diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 7c8bef18c..ffbe384e6 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -2696,6 +2696,8 @@ def parse_profile_data(data, file, do_include):
 # Starting line of a profile
 if RE_PROFILE_START.search(line):
 (profile, hat, attachment, flags, in_contained_hat, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)
+ if attachment:
+ profile_data[profile][hat]['attachment'] = attachment
 if pps_set_profile:
 profile_data[profile][hat]['profile'] = True
 if pps_set_hat_external:
diff --git a/utils/apparmor/regex.py b/utils/apparmor/regex.py
index ccae1a70a..d0efd9853 100644
--- a/utils/apparmor/regex.py
+++ b/utils/apparmor/regex.py
@@ -100,10 +100,6 @@ def parse_profile_start_line(line, filename):
 result['profile'] = result['namedprofile']
 result['profile_keyword'] = True
- if result['attachment']:
- # XXX keep the broken behaviour until proper handling for attachment is implemented
- result['profile'] = "%s %s" % (result['profile'], result['attachment'])
-
 return result
diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py
index 1adf27e01..37717b629 100644
--- a/utils/test/test-aa.py
+++ b/utils/test/test-aa.py
@@ -151,7 +151,7 @@ class AaTest_set_profile_flags(AaTestWithTempdir):
 def test_set_flags_nochange_08(self):
 self._test_set_flags('profile /foo', 'flags=(complain)', 'complain')
 def test_set_flags_nochange_09(self):
- self._test_set_flags('profile xy /foo', 'flags=(complain)', 'complain', profile_name='xy /foo') # XXX profile_name should be 'xy'
+ self._test_set_flags('profile xy /foo', 'flags=(complain)', 'complain', profile_name='xy')
 def test_set_flags_nochange_10(self):
 self._test_set_flags('profile "/foo bar"', 'flags=(complain)', 'complain', profile_name='/foo bar')
 def test_set_flags_nochange_11(self):
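Review bot: Nothing visible in this diff exercises the new `profile_data[profile][hat]['attachment']` key set in parse_profile_data (utils/apparmor/aa.py), and the code that writes profiles back is not shown, so it should be confirmed that the write path emits the stored attachment. Since the regex.py hunk stops folding the attachment into the profile name, a tool that rewrites `profile foo /foo {` without it would presumably emit `profile foo {`, which changes what the profile attaches to and could leave the executable unconfined. A round-trip test would pin this: parse `profile foo /foo {`, assert `profile_data['foo']['foo']['attachment'] == '/foo'`, and check that the serialized header still contains `/foo`. The body of parse_profile_data starts and ends outside the hunk.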
@@ -292,7 +292,7 @@ class AaTest_parse_profile_start(AATest):
 def test_parse_profile_start_03(self):
 result = self._parse('profile foo /foo {', None, None) # named profile
- expected = ('foo /foo', 'foo /foo', '/foo', None, False, False, False) # XXX yes, that's what happens with the current code :-/
+ expected = ('foo', 'foo', '/foo', None, False, False, False)
 self.assertEqual(result, expected)
 def test_parse_profile_start_04(self):
@@ -376,7 +376,7 @@ class AaTest_serialize_parse_profile_start(AATest):
 def test_serialize_parse_profile_start_03(self):
 result = self._parse('profile foo /foo {', None, None, False, False) # named profile
- expected = ('foo /foo', 'foo /foo', '/foo', None, False, True) # XXX yes, that's what happens with the current code :-/
+ expected = ('foo', 'foo', '/foo', None, False, True)
 self.assertEqual(result, expected)
 def test_serialize_parse_profile_start_04(self):
diff --git a/utils/test/test-regex_matches.py b/utils/test/test-regex_matches.py
index 30c1b9ff1..40ad919a5 100644
--- a/utils/test/test-regex_matches.py
+++ b/utils/test/test-regex_matches.py
@@ -429,11 +429,10 @@ class Test_parse_profile_start_line(AATest):
 (' "/foo" {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
 (' profile /foo {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
 (' profile "/foo" {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
- (' profile foo /foo {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX
- (' profile foo /foo (audit) {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }), # XXX
- (' profile "foo" "/foo" {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX
- (' profile "foo bar" /foo {', { 'profile': 'foo bar /foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo bar', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX
- # XXX lines marked with XXX include the "broken" behaviour for 'profile' - they need to be changed when attachment is handled correctly
+ (' profile foo /foo {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
+ (' profile foo /foo (audit) {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }),
+ (' profile "foo" "/foo" {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
+ (' profile "foo bar" /foo {', { 'profile': 'foo bar', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo bar','attachment': '/foo', 'flags': None, 'comment': None }),
 (' /foo (complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
 (' /foo flags=(complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
 (' /foo (complain) { # x', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': '# x'}),
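Review bot: The updated table in Test_parse_profile_start_line has no case where the attachment itself contains a space and needs quoting; the nearest entries quote the profile name (`profile "foo bar" /foo {`) or a plain attachment (`profile "foo" "/foo" {`). Now that the attachment is returned separately from 'profile', an entry for `profile foo "/foo bar" {` expecting `'profile': 'foo'` and `'attachment': '/foo bar'` would document that quotes are stripped and the space is preserved. That expected value is inferred from the `"/foo"` entry, so confirm it against the regex before adding it. The list this hunk edits starts and ends outside the hunk.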