Write unix rules when saving a profile

r2637 added support for parsing unix rules, but forgot to add write
support. The result was that a profile lost its unix rules when it was
saved.

This patch adds the write_unix_rules() and write_unix() functions (based
on the write_pivot_root() and write_pivot_root_rules() functions) and
makes sure they get called at the right place.

The cleanprof testcase gets an unix rule added to ensure it's not
deleted when writing the profile. (Note that minitools_test.py is not
part of the default "make check", however I always run it.)


References: https://bugs.launchpad.net/apparmor/+bug/1522938
            https://bugzilla.opensuse.org/show_bug.cgi?id=954104



Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.

utils/apparmor/aa.py

@@ -3368,6 +3368,24 @@ def write_pivot_root(prof_data, depth):
     data += write_pivot_root_rules(prof_data, depth, 'allow')
     return data
 
+def write_unix_rules(prof_data, depth, allow):
+    pre = '  ' * depth
+    data = []
+
+    # no unix rules, so return
+    if not prof_data[allow].get('unix', False):
+        return data
+
+    for unix_rule in prof_data[allow]['unix']:
+        data.append('%s%s' % (pre, unix_rule.serialize()))
+    data.append('')
+    return data
+
+def write_unix(prof_data, depth):
+    data = write_unix_rules(prof_data, depth, 'deny')
+    data += write_unix_rules(prof_data, depth, 'allow')
+    return data
+
 def write_link_rules(prof_data, depth, allow):
     pre = '  ' * depth
     data = []
@@ -3479,6 +3497,7 @@ def write_rules(prof_data, depth):
     data += write_signal(prof_data, depth)
     data += write_ptrace(prof_data, depth)
     data += write_pivot_root(prof_data, depth)
+    data += write_unix(prof_data, depth)
     data += write_links(prof_data, depth)
     data += write_paths(prof_data, depth)
     data += write_change_profile(prof_data, depth)
@@ -3635,6 +3654,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
                          'signal': write_signal,
                          'ptrace': write_ptrace,
                          'pivot_root': write_pivot_root,
+                         'unix': write_unix,
                          'link': write_links,
                          'path': write_paths,
                          'change_profile': write_change_profile,
@@ -3650,6 +3670,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
                                 'signal',
                                 'ptrace',
                                 'pivot_root',
+                                'unix',
                                 'link',
                                 'path',
                                 'change_profile',
@@ -3666,6 +3687,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
                     'signal': True, # not handled otherwise yet
                     'ptrace': True, # not handled otherwise yet
                     'pivot_root': True, # not handled otherwise yet
+                    'unix': True, # not handled otherwise yet
                     'link': False,
                     'path': False,
                     'change_profile': False,

utils/test/cleanprof_test.in

@@ -8,6 +8,8 @@
 	allow /usr/share/X11/locale/**  r,
 	allow /home/*/** r,
 
+    unix (receive) type=dgram,
+
     ^foo {
             /etc/fstab r,
         capability dac_override,

utils/test/cleanprof_test.out

@@ -6,6 +6,8 @@
 /usr/bin/a/simple/cleanprof/test/profile {
   #include <abstractions/base>
 
+  unix (receive) type=dgram,
+
   /home/*/** r,
   /home/foo/** w,