[apparmor] [PATCH 5/8] utils: Accept parser base and include options in aa-easyprof

Christian Boltz apparmor at cboltz.de
Sun Feb 12 18:32:44 UTC 2017


Hello,

On Wednesday, 8 February 2017, 22:01:42 CET, Tyler Hicks wrote:
> https://launchpad.net/bugs/1521031
> 
> aa-easyprof accepts a list of abstractions to include and, by default,
> execs apparmor_parser to verify the generated profile including any
> abstractions. However, aa-easyprof didn't provide the same
> flexibility as apparmor_parser when it came to where in the
> filesystem the abstraction files could exist.
> 
> The parser supports --base (defaulting to /etc/apparmor.d) and
> --Include (defaulting to unset) options to specify the search paths
> for abstraction files. This patch adds the same options to
> aa-easyprof to aid in two different situations:
> 
>  1) Some Ubuntu packages use aa-easyprof to generate AppArmor profiles
>     at build time. Something that has been previously needed is a way
>     for those packages to ship their own abstractions file(s) that are
>     #included in the easyprof-generated profile. That's not been
>     possible since the abstraction file(s) have not yet been installed
>     during the package build.
> 
>  2) The test-aa-easyprof.py script contains some tests that specify
>     abstractions that should be #included. Without the ability to
>     specify a different --base or --Include directory, the
>     abstractions were required to be present in
>     /etc/apparmor.d/abstractions/ or the tests would fail. This
>     prevents the Python utils from being able to strictly test against
>     in-tree code/profiles/etc.
> 
> I don't like the names of the command line options --base and
> --Include. They're not particularly descriptive and the capital 'I'
> is not user friendly. However, I decided to preserve the name of the
> options from apparmor_parser.


> --- a/utils/apparmor/easyprof.py
> +++ b/utils/apparmor/easyprof.py

> @@ -506,9 +519,15 @@ class AppArmorEasyProfile:
> 
>      def gen_abstraction_rule(self, abstraction):
>          '''Generate an abstraction rule'''
> -        p = os.path.join(self.aa_topdir, "abstractions", abstraction)
> -        if not os.path.exists(p):
> -            raise AppArmorException("%s does not exist" % p)
> +        base = os.path.join(self.parser_base, "abstractions",
> abstraction) +        if not os.path.exists(base):
> +            if not self.parser_include:
> +                raise AppArmorException("%s does not exist" % base)
> +
> +            include = os.path.join(self.parser_include,
> "abstractions", abstraction) +            if not
> os.path.exists(include):
> +                raise AppArmorException("Neither %s nor %s exist" %
> (base, include)) 
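
Review bot: In gen_abstraction_rule(), self.parser_include is consulted only when the file is missing under self.parser_base, so the base directory always wins when both directories carry an abstraction of the same name. It is worth confirming that this matches the order in which apparmor_parser resolves --base and --Include, since otherwise this check can pass on one file while the parser loads another. The abstraction argument is also joined into both paths as given; if it is not validated before this point, rejecting absolute paths and ".." components here would keep the existence check inside the two abstractions directories. The docstring could also mention the two-directory lookup.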

Nitpicking - if a format string includes several %s, it's usually 
better to use %{base_abstraction}s and %{include_abstraction}s.
In this case it doesn't matter too much - but it might still help 
translators to understand what %s can be here.

> --- a/utils/test/test-aa-easyprof.py
> +++ b/utils/test/test-aa-easyprof.py

The changes look good. As a general note, you might want to switch to 
the AATest class which will give you some things (like tempdir cleanup) 
for free. But that's something for another patch ;-)

I'm not an expert on aa-easyprof, but since I didn't find an obvious 
problem, I'll nevertheless add
    Acked-by: Christian Boltz <apparmor at cboltz.de>


Regards,

Christian Boltz
-- 
Sometimes I feel that using osc (and OBS) is like driving an alien
space ship, full of nice features, but I cannot read the manual ;-)
[Filipe in opensuse-packaging]