1. 06 Dec, 2018 1 commit
  2. 18 Nov, 2018 1 commit
    • Christian Boltz's avatar
      Fix viewing a local inactive profile in aa-genprof · 8b4e76a7
      Christian Boltz authored
      aa-genprof checks if one of the profiles in the extra profile dir
      matches the binary, and proposes to use that profile as a starting
      Since 4d722f18 the "(V)iew profile"
      option to display the proposed profile was broken.
      The easiest fix is to remember the filename in the extras directory, and
      display the file from there.
      Sidenote: when choosing to use the extra profile, it gets written to
      disk without any problems, so this bug really only affected "(V)iew
      profile" to preview the proposed extra profile.
  3. 13 Nov, 2018 1 commit
    • Christian Boltz's avatar
      parse_profile_data(): Ensure last line in a profile is valid · 4efff35b
      Christian Boltz authored
      'lastline' gets merged into 'line' (and reset to None) when reading the
      next line. If 'lastline' isn't empty after reading the whole profile,
      this means there's something unparseable at the end of the profile,
      therefore parse_profile_data() should error out.
      Also remove some simple_tests testcases from the 'exception_not_raised'
      list - they only didn't raise the exception because the invalid rule was
      the last line in the affected profile.
      Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
      discovering this bug while adding some xattr testcases that surprisingly
      didn't fail in the tools.
  4. 22 Oct, 2018 5 commits
    • Christian Boltz's avatar
      Replace existing_profiles & fix minitools for named profiles · 4d722f18
      Christian Boltz authored
      Technical stuff first:
      Replace existing_profiles (a dict with the filenames for both active and
      inactive profiles) with active_profiles and extra_profiles which are
      ProfileList()s and store the active profiles and those in the extra
      directory separately. Thanks to ProfileList, now also the relation
      between attachments and filenames is easily available.
      Also replace all usage of existing_profiles with active_profiles and
      extra_profiles, and adjust it to the ProfileList syntax everywhere.
      With this change, several bugs in aa-complain and the other minitools
      get fixed:
      - aa-complain etc. never found profiles that have a profile name
        (the attachment wasn't checked)
      - even if the profile name was given as parameter to aa-complain, it
        first did "which $parameter" so it never matched on named profiles
      - profile names with alternations (without attachment specification)
        also never matched because the old code didn't use AARE.
      References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
      (search for "As usual" ;-)
      Just for completeness - the matching still doesn't honor/expand
      variables in the profile name.
    • Christian Boltz's avatar
      Move updating existing_profiles out of parse_profile_data() · 8809218a
      Christian Boltz authored
      parse_profile_data() returns the parsed profiles, but writes to
      existing_profiles directly.
      read_profiles() calls parse_profile_data() and already handles adding
      the parsed profiles to aa, original_aa or extras, which means updating
      existing_profiles there is a much better place.
      This commit also includes a hidden change: Previously, when parsing
      include files, they were also added to existing_profiles. This is
      superfluous, only real profiles need to be stored there.
    • Christian Boltz's avatar
      split off get_new_profile_filename() · a6b8d149
      Christian Boltz authored
      ... and call it from get_profile_filename_* if get_new is True
      (= always with the current code)
    • Christian Boltz's avatar
      split get_profile_filename into .._from_profile_name and .._from_attachment · ec741424
      Christian Boltz authored
      Split get_profile_filename() into
      - get_profile_filename_from_profile_name() (parameter: a profile name)
      - get_profile_filename_from_attachment() (parameter: an attachment)
      Currently both functions call get_profile_filename_orig() (formerly
      get_profile_filename()) so the behaviour doesn't change yet.
      The most important part of this commit is changing all
      get_profile_filename() calls to use one of the new functions to make
      clear if they specify a profile or an attachment/executable as
      As promised, the is_attachment parameter starts to get used in this
      patch ;-)
      Note: The get_new parameter (which I'll explain in the patch actually
      using it) is set to True in all calls to the new functions.
      The long term plan is to get rid of it in most cases (hence defaulting
      to False), but that will need more testing.
    • Christian Boltz's avatar
      Add is_attachment parameter to write_profile · bc783372
      Christian Boltz authored
      The minitools call write_profile(), write_profile_feedback_ui() and
      serialize_profile() with the _attachment_ as parameter.
      However, aa-logprof etc. call them with the _profile name_ as parameter.
      This patch adds an is_attachment parameter to write_profile() and
      write_profile_feedback_ui(). It also passes it through to
      serialize_profile() via the options parameter.
      If is_attachment is True, the parameter will be handled as attachment,
      otherwise it is expected to be a profile name.
      tools.py gets changed to set is_attachment to True when calling the
      functions listed above to make clear that the parameter is an attachment.
      Note: This patch only adds the is_attachment parameter/option, but
      doesn't change any behaviour. That will happen in the next patch.
  5. 26 Sep, 2018 1 commit
    • Christian Boltz's avatar
      Add basic support for abi rules to the tools · 072d3e04
      Christian Boltz authored
      Add basic "understand and keep" support for abi rules, where
      "understand" means to not error out when seeing an abi rule, and "keep"
      simply means to keep the original abi rule when serializing a profile.
      On the long term, abi rules should be parsed (similar to include rules),
      but for now, this patch is the smallest possible changeset and easy to
      Note that the only added test is via cleanprof_test.* which is used by
      minitools_test.py - and does _not_ run if you do a 'make check'.
      Oh, and of course the simple_tests/abi/ files also get parsed by
      Also note that serialize_profile_from_old_profile() (which no longer
      exists in master, "only" in <= 2.13) would in theory also need support
      for abi rules. In practise, making this another case of
      "serialize_profile_from_old_profile() has known issues" is probably
      fine, but we should at least test that "(V)iew changes" doesn't break if
      an abi rule is present.
  6. 25 Jul, 2018 8 commits
  7. 09 Jul, 2018 1 commit
  8. 03 Jul, 2018 1 commit
    • Christian Boltz's avatar
      Fix unsetting filename in get_profile() · 73b33bdf
      Christian Boltz authored
      When creating a new profile with aa-genprof, get_profile() searches for
      an inactive ("extra") profile and, if it finds one, removes the filename
      from that profile so that it gets stored in /etc/apparmor.d/ later.
      However, it used .pop() to remove the filename, which explodes since
      ProfileStorage is a class now.
      This patch fixes this (tested manually).
  9. 25 Jun, 2018 5 commits
  10. 20 Jun, 2018 1 commit
  11. 09 Jun, 2018 3 commits
  12. 10 May, 2018 1 commit
    • Christian Boltz's avatar
      test-libapparmor-test_multi: initialize parent profiles · 79d9ee5c
      Christian Boltz authored
      If a log line contains a denial for a child profile, log_dict will
      (obviously) only contain the child profile. However, serialize_profile()
      expects that the parent profile is also initialized as ProfileStorage.
      This patch makes sure the parent profile gets initialized.
      It also removes 26 of the 37 reasons in the TODO note in aa.py :-)
  13. 09 May, 2018 2 commits
    • Christian Boltz's avatar
      Add get_rules_clean to ProfileStorage, and change write_rules to use it · fbfeed0b
      Christian Boltz authored
      ProfileStorage.get_rules_clean() returns all rules in a profile
      (withouth the profile header or the closing '}')
      Also change aa.py write_rules() to use get_rules_clean()
    • Christian Boltz's avatar
      move several write_* functions to apparmor.profile_storage · 66620f3e
      Christian Boltz authored
      ProfileStorage() stores the content of a profile, so it makes sense to
      also have the functions to write those rules (including helper functions
      used by these functions) in the same file.
      Note that I only moved the functions for rule types that are not handled
      by *Ruleset classes.
      The functions for writing rules stored in a *Ruleset class will
      hopefully be superfluous sooner or later (probably later because
      serialize_parse_profile_start() depends on them, and rewriting it won't
      be easy)
      Also move the test for var_transform() to test-profile-storage.py.
  14. 06 May, 2018 4 commits
    • Christian Boltz's avatar
      rewrite write_alias() · 3ee60580
      Christian Boltz authored
      Instead of calling write_pair() (which is quite complex because it needs
      to handle multiple rule types), write the alias rules directly in
      This comes with minor code duplication, but makes the code much more
      readable (3 instead of 7 %s)
    • Christian Boltz's avatar
      Fix writing alias rules · ae4ab628
      Christian Boltz authored
      write_pair() ignored the 'tail' parameter, which resulted in writing
      invalid alias rules (without the trailing comma).
      Also add an alias to test/cleanprof.* to ensure it doesn't break again.
    • Christian Boltz's avatar
      Fix writing "link subset" rules · 51453560
      Christian Boltz authored
      Writing a "link subset" rule missed a space, which resulted in something
        link subset/foo -> /bar,
      Also add a test rule to tests/cleanprof.* to ensure this doesn't break
    • Christian Boltz's avatar
      parse_profile_data(): error out on alias inside profile · f910cb55
      Christian Boltz authored
      Defining an alias is only allowed outside of a profile.
      Also add a parser test with an alias inside a profile.
  15. 05 May, 2018 2 commits
    • Christian Boltz's avatar
      simplify write_piece · 2b7920ff
      Christian Boltz authored
      write_piece() has some funny code that converts the result of
      write_header() and write_rules() (which is a list) to... a list.
      Needless to say that this is superfluous ;-)
    • Christian Boltz's avatar
      Drop some safety nets in aa.py · 62e429bc
      Christian Boltz authored
      match_includes() and is_known_rule() have safety nets to avoid troube if
      include[incname][incname] is not a valid ProfileStorage object.
      However, this situation shouldn't happen in practise anymore, so let's
      drop these now superfluous safety nets.
      I use this patch locally since months without problems.
  16. 29 Apr, 2018 1 commit
    • Christian Boltz's avatar
      is_skippable_dir(): add 'cache.d' to exclude list · 5b9497a8
      Christian Boltz authored
      This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
      parsing because parsing the binary cache, well, takes a while :-/
      Reported on the opensuse-factory mailinglist by Frank Krüger and
      confirmed by others.
  17. 14 Apr, 2018 1 commit
    • Christian Boltz's avatar
      fix regression in {get,set}_profile_flags() · f472b6bb
      Christian Boltz authored
      Since the latest change, calling {get,set}_profile_flags() with the
      profile name failed when attachment was specified ("profile foo /bar").
      Catched by the unittests.
      Also fix a whitespace issue.
  18. 12 Apr, 2018 1 commit
    • Goldwyn's avatar
      Set flags for profiles represented by a glob · 5e187daa
      Goldwyn authored
      Getting and Setting profile represented by a glob does not work correctly
      because they are checked for equality. Use a glob match to check for them.
      Also, add a warning stating that the profile being set represents multiple programs.
      traceroute is an example whose profile name is represented as
      /usr/{sbin/traceroute,bin/traceroute.db} and exhibits the issue:
      Setting /usr/sbin/traceroute to enforce mode.
      ERROR: /etc/apparmor.d/usr.sbin.traceroute contains no profile
      Signed-off-by: 's avatarGoldwyn <goldwyn@fiona.lan>