1. 06 Dec, 2018 1 commit
  2. 18 Nov, 2018 1 commit
    • Christian Boltz's avatar
      Fix viewing a local inactive profile in aa-genprof · 8b4e76a7
      Christian Boltz authored
      aa-genprof checks if one of the profiles in the extra profile dir
      matches the binary, and proposes to use that profile as a starting
      Since 4d722f18 the "(V)iew profile"
      option to display the proposed profile was broken.
      The easiest fix is to remember the filename in the extras directory, and
      display the file from there.
      Sidenote: when choosing to use the extra profile, it gets written to
      disk without any problems, so this bug really only affected "(V)iew
      profile" to preview the proposed extra profile.
  3. 13 Nov, 2018 1 commit
    • Christian Boltz's avatar
      parse_profile_data(): Ensure last line in a profile is valid · 4efff35b
      Christian Boltz authored
      'lastline' gets merged into 'line' (and reset to None) when reading the
      next line. If 'lastline' isn't empty after reading the whole profile,
      this means there's something unparseable at the end of the profile,
      therefore parse_profile_data() should error out.
      Also remove some simple_tests testcases from the 'exception_not_raised'
      list - they only didn't raise the exception because the invalid rule was
      the last line in the affected profile.
      Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
      discovering this bug while adding some xattr testcases that surprisingly
      didn't fail in the tools.
  4. 09 Nov, 2018 1 commit
  5. 22 Oct, 2018 6 commits
    • Christian Boltz's avatar
      Replace existing_profiles & fix minitools for named profiles · 4d722f18
      Christian Boltz authored
      Technical stuff first:
      Replace existing_profiles (a dict with the filenames for both active and
      inactive profiles) with active_profiles and extra_profiles which are
      ProfileList()s and store the active profiles and those in the extra
      directory separately. Thanks to ProfileList, now also the relation
      between attachments and filenames is easily available.
      Also replace all usage of existing_profiles with active_profiles and
      extra_profiles, and adjust it to the ProfileList syntax everywhere.
      With this change, several bugs in aa-complain and the other minitools
      get fixed:
      - aa-complain etc. never found profiles that have a profile name
        (the attachment wasn't checked)
      - even if the profile name was given as parameter to aa-complain, it
        first did "which $parameter" so it never matched on named profiles
      - profile names with alternations (without attachment specification)
        also never matched because the old code didn't use AARE.
      References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
      (search for "As usual" ;-)
      Just for completeness - the matching still doesn't honor/expand
      variables in the profile name.
    • Christian Boltz's avatar
      add ProfileList class to store list of profiles · 789c4658
      Christian Boltz authored
      ProfileList is meant to store the list of profiles (both name and
      attachment) and in which files they live.
      Also add unittests to make sure everything works as expected.
    • Christian Boltz's avatar
      Move updating existing_profiles out of parse_profile_data() · 8809218a
      Christian Boltz authored
      parse_profile_data() returns the parsed profiles, but writes to
      existing_profiles directly.
      read_profiles() calls parse_profile_data() and already handles adding
      the parsed profiles to aa, original_aa or extras, which means updating
      existing_profiles there is a much better place.
      This commit also includes a hidden change: Previously, when parsing
      include files, they were also added to existing_profiles. This is
      superfluous, only real profiles need to be stored there.
    • Christian Boltz's avatar
      split off get_new_profile_filename() · a6b8d149
      Christian Boltz authored
      ... and call it from get_profile_filename_* if get_new is True
      (= always with the current code)
    • Christian Boltz's avatar
      split get_profile_filename into .._from_profile_name and .._from_attachment · ec741424
      Christian Boltz authored
      Split get_profile_filename() into
      - get_profile_filename_from_profile_name() (parameter: a profile name)
      - get_profile_filename_from_attachment() (parameter: an attachment)
      Currently both functions call get_profile_filename_orig() (formerly
      get_profile_filename()) so the behaviour doesn't change yet.
      The most important part of this commit is changing all
      get_profile_filename() calls to use one of the new functions to make
      clear if they specify a profile or an attachment/executable as
      As promised, the is_attachment parameter starts to get used in this
      patch ;-)
      Note: The get_new parameter (which I'll explain in the patch actually
      using it) is set to True in all calls to the new functions.
      The long term plan is to get rid of it in most cases (hence defaulting
      to False), but that will need more testing.
    • Christian Boltz's avatar
      Add is_attachment parameter to write_profile · bc783372
      Christian Boltz authored
      The minitools call write_profile(), write_profile_feedback_ui() and
      serialize_profile() with the _attachment_ as parameter.
      However, aa-logprof etc. call them with the _profile name_ as parameter.
      This patch adds an is_attachment parameter to write_profile() and
      write_profile_feedback_ui(). It also passes it through to
      serialize_profile() via the options parameter.
      If is_attachment is True, the parameter will be handled as attachment,
      otherwise it is expected to be a profile name.
      tools.py gets changed to set is_attachment to True when calling the
      functions listed above to make clear that the parameter is an attachment.
      Note: This patch only adds the is_attachment parameter/option, but
      doesn't change any behaviour. That will happen in the next patch.
  6. 15 Oct, 2018 1 commit
  7. 13 Oct, 2018 1 commit
  8. 11 Oct, 2018 1 commit
    • Christian Boltz's avatar
      Fix aa-mergeprof crash caused by accidentially initialzed hat · bc492533
      Christian Boltz authored
      Hasher causes some fun in aa-mergeprof: If the profile in
      /etc/apparmor.d/ has a hat or subprofile that doesn't exist in the
      to-be-merged profile, aa-mergeprof crashes. This is caused by reading
      self.other.aa[program][hat]['include'] which accidently "creates" that
      profile inside the aa hasher as empty hasher (instead of ProfileStorage).
      Later, the code loops over self.other.aa[profile].keys(), expects
      everything to be ProfileStorage, and explodes [1] when for example
      trying to run .delete_duplicates on the hasher (which obviously doesn't
      provide this method).
      This patch adds checks to all self.other.aa accesses in
      CleanProf.remove_duplicate_rules() to avoid accidently creating new keys
      in the hasher.
      Interestingly this bug survived unnoticed for years (at least since
      [1] last lines of the backtrace:
        File ".../utils/apparmor/cleanprofile.py", line 42, in compare_profiles
          deleted += self.remove_duplicate_rules(profile)
        File ".../utils/apparmor/cleanprofile.py", line 65, in remove_duplicate_rules
          deleted += apparmor.delete_duplicates(self.other.aa[program][hat], inc)
        File ".../utils/apparmor/aa.py", line 1680, in delete_duplicates
          deleted += profile[rule_type].delete_duplicates(include[incname][incname][rule_type])
      AttributeError: 'collections.defaultdict' object has no attribute 'delete_duplicates'
  9. 03 Oct, 2018 1 commit
  10. 01 Oct, 2018 1 commit
  11. 26 Sep, 2018 1 commit
    • Christian Boltz's avatar
      Add basic support for abi rules to the tools · 072d3e04
      Christian Boltz authored
      Add basic "understand and keep" support for abi rules, where
      "understand" means to not error out when seeing an abi rule, and "keep"
      simply means to keep the original abi rule when serializing a profile.
      On the long term, abi rules should be parsed (similar to include rules),
      but for now, this patch is the smallest possible changeset and easy to
      Note that the only added test is via cleanprof_test.* which is used by
      minitools_test.py - and does _not_ run if you do a 'make check'.
      Oh, and of course the simple_tests/abi/ files also get parsed by
      Also note that serialize_profile_from_old_profile() (which no longer
      exists in master, "only" in <= 2.13) would in theory also need support
      for abi rules. In practise, making this another case of
      "serialize_profile_from_old_profile() has known issues" is probably
      fine, but we should at least test that "(V)iew changes" doesn't break if
      an abi rule is present.
  12. 24 Sep, 2018 1 commit
  13. 14 Sep, 2018 1 commit
  14. 13 Sep, 2018 2 commits
  15. 22 Aug, 2018 1 commit
  16. 05 Aug, 2018 1 commit
  17. 25 Jul, 2018 9 commits
  18. 12 Jul, 2018 1 commit
  19. 09 Jul, 2018 1 commit
  20. 03 Jul, 2018 1 commit
    • Christian Boltz's avatar
      Fix unsetting filename in get_profile() · 73b33bdf
      Christian Boltz authored
      When creating a new profile with aa-genprof, get_profile() searches for
      an inactive ("extra") profile and, if it finds one, removes the filename
      from that profile so that it gets stored in /etc/apparmor.d/ later.
      However, it used .pop() to remove the filename, which explodes since
      ProfileStorage is a class now.
      This patch fixes this (tested manually).
  21. 25 Jun, 2018 5 commits
  22. 20 Jun, 2018 1 commit