[apparmor] [PATCH 7/8] utils: Add option to aa-easyprof to specify the apparmor_parser path
Seth Arnold
seth.arnold at canonical.com
Thu Feb 9 00:23:08 UTC 2017
On Wed, Feb 08, 2017 at 10:01:44PM +0000, Tyler Hicks wrote:
> When testing against a clean system without the apparmor_parser binary
> installed, the test-aa-easyprof.py script ends up skipping profile
> verification because it can't find the parser binary. This even causes a
> test failure due to the test_genpolicy_invalid_template_policy test.
>
> Adding a --parser option to aa-easyprof is the first step in addressing
> this problem.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Cc: Christian Boltz <apparmor at cboltz.de>
> Cc: Jamie Strandboge <jamie at ubuntu.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> utils/aa-easyprof.pod | 6 ++++++
> utils/apparmor/easyprof.py | 25 +++++++++++++++++--------
> 2 files changed, 23 insertions(+), 8 deletions(-)
>
> diff --git a/utils/aa-easyprof.pod b/utils/aa-easyprof.pod
> index 1a08408..88288b7 100644
> --- a/utils/aa-easyprof.pod
> +++ b/utils/aa-easyprof.pod
> @@ -57,6 +57,12 @@ for supported policy groups. The available policy groups are in
> AppArmor rules or policies. They are similar to AppArmor abstractions, but
> usually encompass more policy rules.
>
> +=item --parser PATH
> +
> +Specify the PATH of the apparmor_parser binary to use when verifying
> +policy. If this option is not specified, aa-easyprof will attempt to
> +locate the path starting with /sbin/apparmor_parser.
> +
> =item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
>
> Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is
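Review bot: The new "=item --parser PATH" entry describes the lookup only as "starting with /sbin/apparmor_parser" and does not say what happens when no parser is found. Per the easyprof.py changes in this patch, the fallback is a `which apparmor_parser` lookup and, failing that, a warning with verification skipped. Suggest stating both in the pod so users know a generated policy may not have been compiled, and noting that a PATH given here is used as-is.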
> diff --git a/utils/apparmor/easyprof.py b/utils/apparmor/easyprof.py
> index 01c7fd6..c6e6932 100644
> --- a/utils/apparmor/easyprof.py
> +++ b/utils/apparmor/easyprof.py
> @@ -259,14 +259,11 @@ def open_file_read(path):
> return orig
>
>
> -def verify_policy(policy, base=None, include=None):
> +def verify_policy(policy, exe, base=None, include=None):
> '''Verify policy compiles'''
> - exe = "/sbin/apparmor_parser"
> - if not os.path.exists(exe):
> - rc, exe = cmd(['which', 'apparmor_parser'])
> - if rc != 0:
> - warn("Could not find apparmor_parser. Skipping verify")
> - return True
> + if not exe:
> + warn("Could not find apparmor_parser. Skipping verify")
> + return True
>
> fn = ""
> # if policy starts with '/' and is one line, assume it is a path
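Review bot: In verify_policy(), the new `if not exe:` branch still ends in `return True`, so a caller cannot tell a policy that compiled from one that was never checked. The commit message notes that this skip is what breaks test_genpolicy_invalid_template_policy on a system without the parser. Consider returning a distinct result or raising when exe is None, so that only an explicit no-verify request skips the check.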
> @@ -309,6 +306,14 @@ class AppArmorEasyProfile:
> if os.path.isfile(self.conffile):
> self._get_defaults()
>
> + self.parser_path = '/sbin/apparmor_parser'
> + if opt.parser_path:
> + self.parser_path = opt.parser_path
> + elif not os.path.exists(self.parser_path):
> + rc, self.parser_path = cmd(['which', 'apparmor_parser'])
> + if rc != 0:
> + self.parser_path = None
> +
> self.parser_base = "/etc/apparmor.d"
> if opt.parser_base:
> self.parser_base = opt.parser_base
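Review bot: In this hunk, `opt.parser_path` is assigned to self.parser_path without any check; the os.path.exists() test sits in the elif and only covers the /sbin/apparmor_parser default. A mistyped --parser value is therefore carried through to verify_policy() instead of being rejected at option handling. Suggest checking that the supplied path exists and is executable (os.access(path, os.X_OK)) and raising AppArmorException if not. It is also worth confirming that the string returned by cmd(['which', 'apparmor_parser']) has no trailing newline before it is stored as a path.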
> @@ -680,7 +685,7 @@ class AppArmorEasyProfile:
>
> if no_verify:
> debug("Skipping policy verification")
> - elif not verify_policy(policy, self.parser_base, self.parser_include):
> + elif not verify_policy(policy, self.parser_path, self.parser_base, self.parser_include):
> msg("\n" + policy)
> raise AppArmorException("Invalid policy")
>
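Review bot: The verify_policy() call now passes four positional arguments, and exe was inserted ahead of base in the signature, so any caller still using the old (policy, base, include) order would pass the base directory as the parser path without an error. Passing base=self.parser_base and include=self.parser_include by keyword here would make the order explicit.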
> @@ -823,6 +828,10 @@ def check_for_manifest_arg_append(option, opt_str, value, parser):
>
> def add_parser_policy_args(parser):
> '''Add parser arguments'''
> + parser.add_option("--parser",
> + dest="parser_path",
> + help="The path to the profile parser used for verification",
> + metavar="PATH")
> parser.add_option("-a", "--abstractions",
> action="callback",
> callback=check_for_manifest_arg,
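Review bot: The --parser help string says "profile parser" while aa-easyprof.pod says "apparmor_parser binary", and it does not mention the default. Suggest aligning the wording and naming the default, for example "Path to the apparmor_parser binary used for verification (default: /sbin/apparmor_parser)".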