mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity
apparmor/utils/aa-mergeprof

492 lines
21 KiB
Plaintext
Raw Normal View History

Switch utils to python3 As discussed a while ago, switch the utils (including their tests) to use python3 by default. While on it, drop usage of "env" to always get the system python3 instead of a random one that happens to live somewhere in $PATH. In practise, this patch doesn't change much - AFAIK openSUSE, Debian and Ubuntu already patch aa-* to use python3. Also add a note to README to officially deprecate Python 2.x. (I won't break Python 2.x support intentionally - unless some future change gives me a very good reason to finally drop Python 2.x support.) Acked-by: Seth Arnold <seth.arnold@canonical.com> (since 2016-08-23, but the commit had to wait for the FileRule series because it touches test-file.py)
2016-10-01 20:57:09 +02:00
#! /usr/bin/python3
Added license headers
2013-09-28 20:43:06 +05:30
# ----------------------------------------------------------------------
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
load variables in ask_the_questions() Variables can be used in several rule types (from the existing *Rule classes: change_profile, dbus, ptrace, signal). It seems nobody uses variables with those rules, otherwise we'd have received a bugreport ;-) I noticed this while working on FileRule, where usage of variables is more common. The file code in bzr (not using a *Rule class) already loads the variables, so old versions don't need changes for file rule handling. However, 2.10 already has ChangeProfileRule and therefore also needs this fix. Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
2016-05-10 14:32:46 +02:00
# Copyright (C) 2014-2016 Christian Boltz <apparmor@cboltz.de>
Added license headers
2013-09-28 20:43:06 +05:30
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# ----------------------------------------------------------------------
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
import argparse
aa-mergeprof: honor -d parameter (it was ignored until now) Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
2014-08-04 20:19:08 +02:00
import os
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
import apparmor.aa
import apparmor.aamode
Re-order imports in aa-mergeprof and rule/capability.py Acked-by: Christian Boltz <apparmor@cboltz.de>
2016-06-10 01:18:32 +05:30
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
import apparmor.severity
seperated the code to check for duplicates into a separate module, will be using it to remove duplicates/superfluous rules/includes from base and other profiles in the aa-mergeprof
2013-09-17 22:30:48 +05:30
import apparmor.cleanprofile as cleanprofile
fix aa-mergeprof to - import apparmor.ui as aaui - call aaui.UI_*() instead of apparmor.aa.UI_*() - use apparmor.aamode.AA_MAY_EXEC instead of apparmor.aa.AA_MAY_EXEC Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
2014-07-28 00:24:26 +02:00
import apparmor.ui as aaui
Added manpages for the tools, fixes from rev 59..62, some fixes from rev 58
2013-09-19 10:32:19 +05:30
[18/38] Re-add globbing support for file rules to aa-logprof This change also needs some other changes in ask_the_questions(): - set q.options and q.selected inside the loop (because glob() and glob_ext() add another option) - set 'selection' outside the if block to avoid doing it in nearly every if branch - make sure to add the selected rule, not just rule_obj (which doesn't contain a modified, for example globbed, rule) - skip 'deny' if an #include is selected - re-add handling for CMD_GLOB and CMD_GLOB_EXT (was lost when switching to FileRule) - add selection_to_rule_obj() helper function - add glob and glob with ext buttons in available_buttons() if rule_obj.can_glob or rule_obj.can_glob_ext Also apply the changes in ask_the_questions() to aa-mergeprof to keep it in sync with aa.py, and disable the old path handling in aa-mergeprof. Note: in its current state, aa-mergeprof will ask for some "superfluous" file permissions, and doesn't check for 'x' conflicts. One of the following patches will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 19:58:40 +02:00
from apparmor.aa import (add_to_options, available_buttons, combine_name, delete_duplicates,
[41/38] let aa-mergeprof ask about new hats and subprofiles If a merged profile contains additional hats or subprofiles, the "old" aa-mergeprof silently created them as additional hasher elements (partly buggy, because subprofiles would end up as '^/subprofile' instead of 'profile /subprofile'). After switching to FileRule, aa-mergeprof crashes on new hats or subprofiles. This patch adds code to ask the user if the new hat or subprofile should be added - which means this patch replaces two bugs (crash + silently adding subprofiles and hats) with a new feature ;-) The new questions also add a new text CMD_ADDSUBPROFILE in ui.py. Finally, the new "button" combinations get added to test-translations.py. If you want to test, try to aa-mergeprof this profile (the subprofile and hat are dummies, nothing ping would really require): #include <tunables/global> /{usr/,}bin/ping { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/nameservice> capability net_raw, capability setuid, network inet raw, network inet6 raw, /{,usr/}bin/ping mixr, /etc/modules.conf r, ^hat { /bin/hat r, /bin/bash px, } profile /subprofile { /bin/subprofile r, /bin/bash px, } # Site-specific additions and overrides. See local/README for details. #include <local/bin.ping> } Note that this patch is not covered by unittests, but it passed all my manual tests. Acked-by: Steve Beattie <steve@nxnw.org> Bug: https://launchpad.net/bugs/1507469
2016-10-01 20:21:06 +02:00
get_profile_filename, is_known_rule, match_includes, profile_storage,
[25/38] Set audit mode for all options Add set_options_audit_mode() to switch the audit mode in all options offered by aa-logprof and aa-mergeprof, not only the "original" rule (in aa-logprof, this means the non-globbed rule_obj). As usual, add some tests to ensure the function works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:05:27 +02:00
set_options_audit_mode, propose_file_rules, selection_to_rule_obj)
[24/38] Add propose_file_rules() to propose globbed etc. file rules in aa-logprof aa.py: - add propose_file_rules() - will propose matching paths from existing rules in the profile or one of the includes - save user_globs if user selects '(N)ew' (will be re-used when proposing rules) - change user_globs to a dict so that it can carry the human-readable path and an AARE object for it - change order_globs() to ensure the original path (given as parameter) is always the last item in the resulting list - add a ruletype switch to ask_the_questions() so that it uses propose_file_rules() for file events (I don't like this ruletype-specific solution too much, but everything else would make things even more complicated) Also keep aa-mergeprof ask_the_questions() in sync with aa.py. In FileRule, add original_perms (might be set by propose_file_rules()) Finally, add some tests to ensure propose_file_rules() does what it promises. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:04:42 +02:00
from apparmor.aare import AARE
Re-order imports in aa-mergeprof and rule/capability.py Acked-by: Christian Boltz <apparmor@cboltz.de>
2016-06-10 01:18:32 +05:30
from apparmor.common import AppArmorException
from apparmor.regex import re_match_include
Improve exception handling Instead of always showing a backtrace, - for AppArmorException (used for profile syntax errors etc.), print only the exceptions value because a backtrace is superfluous and would confuse users. - for other (unexpected) exceptions, print backtrace and save detailed information in a file in /tmp/ (including variable content etc.) to make debugging easier. This is done by adding the apparmor.fail module which contains a custom exception handler (using cgitb, except for AppArmorException). Also change all python aa-* tools to use the new exception handler. Note: aa-audit did show backtraces only if the --trace option was given. This is superfluous with the improved exception handling, therefore this patch removes the --trace option. (The other aa-* tools never had this option.) If you want to test the behaviour of the new exception handler, you can use this script: #!/usr/bin/python from apparmor.common import AppArmorException, AppArmorBug from apparmor.fail import enable_aa_exception_handler enable_aa_exception_handler() # choose one ;-) raise AppArmorException('Harmless example failure') #raise AppArmorBug('b\xe4d bug!') #raise Exception('something is broken!') Acked-by: Seth Arnold <seth.arnold@canonical.com>
2015-07-06 22:02:34 +02:00
# setup exception handling
from apparmor.fail import enable_aa_exception_handler
enable_aa_exception_handler()
Convert to using python's modular translations interface. This allows the utility python modules to be used inside another tool with another textdomain binding and still have the translations for that tool and the stuff internal to the apparmor module convert properly.
2014-02-10 22:15:05 -08:00
# setup module translations
Simplify the work tools and modules need to do to get the shared translations. External utilities can still use their own textdomains if they have strings that are not part of the apparmor-utils catalog.
2014-02-11 16:23:21 -08:00
from apparmor.translations import init_translation
_ = init_translation()
Convert to using python's modular translations interface. This allows the utility python modules to be used inside another tool with another textdomain binding and still have the translations for that tool and the stuff internal to the apparmor module convert properly.
2014-02-10 22:15:05 -08:00
various aa-mergeprof fixes - remove some debug output (which Kshitij intentionally kept in the draft patch) - add a UI_Info to display which profile will be merged - disable the mergeprofiles.clear_common() call because it crashes (https://bugs.launchpad.net/apparmor/+bug/1382236) - disable (M)ore (CMD_OTHER) because it crashes - make (F)inish work everywhere - change the help text so that it doesn't mention 3-way-merge until we implement it
2014-10-16 23:25:33 +02:00
parser = argparse.ArgumentParser(description=_('Merge the given profiles into /etc/apparmor.d/ (or the directory specified with -d)'))
more aa-mergeprof fixes - change --help for files - "Profile(s) to merge" instead of "base profile" - display the profile to save when asking to save it - disable searching for existing network rules in abstractions because it crashes. This doesn't hurt too much, see https://bugs.launchpad.net/apparmor/+bug/1382241 Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-16 23:35:06 +02:00
parser.add_argument('files', nargs='+', type=str, help=_('Profile(s) to merge'))
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
#parser.add_argument('other', nargs='?', type=str, help=_('other profile'))
Added help messages to translate strings and a few other minor fixes
2013-09-22 15:25:20 +05:30
parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
Add a warning to aa-mergeprof --help that the syntax will change in the future. Also remove --auto, which is not implemented yet.
2014-09-04 01:49:47 +02:00
#parser.add_argument('-a', '--auto', action='store_true', help=_('Automatically merge profiles, exits incase of *x conflicts'))
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
args = parser.parse_args()
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
args.other = None
modify aa-mergeprof to: - allow users to merge two profiles (2-way merge) using aa-mergeprof by making the third profile optional - re-enable code that cleaned up base and other profile and using it in deleted count (was disabled due to pyflakes thinking it was unused) Patch by Kshitij Gupta <kgupta8592@gmail.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-07-29 12:39:12 +02:00
# 2-way merge or 3-way merge based on number of params
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
merge_mode = 2 #if args.other == None else 3
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
profiles = [args.files, [args.other]]
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
aa-mergeprof: honor -d parameter (it was ignored until now) Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
2014-08-04 20:19:08 +02:00
profiledir = args.dir
if profiledir:
apparmor.aa.profile_dir = apparmor.aa.get_full_path(profiledir)
if not os.path.isdir(apparmor.aa.profile_dir):
Fix raising AppArmorException in aa-mergeprof aa-mergeprof failed to fail ;-) when it should raise an AppArmorException. Instead, it failed with AttributeError: 'module' object has no attribute 'AppArmorException' I confirmed this bug in trunk and 2.9. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
2015-05-18 01:35:51 +02:00
raise AppArmorException(_("%s is not a directory.") %profiledir)
aa-mergeprof: honor -d parameter (it was ignored until now) Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
2014-08-04 20:19:08 +02:00
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
def reset_aa():
apparmor.aa.aa = apparmor.aa.hasher()
apparmor.aa.filelist = apparmor.aa.hasher()
apparmor.aa.include = dict()
apparmor.aa.existing_profiles = apparmor.aa.hasher()
apparmor.aa.original_aa = apparmor.aa.hasher()
def find_profiles_from_files(files):
profile_to_filename = dict()
for file_name in files:
apparmor.aa.read_profile(file_name, True)
for profile_name in apparmor.aa.filelist[file_name]['profiles'].keys():
profile_to_filename[profile_name] = file_name
reset_aa()
return profile_to_filename
def find_files_from_profiles(profiles):
profile_to_filename = dict()
apparmor.aa.read_profiles()
for profile_name in profiles:
profile_to_filename[profile_name] = apparmor.aa.get_profile_filename(profile_name)
reset_aa()
return profile_to_filename
aa-mergeprof: honor -d parameter (it was ignored until now) Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
2014-08-04 20:19:08 +02:00
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
def main():
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
profiles_to_merge = set()
base_files, other_files = profiles
base_profile_to_file = find_profiles_from_files(base_files)
profiles_to_merge = profiles_to_merge.union(set(base_profile_to_file.keys()))
other_profile_to_file = dict()
if merge_mode == 3:
other_profile_to_file = find_profiles_from_files(other_files)
profiles_to_merge.add(other_profile_to_file.keys())
user_profile_to_file = find_files_from_profiles(profiles_to_merge)
various aa-mergeprof fixes - remove some debug output (which Kshitij intentionally kept in the draft patch) - add a UI_Info to display which profile will be merged - disable the mergeprofiles.clear_common() call because it crashes (https://bugs.launchpad.net/apparmor/+bug/1382236) - disable (M)ore (CMD_OTHER) because it crashes - make (F)inish work everywhere - change the help text so that it doesn't mention 3-way-merge until we implement it
2014-10-16 23:25:33 +02:00
# print(base_files,"\n",other_files)
# print(base_profile_to_file,"\n",other_profile_to_file,"\n",user_profile_to_file)
# print(profiles_to_merge)
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
for profile_name in profiles_to_merge:
various aa-mergeprof fixes - remove some debug output (which Kshitij intentionally kept in the draft patch) - add a UI_Info to display which profile will be merged - disable the mergeprofiles.clear_common() call because it crashes (https://bugs.launchpad.net/apparmor/+bug/1382236) - disable (M)ore (CMD_OTHER) because it crashes - make (F)inish work everywhere - change the help text so that it doesn't mention 3-way-merge until we implement it
2014-10-16 23:25:33 +02:00
aaui.UI_Info("\n\n" + _("Merging profile for %s" % profile_name))
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
user_file = user_profile_to_file[profile_name]
base_file = base_profile_to_file.get(profile_name, None)
other_file = None
if merge_mode == 3:
other_file = other_profile_to_file.get(profile_name, None)
if base_file == None:
if other_file == None:
continue
act([user_file, other_file, None], 2, profile_name)
else:
if other_file == None:
act([user_file, base_file, None], 2, profile_name)
else:
act([user_file, base_file, other_file], 3, profile_name)
reset_aa()
def act(files, merge_mode, merging_profile):
mergeprofiles = Merge(files)
Fixed the netrule persistence issue in cleanprof, some elementary work for mergeprof
2013-09-23 02:14:11 +05:30
#Get rid of common/superfluous stuff
[30/38] Re-enable clear_common() call in aa-mergeprof The clear_common() call was disabled because it crashed in delete_path_duplicates(). With the switch to FileRule, this function no longer exists and therefore it can't crash ;-) This patch re-enables the clear_common() call to avoid asking superfluous questions. References: https://bugs.launchpad.net/apparmor/+bug/1382236 Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:09:36 +02:00
mergeprofiles.clear_common()
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
Add a warning to aa-mergeprof --help that the syntax will change in the future. Also remove --auto, which is not implemented yet.
2014-09-04 01:49:47 +02:00
# if not args.auto:
if 1 == 1: # workaround to avoid lots of whitespace changes
modify aa-mergeprof to: - allow users to merge two profiles (2-way merge) using aa-mergeprof by making the third profile optional - re-enable code that cleaned up base and other profile and using it in deleted count (was disabled due to pyflakes thinking it was unused) Patch by Kshitij Gupta <kgupta8592@gmail.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-07-29 12:39:12 +02:00
if merge_mode == 3:
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
mergeprofiles.ask_the_questions('other', merging_profile)
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
modify aa-mergeprof to: - allow users to merge two profiles (2-way merge) using aa-mergeprof by making the third profile optional - re-enable code that cleaned up base and other profile and using it in deleted count (was disabled due to pyflakes thinking it was unused) Patch by Kshitij Gupta <kgupta8592@gmail.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-07-29 12:39:12 +02:00
mergeprofiles.clear_common()
added handler for conflicting *x access
2013-09-23 23:56:28 +05:30
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
mergeprofiles.ask_the_questions('base', merging_profile)
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
q = aaui.PromptQuestion()
q.title = _('Changed Local Profiles')
q.explanation = _('The following local profiles were changed. Would you like to save them?')
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
q.functions = ['CMD_SAVE_CHANGES', 'CMD_VIEW_CHANGES', 'CMD_ABORT', 'CMD_IGNORE_ENTRY']
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
q.default = 'CMD_VIEW_CHANGES'
more aa-mergeprof fixes - change --help for files - "Profile(s) to merge" instead of "base profile" - display the profile to save when asking to save it - disable searching for existing network rules in abstractions because it crashes. This doesn't hurt too much, see https://bugs.launchpad.net/apparmor/+bug/1382241 Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-16 23:35:06 +02:00
q.options = [merging_profile]
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
q.selected = 0
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
ans = ''
arg = None
programs = list(mergeprofiles.user.aa.keys())
program = programs[0]
while ans != 'CMD_SAVE_CHANGES':
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
ans, arg = q.promptUser()
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
if ans == 'CMD_SAVE_CHANGES':
apparmor.aa.write_profile_ui_feedback(program)
apparmor.aa.reload_base(program)
elif ans == 'CMD_VIEW_CHANGES':
for program in programs:
apparmor.aa.original_aa[program] = apparmor.aa.deepcopy(apparmor.aa.aa[program])
#oldprofile = apparmor.serialize_profile(apparmor.original_aa[program], program, '')
newprofile = apparmor.aa.serialize_profile(mergeprofiles.user.aa[program], program, '')
apparmor.aa.display_changes_with_comments(mergeprofiles.user.filename, newprofile)
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
elif ans == 'CMD_IGNORE_ENTRY':
break
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
Only ran sed -i s/ *// in ./apparmor/*.py , ./Tools/aa* and ./Testing/*.py no other changes, should ignore this commit unless it broke something
2013-09-22 22:51:30 +05:30
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
class Merge(object):
def __init__(self, profiles):
user, base, other = profiles
Only ran sed -i s/ *// in ./apparmor/*.py , ./Tools/aa* and ./Testing/*.py no other changes, should ignore this commit unless it broke something
2013-09-22 22:51:30 +05:30
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
#Read and parse base profile and save profile data, include data from it and reset them
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
apparmor.aa.read_profile(base, True)
fix for the delete count
2013-09-23 03:47:15 +05:30
self.base = cleanprofile.Prof(base)
Fixed the netrule persistence issue in cleanprof, some elementary work for mergeprof
2013-09-23 02:14:11 +05:30
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
reset_aa()
Only ran sed -i s/ *// in ./apparmor/*.py , ./Tools/aa* and ./Testing/*.py no other changes, should ignore this commit unless it broke something
2013-09-22 22:51:30 +05:30
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
#Read and parse other profile and save profile data, include data from it and reset them
modify aa-mergeprof to: - allow users to merge two profiles (2-way merge) using aa-mergeprof by making the third profile optional - re-enable code that cleaned up base and other profile and using it in deleted count (was disabled due to pyflakes thinking it was unused) Patch by Kshitij Gupta <kgupta8592@gmail.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-07-29 12:39:12 +02:00
if merge_mode == 3:
apparmor.aa.read_profile(other, True)
self.other = cleanprofile.Prof(other)
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
reset_aa()
Only ran sed -i s/ *// in ./apparmor/*.py , ./Tools/aa* and ./Testing/*.py no other changes, should ignore this commit unless it broke something
2013-09-22 22:51:30 +05:30
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
#Read and parse user profile
modify aa-mergeprof to: - allow users to merge two profiles (2-way merge) using aa-mergeprof by making the third profile optional - re-enable code that cleaned up base and other profile and using it in deleted count (was disabled due to pyflakes thinking it was unused) Patch by Kshitij Gupta <kgupta8592@gmail.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-07-29 12:39:12 +02:00
apparmor.aa.read_profile(user, True)
fix for the delete count
2013-09-23 03:47:15 +05:30
self.user = cleanprofile.Prof(user)
Only ran sed -i s/ *// in ./apparmor/*.py , ./Tools/aa* and ./Testing/*.py no other changes, should ignore this commit unless it broke something
2013-09-22 22:51:30 +05:30
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
def clear_common(self):
Fixed the netrule persistence issue in cleanprof, some elementary work for mergeprof
2013-09-23 02:14:11 +05:30
deleted = 0
modify aa-mergeprof to: - allow users to merge two profiles (2-way merge) using aa-mergeprof by making the third profile optional - re-enable code that cleaned up base and other profile and using it in deleted count (was disabled due to pyflakes thinking it was unused) Patch by Kshitij Gupta <kgupta8592@gmail.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-07-29 12:39:12 +02:00
if merge_mode == 3:
#Remove off the parts in other profile which are common/superfluous from user profile
user_other = cleanprofile.CleanProf(False, self.user, self.other)
deleted += user_other.compare_profiles()
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
Fixed the netrule persistence issue in cleanprof, some elementary work for mergeprof
2013-09-23 02:14:11 +05:30
#Remove off the parts in base profile which are common/superfluous from user profile
fix for the delete count
2013-09-23 03:47:15 +05:30
user_base = cleanprofile.CleanProf(False, self.user, self.base)
Fixed the netrule persistence issue in cleanprof, some elementary work for mergeprof
2013-09-23 02:14:11 +05:30
deleted += user_base.compare_profiles()
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
modify aa-mergeprof to: - allow users to merge two profiles (2-way merge) using aa-mergeprof by making the third profile optional - re-enable code that cleaned up base and other profile and using it in deleted count (was disabled due to pyflakes thinking it was unused) Patch by Kshitij Gupta <kgupta8592@gmail.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-07-29 12:39:12 +02:00
if merge_mode == 3:
#Remove off the parts in other profile which are common/superfluous from base profile
base_other = cleanprofile.CleanProf(False, self.base, self.other)
deleted += base_other.compare_profiles()
Fixed the netrule persistence issue in cleanprof, some elementary work for mergeprof
2013-09-23 02:14:11 +05:30
[32/38] Re-implement exec conflict handling in aa-mergeprof Replace the old (hasher-based) conflict_mode() with the new (FileRule-based) ask_conflict_mode() function. If it detects conflicting exec rules, it asks the user which one to keep. Also call ask_conflict_mode() from ask_the_questions() so that it is actually used. Note: This patch isn't covered by unittests, but I did some manual testing to make sure it works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:12:30 +02:00
def ask_conflict_mode(self, profile, hat, old_profile, merge_profile):
'''ask user about conflicting exec rules'''
for oldrule in old_profile['file'].rules:
conflictingrules = merge_profile['file'].get_exec_conflict_rules(oldrule)
if conflictingrules.rules:
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
q = aaui.PromptQuestion()
[32/38] Re-implement exec conflict handling in aa-mergeprof Replace the old (hasher-based) conflict_mode() with the new (FileRule-based) ask_conflict_mode() function. If it detects conflicting exec rules, it asks the user which one to keep. Also call ask_conflict_mode() from ask_the_questions() so that it is actually used. Note: This patch isn't covered by unittests, but I did some manual testing to make sure it works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:12:30 +02:00
q.headers = [_('Path'), oldrule.path.regex]
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
q.headers += [_('Select the appropriate mode'), '']
Fixes netrule deletion for includes
2013-09-23 23:05:25 +05:30
options = []
[32/38] Re-implement exec conflict handling in aa-mergeprof Replace the old (hasher-based) conflict_mode() with the new (FileRule-based) ask_conflict_mode() function. If it detects conflicting exec rules, it asks the user which one to keep. Also call ask_conflict_mode() from ask_the_questions() so that it is actually used. Note: This patch isn't covered by unittests, but I did some manual testing to make sure it works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:12:30 +02:00
options.append(oldrule.get_clean())
for rule in conflictingrules.rules:
options.append(rule.get_clean())
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
q.options = options
q.functions = ['CMD_ALLOW', 'CMD_ABORT']
Fixes netrule deletion for includes
2013-09-23 23:05:25 +05:30
done = False
while not done:
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
ans, selected = q.promptUser()
Fixes netrule deletion for includes
2013-09-23 23:05:25 +05:30
if ans == 'CMD_ALLOW':
added handler for conflicting *x access
2013-09-23 23:56:28 +05:30
if selected == 0:
[32/38] Re-implement exec conflict handling in aa-mergeprof Replace the old (hasher-based) conflict_mode() with the new (FileRule-based) ask_conflict_mode() function. If it detects conflicting exec rules, it asks the user which one to keep. Also call ask_conflict_mode() from ask_the_questions() so that it is actually used. Note: This patch isn't covered by unittests, but I did some manual testing to make sure it works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:12:30 +02:00
pass # just keep the existing rule
elif selected > 0:
# replace existing rule with merged one
old_profile['file'].delete(oldrule)
old_profile['file'].add(conflictingrules.rules[selected - 1])
Fixes netrule deletion for includes
2013-09-23 23:05:25 +05:30
else:
Fix raising AppArmorException in aa-mergeprof aa-mergeprof failed to fail ;-) when it should raise an AppArmorException. Instead, it failed with AttributeError: 'module' object has no attribute 'AppArmorException' I confirmed this bug in trunk and 2.9. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
2015-05-18 01:35:51 +02:00
raise AppArmorException(_('Unknown selection'))
[32/38] Re-implement exec conflict handling in aa-mergeprof Replace the old (hasher-based) conflict_mode() with the new (FileRule-based) ask_conflict_mode() function. If it detects conflicting exec rules, it asks the user which one to keep. Also call ask_conflict_mode() from ask_the_questions() so that it is actually used. Note: This patch isn't covered by unittests, but I did some manual testing to make sure it works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:12:30 +02:00
for rule in conflictingrules.rules:
merge_profile['file'].delete(rule) # make sure aa-mergeprof doesn't ask to add conflicting rules later
Fixes netrule deletion for includes
2013-09-23 23:05:25 +05:30
done = True
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
def ask_the_questions(self, other, profile):
Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py Add two variable references (aa and changed) in aa-mergeprof ask_the_questions() so that the code can use the short name and be more in sync with aa.py ask_the_questions(). With this patch applied, the "for ruletype in ['capability', 'network']:" block is in sync, with the exception of the sections that intentionally differ: - the check for the profile mode - the default button selection based on profile mode - the seen_events counter The patch also includes some minor whitespace fixes. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-08 22:25:44 +02:00
aa = self.user.aa # keep references so that the code in this function can use the short name
changed = apparmor.aa.changed # (and be more in sync with aa.py ask_the_questions())
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
if other == 'other':
other = self.other
else:
other = self.base
#print(other.aa)
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
#Add the file-wide includes from the other profile to the user profile
[40/38] Load all includes in aa-mergeprof ask_the_questions() aa-mergeprof empties 'includes' when running reset_aa(). The result is KeyError: 'abstractions/newly_added_abstraction' if an include file gets added because it isn't part of 'includes' at this time. Note that you'll need to add another rule after adding the include to trigger checking the includes for superfluous rules. This fixes the regression found by Steve - which isn't really a regression, "just" one more thing that got more visible with the new code. Before, it was just an ill-addressed hasher that didn't complain ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:20:27 +02:00
apparmor.aa.loadincludes()
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
done = False
aa-mergeprof: don't ask for includes that are already there Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-16 20:22:52 +02:00
options = []
for inc in other.filelist[other.filename]['include'].keys():
if not inc in self.user.filelist[self.user.filename]['include'].keys():
options.append('#include <%s>' %inc)
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
default_option = 1
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
q = aaui.PromptQuestion()
q.options = options
q.selected = default_option - 1
q.headers = [_('File includes'), _('Select the ones you wish to add')]
q.functions = ['CMD_ALLOW', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED']
q.default = 'CMD_ALLOW'
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
while not done and options:
various aa-mergeprof fixes - remove some debug output (which Kshitij intentionally kept in the draft patch) - add a UI_Info to display which profile will be merged - disable the mergeprofiles.clear_common() call because it crashes (https://bugs.launchpad.net/apparmor/+bug/1382236) - disable (M)ore (CMD_OTHER) because it crashes - make (F)inish work everywhere - change the help text so that it doesn't mention 3-way-merge until we implement it
2014-10-16 23:25:33 +02:00
ans, selected = q.promptUser()
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
if ans == 'CMD_IGNORE_ENTRY':
done = True
elif ans == 'CMD_ALLOW':
selection = options[selected]
Move re_match_include() to regex.py and improve it The function is basically a wrapper around a regex, so regex.py is a much better home. While on it, rename the regex to RE_INCLUDE, change it to named matches, use RE_EOL to handle comments and compile it outside the function, which should result in a (small) performance improvement. Also rewrite re_match_include(), let it check for empty include filenames ("#include <>") and let it raise AppArmorException in that case. Finally, adjust code calling it to the new location, and add some tests for re_match_include() Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
2015-06-19 21:41:41 +02:00
inc = re_match_include(selection)
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
self.user.filelist[self.user.filename]['include'][inc] = True
options.pop(selected)
fix aa-mergeprof to - import apparmor.ui as aaui - call aaui.UI_*() instead of apparmor.aa.UI_*() - use apparmor.aamode.AA_MAY_EXEC instead of apparmor.aa.AA_MAY_EXEC Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.
2014-07-28 00:24:26 +02:00
aaui.UI_Info(_('Adding %s to the file.') % selection)
various aa-mergeprof fixes - remove some debug output (which Kshitij intentionally kept in the draft patch) - add a UI_Info to display which profile will be merged - disable the mergeprofiles.clear_common() call because it crashes (https://bugs.launchpad.net/apparmor/+bug/1382236) - disable (M)ore (CMD_OTHER) because it crashes - make (F)inish work everywhere - change the help text so that it doesn't mention 3-way-merge until we implement it
2014-10-16 23:25:33 +02:00
elif ans == 'CMD_FINISHED':
return
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
sev_db = apparmor.aa.sev_db
if not sev_db:
sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown'))
Refractor prompts in utils. The following patch: - creates a class for prompt questions moving away from Perl hash hack for the purpose. - moves some functions to the methods for that class - fix options being incorrectly passed to questionPrompt in aa-mergeprof Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
load variables in ask_the_questions() Variables can be used in several rule types (from the existing *Rule classes: change_profile, dbus, ptrace, signal). It seems nobody uses variables with those rules, otherwise we'd have received a bugreport ;-) I noticed this while working on FileRule, where usage of variables is more common. The file code in bzr (not using a *Rule class) already loads the variables, so old versions don't need changes for file rule handling. However, 2.10 already has ChangeProfileRule and therefore also needs this fix. Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
2016-05-10 14:32:46 +02:00
sev_db.unload_variables()
sev_db.load_variables(get_profile_filename(profile))
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
for hat in sorted(other.aa[profile].keys()):
[41/38] let aa-mergeprof ask about new hats and subprofiles If a merged profile contains additional hats or subprofiles, the "old" aa-mergeprof silently created them as additional hasher elements (partly buggy, because subprofiles would end up as '^/subprofile' instead of 'profile /subprofile'). After switching to FileRule, aa-mergeprof crashes on new hats or subprofiles. This patch adds code to ask the user if the new hat or subprofile should be added - which means this patch replaces two bugs (crash + silently adding subprofiles and hats) with a new feature ;-) The new questions also add a new text CMD_ADDSUBPROFILE in ui.py. Finally, the new "button" combinations get added to test-translations.py. If you want to test, try to aa-mergeprof this profile (the subprofile and hat are dummies, nothing ping would really require): #include <tunables/global> /{usr/,}bin/ping { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/nameservice> capability net_raw, capability setuid, network inet raw, network inet6 raw, /{,usr/}bin/ping mixr, /etc/modules.conf r, ^hat { /bin/hat r, /bin/bash px, } profile /subprofile { /bin/subprofile r, /bin/bash px, } # Site-specific additions and overrides. See local/README for details. #include <local/bin.ping> } Note that this patch is not covered by unittests, but it passed all my manual tests. Acked-by: Steve Beattie <steve@nxnw.org> Bug: https://launchpad.net/bugs/1507469
2016-10-01 20:21:06 +02:00
if not aa[profile].get(hat):
ans = ''
while ans not in ['CMD_ADDHAT', 'CMD_ADDSUBPROFILE', 'CMD_DENY']:
q = aaui.PromptQuestion()
q.headers += [_('Profile'), profile]
if other.aa[profile][hat]['profile']:
q.headers += [_('Requested Subprofile'), hat]
q.functions.append('CMD_ADDSUBPROFILE')
else:
q.headers += [_('Requested Hat'), hat]
q.functions.append('CMD_ADDHAT')
q.functions += ['CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED']
q.default = 'CMD_DENY'
ans = q.promptUser()[0]
if ans == 'CMD_FINISHED':
return
if ans == 'CMD_DENY':
continue # don't ask about individual rules if the user doesn't want the additional subprofile/hat
if other.aa[profile][hat]['profile']:
aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing subprofile')
aa[profile][hat]['profile'] = True
else:
aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing hat')
aa[profile][hat]['profile'] = False
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
#Add the includes from the other profile to the user profile
done = False
aa-mergeprof: don't ask for includes that are already there Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-16 20:22:52 +02:00
options = []
for inc in other.aa[profile][hat]['include'].keys():
Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py Add two variable references (aa and changed) in aa-mergeprof ask_the_questions() so that the code can use the short name and be more in sync with aa.py ask_the_questions(). With this patch applied, the "for ruletype in ['capability', 'network']:" block is in sync, with the exception of the sections that intentionally differ: - the check for the profile mode - the default button selection based on profile mode - the seen_events counter The patch also includes some minor whitespace fixes. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-08 22:25:44 +02:00
if not inc in aa[profile][hat]['include'].keys():
aa-mergeprof: don't ask for includes that are already there Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-16 20:22:52 +02:00
options.append('#include <%s>' %inc)
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
default_option = 1
q = aaui.PromptQuestion()
q.options = options
q.selected = default_option - 1
q.headers = [_('File includes'), _('Select the ones you wish to add')]
q.functions = ['CMD_ALLOW', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED']
q.default = 'CMD_ALLOW'
while not done and options:
ans, selected = q.promptUser()
if ans == 'CMD_IGNORE_ENTRY':
done = True
elif ans == 'CMD_ALLOW':
selection = options[selected]
Move re_match_include() to regex.py and improve it The function is basically a wrapper around a regex, so regex.py is a much better home. While on it, rename the regex to RE_INCLUDE, change it to named matches, use RE_EOL to handle comments and compile it outside the function, which should result in a (small) performance improvement. Also rewrite re_match_include(), let it check for empty include filenames ("#include <>") and let it raise AppArmorException in that case. Finally, adjust code calling it to the new location, and add some tests for re_match_include() Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
2015-06-19 21:41:41 +02:00
inc = re_match_include(selection)
Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py Add two variable references (aa and changed) in aa-mergeprof ask_the_questions() so that the code can use the short name and be more in sync with aa.py ask_the_questions(). With this patch applied, the "for ruletype in ['capability', 'network']:" block is in sync, with the exception of the sections that intentionally differ: - the check for the profile mode - the default button selection based on profile mode - the seen_events counter The patch also includes some minor whitespace fixes. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-08 22:25:44 +02:00
deleted = apparmor.aa.delete_duplicates(aa[profile][hat], inc)
aa[profile][hat]['include'][inc] = True
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
options.pop(selected)
aaui.UI_Info(_('Adding %s to the file.') % selection)
if deleted:
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
various aa-mergeprof fixes - remove some debug output (which Kshitij intentionally kept in the draft patch) - add a UI_Info to display which profile will be merged - disable the mergeprofiles.clear_common() call because it crashes (https://bugs.launchpad.net/apparmor/+bug/1382236) - disable (M)ore (CMD_OTHER) because it crashes - make (F)inish work everywhere - change the help text so that it doesn't mention 3-way-merge until we implement it
2014-10-16 23:25:33 +02:00
elif ans == 'CMD_FINISHED':
return
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
[32/38] Re-implement exec conflict handling in aa-mergeprof Replace the old (hasher-based) conflict_mode() with the new (FileRule-based) ask_conflict_mode() function. If it detects conflicting exec rules, it asks the user which one to keep. Also call ask_conflict_mode() from ask_the_questions() so that it is actually used. Note: This patch isn't covered by unittests, but I did some manual testing to make sure it works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:12:30 +02:00
# check for and ask about conflicting exec modes
self.ask_conflict_mode(profile, hat, aa[profile][hat], other.aa[profile][hat])
Centralize the 'ruletypes' list Having a list of rule types/classes at several places is annoying and error-prone. This patch centralizes the list in aa.py. This also means ask_the_question() in aa.py will now (in theory) support 'change_profile' and 'rlimit'. In practise, that doesn't change anything because logparser.py doesn't support change_profile events yet - and rlimit doesn't cause any log events. Also add some long overdue copyright headers. Acked-by: Seth Arnold <seth.arnold@canonical.com>
2015-12-04 12:01:32 +01:00
for ruletype in apparmor.aa.ruletypes:
Use generic names in aa-mergeprof Replace rule-specific names with generic names: - s/'capability'/ruletype/ - s/cap_obj/rule_obj/ - s/'network'/ruletype/ - s/net_obj/rule_obj/ Also set ruletype at the beginning of each block. The long-term goal is to have for ruletype in ['capability', 'network', ...]: with common code to handle all rule types, and having common names makes it easier to compare the blocks. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 23:03:51 +02:00
if other.aa[profile][hat].get(ruletype, False): # needed until we have proper profile initialization
for rule_obj in other.aa[profile][hat][ruletype].rules:
Update aa-mergeprof to use the NetworkRule(set) class layout aa-mergeprof still used the old aa[profile][hat][allow]['netdomain'] which no longer gets populated. This resulted in not asking for merging any network rules. This patch changes ask_the_question() to the NetworkRule(set) layout. Besides that, - don't ask for network rules that are already covered. Using is_known_rule() also fixes https://bugs.launchpad.net/apparmor/+bug/1382241 - include the audit keyword in the "Network Family" headline (I'd prefer to just use the get_clean() rule, but that's another topic) - hide "(A)llow" when merging a deny rule - as a side effect of using NetworkRule, fix crashes for 'network,' and 'network foo,' rules To avoid having to repeat the list of available "buttons" and the logic to update that list, add a available_buttons() function that returns the list of available buttons depending on rule_obj.deny and rule_obj.audit to aa.py, and import it into mergeprof. I tested all changes manually. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 01:12:38 +02:00
Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py Add two variable references (aa and changed) in aa-mergeprof ask_the_questions() so that the code can use the short name and be more in sync with aa.py ask_the_questions(). With this patch applied, the "for ruletype in ['capability', 'network']:" block is in sync, with the exception of the sections that intentionally differ: - the check for the profile mode - the default button selection based on profile mode - the seen_events counter The patch also includes some minor whitespace fixes. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-08 22:25:44 +02:00
if is_known_rule(aa[profile][hat], ruletype, rule_obj):
Update aa-mergeprof to use the NetworkRule(set) class layout aa-mergeprof still used the old aa[profile][hat][allow]['netdomain'] which no longer gets populated. This resulted in not asking for merging any network rules. This patch changes ask_the_question() to the NetworkRule(set) layout. Besides that, - don't ask for network rules that are already covered. Using is_known_rule() also fixes https://bugs.launchpad.net/apparmor/+bug/1382241 - include the audit keyword in the "Network Family" headline (I'd prefer to just use the get_clean() rule, but that's another topic) - hide "(A)llow" when merging a deny rule - as a side effect of using NetworkRule, fix crashes for 'network,' and 'network foo,' rules To avoid having to repeat the list of available "buttons" and the logic to update that list, add a available_buttons() function that returns the list of available buttons depending on rule_obj.deny and rule_obj.audit to aa.py, and import it into mergeprof. I tested all changes manually. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 01:12:38 +02:00
continue
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
default_option = 1
options = []
Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py Add two variable references (aa and changed) in aa-mergeprof ask_the_questions() so that the code can use the short name and be more in sync with aa.py ask_the_questions(). With this patch applied, the "for ruletype in ['capability', 'network']:" block is in sync, with the exception of the sections that intentionally differ: - the check for the profile mode - the default button selection based on profile mode - the seen_events counter The patch also includes some minor whitespace fixes. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-08 22:25:44 +02:00
newincludes = match_includes(aa[profile][hat], ruletype, rule_obj)
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
q = aaui.PromptQuestion()
if newincludes:
Unify code for network and capability rules in aa-mergeprof This means: a) for capability rules: - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - always display options, even if only one is available - use available_buttons(), which means to add the CMD_AUDIT_* button - add handling for CMD_AUDIT_* button - CMD_ALLOW: only add rule_obj if the user didn't select a #include - move around some code to get it in sync with network rule handling b) for network rules - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - call rule_obj.severity() (not implemented for network rules, does nothing) - change messages to generic 'Adding %s to profile.' - move around some code to get it in sync with capability rule handling The only remaining difference is in q.headers[] and the variables feeding it: - capability rules show "Capability: foo" - network rules show "Network Family: foo" and "Socket type: bar" Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:02:02 +02:00
options += list(map(lambda inc: '#include <%s>' % inc, sorted(set(newincludes))))
[24/38] Add propose_file_rules() to propose globbed etc. file rules in aa-logprof aa.py: - add propose_file_rules() - will propose matching paths from existing rules in the profile or one of the includes - save user_globs if user selects '(N)ew' (will be re-used when proposing rules) - change user_globs to a dict so that it can carry the human-readable path and an AARE object for it - change order_globs() to ensure the original path (given as parameter) is always the last item in the resulting list - add a ruletype switch to ask_the_questions() so that it uses propose_file_rules() for file events (I don't like this ruletype-specific solution too much, but everything else would make things even more complicated) Also keep aa-mergeprof ask_the_questions() in sync with aa.py. In FileRule, add original_perms (might be set by propose_file_rules()) Finally, add some tests to ensure propose_file_rules() does what it promises. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:04:42 +02:00
if ruletype == 'file' and rule_obj.path:
options += propose_file_rules(aa[profile][hat], rule_obj)
else:
options.append(rule_obj.get_clean())
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
done = False
while not done:
[18/38] Re-add globbing support for file rules to aa-logprof This change also needs some other changes in ask_the_questions(): - set q.options and q.selected inside the loop (because glob() and glob_ext() add another option) - set 'selection' outside the if block to avoid doing it in nearly every if branch - make sure to add the selected rule, not just rule_obj (which doesn't contain a modified, for example globbed, rule) - skip 'deny' if an #include is selected - re-add handling for CMD_GLOB and CMD_GLOB_EXT (was lost when switching to FileRule) - add selection_to_rule_obj() helper function - add glob and glob with ext buttons in available_buttons() if rule_obj.can_glob or rule_obj.can_glob_ext Also apply the changes in ask_the_questions() to aa-mergeprof to keep it in sync with aa.py, and disable the old path handling in aa-mergeprof. Note: in its current state, aa-mergeprof will ask for some "superfluous" file permissions, and doesn't check for 'x' conflicts. One of the following patches will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 19:58:40 +02:00
q.options = options
q.selected = default_option - 1
Import some aa.py functions into aa-mergeprof by name This allows to drop the "apparmor.aa." prefix in ask_the_question() to get the code more in sync with aa.py ask_the_question(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:17:25 +02:00
q.headers = [_('Profile'), combine_name(profile, hat)]
aa-mergeprof: move creating the headers for capabilty and network rules inside the loop Move the code to set q.headers, q.functions and q.default for network and capability rules inside the "while not done" loop. This ensures to always have valid headers (for example, after changing the audit qualifier, the severity was "lost" before) and avoids some duplicated code. Also drop a useless "if True:" condition and change the whitespace of the following lines. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:09:38 +02:00
q.headers += rule_obj.logprof_header()
Import some aa.py functions into aa-mergeprof by name This allows to drop the "apparmor.aa." prefix in ask_the_question() to get the code more in sync with aa.py ask_the_question(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:17:25 +02:00
# Load variables into sev_db? Not needed/used for capabilities and network rules.
aa-mergeprof: move creating the headers for capabilty and network rules inside the loop Move the code to set q.headers, q.functions and q.default for network and capability rules inside the "while not done" loop. This ensures to always have valid headers (for example, after changing the audit qualifier, the severity was "lost" before) and avoids some duplicated code. Also drop a useless "if True:" condition and change the whitespace of the following lines. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:09:38 +02:00
severity = rule_obj.severity(sev_db)
if severity != sev_db.NOT_IMPLEMENTED:
q.headers += [_('Severity'), severity]
q.functions = available_buttons(rule_obj)
q.default = q.functions[0]
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
ans, selected = q.promptUser()
[18/38] Re-add globbing support for file rules to aa-logprof This change also needs some other changes in ask_the_questions(): - set q.options and q.selected inside the loop (because glob() and glob_ext() add another option) - set 'selection' outside the if block to avoid doing it in nearly every if branch - make sure to add the selected rule, not just rule_obj (which doesn't contain a modified, for example globbed, rule) - skip 'deny' if an #include is selected - re-add handling for CMD_GLOB and CMD_GLOB_EXT (was lost when switching to FileRule) - add selection_to_rule_obj() helper function - add glob and glob with ext buttons in available_buttons() if rule_obj.can_glob or rule_obj.can_glob_ext Also apply the changes in ask_the_questions() to aa-mergeprof to keep it in sync with aa.py, and disable the old path handling in aa-mergeprof. Note: in its current state, aa-mergeprof will ask for some "superfluous" file permissions, and doesn't check for 'x' conflicts. One of the following patches will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 19:58:40 +02:00
selection = options[selected]
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
if ans == 'CMD_IGNORE_ENTRY':
done = True
break
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
various aa-mergeprof fixes - remove some debug output (which Kshitij intentionally kept in the draft patch) - add a UI_Info to display which profile will be merged - disable the mergeprofiles.clear_common() call because it crashes (https://bugs.launchpad.net/apparmor/+bug/1382236) - disable (M)ore (CMD_OTHER) because it crashes - make (F)inish work everywhere - change the help text so that it doesn't mention 3-way-merge until we implement it
2014-10-16 23:25:33 +02:00
elif ans == 'CMD_FINISHED':
return
Unify code for network and capability rules in aa-mergeprof This means: a) for capability rules: - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - always display options, even if only one is available - use available_buttons(), which means to add the CMD_AUDIT_* button - add handling for CMD_AUDIT_* button - CMD_ALLOW: only add rule_obj if the user didn't select a #include - move around some code to get it in sync with network rule handling b) for network rules - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - call rule_obj.severity() (not implemented for network rules, does nothing) - change messages to generic 'Adding %s to profile.' - move around some code to get it in sync with capability rule handling The only remaining difference is in q.headers[] and the variables feeding it: - capability rules show "Capability: foo" - network rules show "Network Family: foo" and "Socket type: bar" Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:02:02 +02:00
elif ans.startswith('CMD_AUDIT'):
Update aa-mergeprof to use the NetworkRule(set) class layout aa-mergeprof still used the old aa[profile][hat][allow]['netdomain'] which no longer gets populated. This resulted in not asking for merging any network rules. This patch changes ask_the_question() to the NetworkRule(set) layout. Besides that, - don't ask for network rules that are already covered. Using is_known_rule() also fixes https://bugs.launchpad.net/apparmor/+bug/1382241 - include the audit keyword in the "Network Family" headline (I'd prefer to just use the get_clean() rule, but that's another topic) - hide "(A)llow" when merging a deny rule - as a side effect of using NetworkRule, fix crashes for 'network,' and 'network foo,' rules To avoid having to repeat the list of available "buttons" and the logic to update that list, add a available_buttons() function that returns the list of available buttons depending on rule_obj.deny and rule_obj.audit to aa.py, and import it into mergeprof. I tested all changes manually. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 01:12:38 +02:00
if ans == 'CMD_AUDIT_NEW':
Use generic names in aa-mergeprof Replace rule-specific names with generic names: - s/'capability'/ruletype/ - s/cap_obj/rule_obj/ - s/'network'/ruletype/ - s/net_obj/rule_obj/ Also set ruletype at the beginning of each block. The long-term goal is to have for ruletype in ['capability', 'network', ...]: with common code to handle all rule types, and having common names makes it easier to compare the blocks. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 23:03:51 +02:00
rule_obj.audit = True
rule_obj.raw_rule = None
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
else:
Use generic names in aa-mergeprof Replace rule-specific names with generic names: - s/'capability'/ruletype/ - s/cap_obj/rule_obj/ - s/'network'/ruletype/ - s/net_obj/rule_obj/ Also set ruletype at the beginning of each block. The long-term goal is to have for ruletype in ['capability', 'network', ...]: with common code to handle all rule types, and having common names makes it easier to compare the blocks. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 23:03:51 +02:00
rule_obj.audit = False
rule_obj.raw_rule = None
Update aa-mergeprof to use the NetworkRule(set) class layout aa-mergeprof still used the old aa[profile][hat][allow]['netdomain'] which no longer gets populated. This resulted in not asking for merging any network rules. This patch changes ask_the_question() to the NetworkRule(set) layout. Besides that, - don't ask for network rules that are already covered. Using is_known_rule() also fixes https://bugs.launchpad.net/apparmor/+bug/1382241 - include the audit keyword in the "Network Family" headline (I'd prefer to just use the get_clean() rule, but that's another topic) - hide "(A)llow" when merging a deny rule - as a side effect of using NetworkRule, fix crashes for 'network,' and 'network foo,' rules To avoid having to repeat the list of available "buttons" and the logic to update that list, add a available_buttons() function that returns the list of available buttons depending on rule_obj.deny and rule_obj.audit to aa.py, and import it into mergeprof. I tested all changes manually. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 01:12:38 +02:00
[25/38] Set audit mode for all options Add set_options_audit_mode() to switch the audit mode in all options offered by aa-logprof and aa-mergeprof, not only the "original" rule (in aa-logprof, this means the non-globbed rule_obj). As usual, add some tests to ensure the function works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:05:27 +02:00
options = set_options_audit_mode(rule_obj, options)
Update aa-mergeprof to use the NetworkRule(set) class layout aa-mergeprof still used the old aa[profile][hat][allow]['netdomain'] which no longer gets populated. This resulted in not asking for merging any network rules. This patch changes ask_the_question() to the NetworkRule(set) layout. Besides that, - don't ask for network rules that are already covered. Using is_known_rule() also fixes https://bugs.launchpad.net/apparmor/+bug/1382241 - include the audit keyword in the "Network Family" headline (I'd prefer to just use the get_clean() rule, but that's another topic) - hide "(A)llow" when merging a deny rule - as a side effect of using NetworkRule, fix crashes for 'network,' and 'network foo,' rules To avoid having to repeat the list of available "buttons" and the logic to update that list, add a available_buttons() function that returns the list of available buttons depending on rule_obj.deny and rule_obj.audit to aa.py, and import it into mergeprof. I tested all changes manually. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 01:12:38 +02:00
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
elif ans == 'CMD_ALLOW':
done = True
Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py Add two variable references (aa and changed) in aa-mergeprof ask_the_questions() so that the code can use the short name and be more in sync with aa.py ask_the_questions(). With this patch applied, the "for ruletype in ['capability', 'network']:" block is in sync, with the exception of the sections that intentionally differ: - the check for the profile mode - the default button selection based on profile mode - the seen_events counter The patch also includes some minor whitespace fixes. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-08 22:25:44 +02:00
changed[profile] = True
Unify code for network and capability rules in aa-mergeprof This means: a) for capability rules: - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - always display options, even if only one is available - use available_buttons(), which means to add the CMD_AUDIT_* button - add handling for CMD_AUDIT_* button - CMD_ALLOW: only add rule_obj if the user didn't select a #include - move around some code to get it in sync with network rule handling b) for network rules - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - call rule_obj.severity() (not implemented for network rules, does nothing) - change messages to generic 'Adding %s to profile.' - move around some code to get it in sync with capability rule handling The only remaining difference is in q.headers[] and the variables feeding it: - capability rules show "Capability: foo" - network rules show "Network Family: foo" and "Socket type: bar" Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:02:02 +02:00
Import some aa.py functions into aa-mergeprof by name This allows to drop the "apparmor.aa." prefix in ask_the_question() to get the code more in sync with aa.py ask_the_question(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:17:25 +02:00
inc = re_match_include(selection)
Unify code for network and capability rules in aa-mergeprof This means: a) for capability rules: - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - always display options, even if only one is available - use available_buttons(), which means to add the CMD_AUDIT_* button - add handling for CMD_AUDIT_* button - CMD_ALLOW: only add rule_obj if the user didn't select a #include - move around some code to get it in sync with network rule handling b) for network rules - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - call rule_obj.severity() (not implemented for network rules, does nothing) - change messages to generic 'Adding %s to profile.' - move around some code to get it in sync with capability rule handling The only remaining difference is in q.headers[] and the variables feeding it: - capability rules show "Capability: foo" - network rules show "Network Family: foo" and "Socket type: bar" Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:02:02 +02:00
if inc:
Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py Add two variable references (aa and changed) in aa-mergeprof ask_the_questions() so that the code can use the short name and be more in sync with aa.py ask_the_questions(). With this patch applied, the "for ruletype in ['capability', 'network']:" block is in sync, with the exception of the sections that intentionally differ: - the check for the profile mode - the default button selection based on profile mode - the seen_events counter The patch also includes some minor whitespace fixes. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-08 22:25:44 +02:00
deleted = delete_duplicates(aa[profile][hat], inc)
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py Add two variable references (aa and changed) in aa-mergeprof ask_the_questions() so that the code can use the short name and be more in sync with aa.py ask_the_questions(). With this patch applied, the "for ruletype in ['capability', 'network']:" block is in sync, with the exception of the sections that intentionally differ: - the check for the profile mode - the default button selection based on profile mode - the seen_events counter The patch also includes some minor whitespace fixes. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-08 22:25:44 +02:00
aa[profile][hat]['include'][inc] = True
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
Unify code for network and capability rules in aa-mergeprof This means: a) for capability rules: - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - always display options, even if only one is available - use available_buttons(), which means to add the CMD_AUDIT_* button - add handling for CMD_AUDIT_* button - CMD_ALLOW: only add rule_obj if the user didn't select a #include - move around some code to get it in sync with network rule handling b) for network rules - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - call rule_obj.severity() (not implemented for network rules, does nothing) - change messages to generic 'Adding %s to profile.' - move around some code to get it in sync with capability rule handling The only remaining difference is in q.headers[] and the variables feeding it: - capability rules show "Capability: foo" - network rules show "Network Family: foo" and "Socket type: bar" Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:02:02 +02:00
aaui.UI_Info(_('Adding %s to profile.') % selection)
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
if deleted:
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
aa-mergeprof: fixup some of the whitespace issues
2014-02-13 08:31:59 -08:00
Added first version of aa-mergeprof, does not include the check for conflicting ix rules yet
2013-09-23 19:32:25 +05:30
else:
[18/38] Re-add globbing support for file rules to aa-logprof This change also needs some other changes in ask_the_questions(): - set q.options and q.selected inside the loop (because glob() and glob_ext() add another option) - set 'selection' outside the if block to avoid doing it in nearly every if branch - make sure to add the selected rule, not just rule_obj (which doesn't contain a modified, for example globbed, rule) - skip 'deny' if an #include is selected - re-add handling for CMD_GLOB and CMD_GLOB_EXT (was lost when switching to FileRule) - add selection_to_rule_obj() helper function - add glob and glob with ext buttons in available_buttons() if rule_obj.can_glob or rule_obj.can_glob_ext Also apply the changes in ask_the_questions() to aa-mergeprof to keep it in sync with aa.py, and disable the old path handling in aa-mergeprof. Note: in its current state, aa-mergeprof will ask for some "superfluous" file permissions, and doesn't check for 'x' conflicts. One of the following patches will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 19:58:40 +02:00
rule_obj = selection_to_rule_obj(rule_obj, selection)
[34/38] logprof, mergeprof: cleanup superfluous rules when user adds a new rule When an user adds a new rule to a profile, cleanup / delete existing rules that are covered by the new rule, and report the number of deleted rules. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:13:49 +02:00
deleted = aa[profile][hat][ruletype].add(rule_obj, cleanup=True)
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
Unify code for network and capability rules in aa-mergeprof This means: a) for capability rules: - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - always display options, even if only one is available - use available_buttons(), which means to add the CMD_AUDIT_* button - add handling for CMD_AUDIT_* button - CMD_ALLOW: only add rule_obj if the user didn't select a #include - move around some code to get it in sync with network rule handling b) for network rules - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - call rule_obj.severity() (not implemented for network rules, does nothing) - change messages to generic 'Adding %s to profile.' - move around some code to get it in sync with capability rule handling The only remaining difference is in q.headers[] and the variables feeding it: - capability rules show "Capability: foo" - network rules show "Network Family: foo" and "Socket type: bar" Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:02:02 +02:00
aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
[34/38] logprof, mergeprof: cleanup superfluous rules when user adds a new rule When an user adds a new rule to a profile, cleanup / delete existing rules that are covered by the new rule, and report the number of deleted rules. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:13:49 +02:00
if deleted:
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
elif ans == 'CMD_DENY':
[18/38] Re-add globbing support for file rules to aa-logprof This change also needs some other changes in ask_the_questions(): - set q.options and q.selected inside the loop (because glob() and glob_ext() add another option) - set 'selection' outside the if block to avoid doing it in nearly every if branch - make sure to add the selected rule, not just rule_obj (which doesn't contain a modified, for example globbed, rule) - skip 'deny' if an #include is selected - re-add handling for CMD_GLOB and CMD_GLOB_EXT (was lost when switching to FileRule) - add selection_to_rule_obj() helper function - add glob and glob with ext buttons in available_buttons() if rule_obj.can_glob or rule_obj.can_glob_ext Also apply the changes in ask_the_questions() to aa-mergeprof to keep it in sync with aa.py, and disable the old path handling in aa-mergeprof. Note: in its current state, aa-mergeprof will ask for some "superfluous" file permissions, and doesn't check for 'x' conflicts. One of the following patches will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 19:58:40 +02:00
if re_match_include(selection):
aaui.UI_Important("Denying via an include file isn't supported by the AppArmor tools")
else:
done = True
changed[profile] = True
rule_obj = selection_to_rule_obj(rule_obj, selection)
rule_obj.deny = True
rule_obj.raw_rule = None # reset raw rule after manually modifying rule_obj
[34/38] logprof, mergeprof: cleanup superfluous rules when user adds a new rule When an user adds a new rule to a profile, cleanup / delete existing rules that are covered by the new rule, and report the number of deleted rules. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:13:49 +02:00
deleted = aa[profile][hat][ruletype].add(rule_obj, cleanup=True)
[18/38] Re-add globbing support for file rules to aa-logprof This change also needs some other changes in ask_the_questions(): - set q.options and q.selected inside the loop (because glob() and glob_ext() add another option) - set 'selection' outside the if block to avoid doing it in nearly every if branch - make sure to add the selected rule, not just rule_obj (which doesn't contain a modified, for example globbed, rule) - skip 'deny' if an #include is selected - re-add handling for CMD_GLOB and CMD_GLOB_EXT (was lost when switching to FileRule) - add selection_to_rule_obj() helper function - add glob and glob with ext buttons in available_buttons() if rule_obj.can_glob or rule_obj.can_glob_ext Also apply the changes in ask_the_questions() to aa-mergeprof to keep it in sync with aa.py, and disable the old path handling in aa-mergeprof. Note: in its current state, aa-mergeprof will ask for some "superfluous" file permissions, and doesn't check for 'x' conflicts. One of the following patches will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 19:58:40 +02:00
aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
[34/38] logprof, mergeprof: cleanup superfluous rules when user adds a new rule When an user adds a new rule to a profile, cleanup / delete existing rules that are covered by the new rule, and report the number of deleted rules. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:13:49 +02:00
if deleted:
aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
Unify code for network and capability rules in aa-mergeprof This means: a) for capability rules: - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - always display options, even if only one is available - use available_buttons(), which means to add the CMD_AUDIT_* button - add handling for CMD_AUDIT_* button - CMD_ALLOW: only add rule_obj if the user didn't select a #include - move around some code to get it in sync with network rule handling b) for network rules - move audit and deny to a new "Qualifier" header (only displayed if non-empty) - call rule_obj.severity() (not implemented for network rules, does nothing) - change messages to generic 'Adding %s to profile.' - move around some code to get it in sync with capability rule handling The only remaining difference is in q.headers[] and the variables feeding it: - capability rules show "Capability: foo" - network rules show "Network Family: foo" and "Socket type: bar" Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-06 14:02:02 +02:00
[18/38] Re-add globbing support for file rules to aa-logprof This change also needs some other changes in ask_the_questions(): - set q.options and q.selected inside the loop (because glob() and glob_ext() add another option) - set 'selection' outside the if block to avoid doing it in nearly every if branch - make sure to add the selected rule, not just rule_obj (which doesn't contain a modified, for example globbed, rule) - skip 'deny' if an #include is selected - re-add handling for CMD_GLOB and CMD_GLOB_EXT (was lost when switching to FileRule) - add selection_to_rule_obj() helper function - add glob and glob with ext buttons in available_buttons() if rule_obj.can_glob or rule_obj.can_glob_ext Also apply the changes in ask_the_questions() to aa-mergeprof to keep it in sync with aa.py, and disable the old path handling in aa-mergeprof. Note: in its current state, aa-mergeprof will ask for some "superfluous" file permissions, and doesn't check for 'x' conflicts. One of the following patches will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 19:58:40 +02:00
elif ans == 'CMD_GLOB':
if not re_match_include(selection):
globbed_rule_obj = selection_to_rule_obj(rule_obj, selection)
globbed_rule_obj.glob()
options, default_option = add_to_options(options, globbed_rule_obj.get_raw())
elif ans == 'CMD_GLOBEXT':
if not re_match_include(selection):
globbed_rule_obj = selection_to_rule_obj(rule_obj, selection)
globbed_rule_obj.glob_ext()
options, default_option = add_to_options(options, globbed_rule_obj.get_raw())
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
[20/38] Re-add '(N)ew' to aa-logprof This brings back the edit option for the path of file rules. Also add it to aa-mergeprof to keep ask_the_questions() in sync. Note: aa-mergeprof will ask about path mismatchs basically always. That's because AARE is too careful on the matching - something to be fixed in a later patch. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:01:53 +02:00
elif ans == 'CMD_NEW':
if not re_match_include(selection):
edit_rule_obj = selection_to_rule_obj(rule_obj, selection)
prompt, oldpath = edit_rule_obj.edit_header()
newpath = aaui.UI_GetString(prompt, oldpath)
if newpath:
try:
input_matches_path = rule_obj.validate_edit(newpath) # note that we check against the original rule_obj here, not edit_rule_obj (which might be based on a globbed path)
except AppArmorException:
aaui.UI_Important(_('The path you entered is invalid (not starting with / or a variable)!'))
continue
if not input_matches_path:
ynprompt = _('The specified path does not match this log entry:\n\n Log Entry: %(path)s\n Entered Path: %(ans)s\nDo you really want to use this path?') % { 'path': oldpath, 'ans': newpath }
key = aaui.UI_YesNo(ynprompt, 'n')
if key == 'n':
continue
edit_rule_obj.store_edit(newpath)
options, default_option = add_to_options(options, edit_rule_obj.get_raw())
[24/38] Add propose_file_rules() to propose globbed etc. file rules in aa-logprof aa.py: - add propose_file_rules() - will propose matching paths from existing rules in the profile or one of the includes - save user_globs if user selects '(N)ew' (will be re-used when proposing rules) - change user_globs to a dict so that it can carry the human-readable path and an AARE object for it - change order_globs() to ensure the original path (given as parameter) is always the last item in the resulting list - add a ruletype switch to ask_the_questions() so that it uses propose_file_rules() for file events (I don't like this ruletype-specific solution too much, but everything else would make things even more complicated) Also keep aa-mergeprof ask_the_questions() in sync with aa.py. In FileRule, add original_perms (might be set by propose_file_rules()) Finally, add some tests to ensure propose_file_rules() does what it promises. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:04:42 +02:00
apparmor.aa.user_globs[newpath] = AARE(newpath, True)
[20/38] Re-add '(N)ew' to aa-logprof This brings back the edit option for the path of file rules. Also add it to aa-mergeprof to keep ask_the_questions() in sync. Note: aa-mergeprof will ask about path mismatchs basically always. That's because AARE is too careful on the matching - something to be fixed in a later patch. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:01:53 +02:00
aa-mergeprof cmdline changes, disable 3-way-merge for now This is the rebased version of the patch by Kshitij Gupta <kgupta8592@gmail.com> (mostly) original patch description: Changes to facilitate 2-way merge (maybe also 3-way) of multiple profiles as discussed on IRC This patch - moves reset method to reset_aa function - modifies message displayed to user - allows processing of multiple files in 2-way merge - disables 3-way merge till new syntax has been decided The changes reflect the approach of providing arbitrary number of files using wildcards or explicitly. The changes map the profiles in the given files to their respective files in the local directory specified using -d. Then the merges take place profile-wise. Acked-by: Steve Beattie <steve@nxnw.org>.
2014-10-16 20:06:45 +02:00
else:
done = False
Updated __init_.py tested with de_DE and hi_IN translations using old apparmor-utils.mo file, not pushing remainder of files for their lack of beauty
2013-09-12 14:42:15 +05:30
Fixed the netrule persistence issue in cleanprof, some elementary work for mergeprof
2013-09-23 02:14:11 +05:30
if __name__ == '__main__':
main()
Reference in New Issue Copy Permalink