[apparmor] [PATCH 5/8] utils: Accept parser base and include options in aa-easyprof
Christian Boltz
apparmor at cboltz.de
Sun Feb 12 18:32:44 UTC 2017
Hello,
On Wednesday, 8 February 2017, 22:01:42 CET, Tyler Hicks wrote:
> https://launchpad.net/bugs/1521031
>
> aa-easyprof accepts a list of abstractions to include and, by default,
> execs apparmor_parser to verify the generated profile including any
> abstractions. However, aa-easyprof didn't provide the same
> flexibility as apparmor_parser when it came to where in the
> filesystem the abstraction files could exist.
>
> The parser supports --base (defaulting to /etc/apparmor.d) and
> --Include (defaulting to unset) options to specify the search paths
> for abstraction files. This patch adds the same options to
> aa-easyprof to aid in two different situations:
>
> 1) Some Ubuntu packages use aa-easyprof to generate AppArmor profiles
> at build time. Something that has been previously needed is a way for
> those packages to ship their own abstractions file(s) that are
> #included in the easyprof-generated profile. That's not been possible
> since the abstraction file(s) have not yet been installed during the
> package build.
>
> 2) The test-aa-easyprof.py script contains some tests that specify
> abstractions that should be #included. Without the ability to
> specify a different --base or --Include directory, the
> abstractions were required to be present in
> /etc/apparmor.d/abstractions/ or the tests would fail. This prevents
> the Python utils from being able to strictly test against in-tree
> code/profiles/etc.
>
> I don't like the names of the command line options --base and
> --Include. They're not particularly descriptive and the capital 'I'
> is not user friendly. However, I decided to preserve the name of the
> options from apparmor_parser.
> --- a/utils/apparmor/easyprof.py
> +++ b/utils/apparmor/easyprof.py
> @@ -506,9 +519,15 @@ class AppArmorEasyProfile:
>
> def gen_abstraction_rule(self, abstraction):
> '''Generate an abstraction rule'''
> - p = os.path.join(self.aa_topdir, "abstractions", abstraction)
> - if not os.path.exists(p):
> - raise AppArmorException("%s does not exist" % p)
> + base = os.path.join(self.parser_base, "abstractions",
> abstraction) + if not os.path.exists(base):
> + if not self.parser_include:
> + raise AppArmorException("%s does not exist" % base)
> +
> + include = os.path.join(self.parser_include,
> "abstractions", abstraction) + if not
> os.path.exists(include):
> + raise AppArmorException("Neither %s nor %s exist" %
> (base, include))
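Review bot: in gen_abstraction_rule, both os.path.join() calls take `abstraction` unchanged, so an absolute value or one containing `..` resolves outside parser_base and parser_include, and os.path.exists() also succeeds for a directory. These lines do not show whether the name is validated before this method is called; if it is not, consider rejecting such names here and checking with os.path.isfile() so that only a regular file under one of the two "abstractions" directories is accepted.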
Nitpicking - if a format string includes several %s, it's usually
better to use %{base_abstraction}s and %{include_abstraction}s.
In this case it doesn't matter too much - but it might still help
translators to understand what %s can be here.
> --- a/utils/test/test-aa-easyprof.py
> +++ b/utils/test/test-aa-easyprof.py
The changes look good. As a general note, you might want to switch to
the AATest class which will give you some things (like tempdir cleanup)
for free. But that's something for another patch ;-)
I'm not an expert on aa-easyprof, but since I didn't find an obvious
problem, I'll nevertheless add
Acked-by: Christian Boltz <apparmor at cboltz.de>
Regards,
Christian Boltz
--
Sometimes I feel that using osc (and OBS) is like driving an alien
space ship, full of nice features, but I cannot read the manual ;-)
[Filipe in opensuse-packaging]