[25/38] Set audit mode for all options

Add set_options_audit_mode() to switch the audit mode in all options
offered by aa-logprof and aa-mergeprof, not only the "original" rule
(in aa-logprof, this means the non-globbed rule_obj).

As usual, add some tests to ensure the function works as expected.


Acked-by: Steve Beattie <steve@nxnw.org>

utils/aa-mergeprof

@@ -26,7 +26,7 @@ import apparmor.ui as aaui
 
 from apparmor.aa import (add_to_options, available_buttons, combine_name, delete_duplicates,
                          get_profile_filename, is_known_rule, match_includes,
-                         propose_file_rules, selection_to_rule_obj)
+                         set_options_audit_mode, propose_file_rules, selection_to_rule_obj)
 from apparmor.aare import AARE
 from apparmor.common import AppArmorException
 from apparmor.regex import re_match_include
@@ -694,8 +694,7 @@ class Merge(object):
                                     rule_obj.audit = False
                                     rule_obj.raw_rule = None
 
-                                options[len(options) - 1] = rule_obj.get_clean()
+                                options = set_options_audit_mode(rule_obj, options)
-                                q.options = options
 
                             elif ans == 'CMD_ALLOW':
                                 done = True

utils/apparmor/aa.py

@@ -1586,8 +1586,7 @@ def ask_the_questions():
                                     rule_obj.audit = False
                                     rule_obj.raw_rule = None
 
-                                options[len(options) - 1] = rule_obj.get_clean()
+                                options = set_options_audit_mode(rule_obj, options)
-                                q.options = options
 
                             elif ans == 'CMD_ALLOW':
                                 done = True
@@ -1666,6 +1665,24 @@ def selection_to_rule_obj(rule_obj, selection):
     rule_type = type(rule_obj)
     return rule_type.parse(selection)
 
+def set_options_audit_mode(rule_obj, options):
+    '''change audit state in options (proposed rules) to audit state in rule_obj.
+       #include options will be kept unchanged
+    '''
+    new_options = []
+
+    for rule in options:
+        if re_match_include(rule):
+            new_options.append(rule)
+        else:
+            parsed_rule = selection_to_rule_obj(rule_obj, rule)
+            parsed_rule.audit = rule_obj.audit
+            parsed_rule.raw_rule = None
+            new_options.append(parsed_rule.get_raw())
+
+    return new_options
+
+
 def ask_the_questions_OLD_FILE_CODE(): # XXX unused
                 global seen_events
                 # Process all the path entries.

utils/test/test-aa.py

@@ -19,7 +19,7 @@ import sys
 
 import apparmor.aa  # needed to set global vars in some tests
 from apparmor.aa import (check_for_apparmor, get_output, get_reqs, get_interpreter_and_abstraction, create_new_profile,
-     get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir,
+     get_profile_flags, set_profile_flags, set_options_audit_mode, is_skippable_file, is_skippable_dir,
      parse_profile_start, parse_profile_data, separate_vars, store_list_var, write_header,
      var_transform, serialize_parse_profile_start, get_file_perms, propose_file_rules)
 from apparmor.aare import AARE
@@ -399,6 +399,19 @@ class AaTest_set_profile_flags(AaTestWithTempdir):
         with self.assertRaises(IOError):
             set_profile_flags('%s/file-not-found' % self.tmpdir, '/foo', 'audit')
 
+class AaTest_set_options_audit_mode(AATest):
+    tests = [
+        ((FileRule.parse('audit /foo/bar r,'),      ['/foo/bar r,', '/foo/* r,', '/** r,']                      ), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']),
+        ((FileRule.parse('audit /foo/bar r,'),      ['/foo/bar r,', 'audit /foo/* r,', 'audit /** r,']          ), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']),
+        ((FileRule.parse('/foo/bar r,'),            ['/foo/bar r,', '/foo/* r,', '/** r,']                      ), ['/foo/bar r,', '/foo/* r,', '/** r,']),
+        ((FileRule.parse('/foo/bar r,'),            ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']    ), ['/foo/bar r,', '/foo/* r,', '/** r,']),
+        ((FileRule.parse('audit /foo/bar r,'),      ['/foo/bar r,', '/foo/* r,', '#include <abstractions/base>']), ['audit /foo/bar r,', 'audit /foo/* r,', '#include <abstractions/base>']),
+    ]
+
+    def _run_test(self, params, expected):
+        rule_obj, options = params
+        new_options = set_options_audit_mode(rule_obj, options)
+        self.assertEqual(new_options, expected)
 
 class AaTest_is_skippable_file(AATest):
     def test_not_skippable_01(self):