  # aa.py get_profile()
+        (['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT'],                                                        True),  # aa.py get_profile()
         (['CMD_UPLOAD_CHANGES', 'CMD_VIEW_CHANGES', 'CMD_ASK_LATER', 'CMD_ASK_NEVER', 'CMD_ABORT'],                                         True),  # aa.py console_select_and_upload_profiles()
         (['CMD_ix', 'CMD_pix', 'CMD_cix', 'CMD_nix', 'CMD_EXEC_IX_OFF', 'CMD_ux', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'],                 True),  # aa.py build_x_functions() with exec_toggle
         (['CMD_ix', 'CMD_cx', 'CMD_px', 'CMD_nx', 'CMD_ux', 'CMD_EXEC_IX_ON', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'],                     True),  # aa.py build_x_functions() without exec_toggle




Regards,

Christian Boltz
-- 
> > Vielen Dank, daß du dir die Zeit nimmst, dran rumzutesten.
> Wenn Du es nicht gemerkt hast: Ich empfehle Dir jetzt die Features,
> die ich gern hätte. Geht schneller, als es selbst zu bauen *g*
Verdammt. Ich wurde reingelegt! ;-))
[Ratti zu > $me beim Testen seiner Fontlinge]