mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00

Finally implement attachment handling

This patch implements attachment handling - aa-logprof now works with
profiles that have an attachment defined, instead of ignoring audit.log
entries for those profiles.

Changes:
- parse_profile_start_line(): remove workaround that merged the
  attachment into the profile name
- parse_profile_data(): store attachment when parsing a profile
- update test_parse_profile_start_03, test_serialize_parse_profile_start_03,
  test_set_flags_nochange_09 and some parse_profile_start_line() tests -
  they now expect correct attachment handling


Acked-by: Steve Beattie <steve@nxnw.org>
Christian Boltz 2015-04-03 17:26:26 +02:00
parent bb3c972de9
commit a0a044f346
4 changed files with 9 additions and 12 deletions


@ -2696,6 +2696,8 @@ def parse_profile_data(data, file, do_include):
# Starting line of a profile # Starting line of a profile
if RE_PROFILE_START.search(line): if RE_PROFILE_START.search(line):
(profile, hat, attachment, flags, in_contained_hat, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat) (profile, hat, attachment, flags, in_contained_hat, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)
if attachment:
profile_data[profile][hat]['attachment'] = attachment
if pps_set_profile: if pps_set_profile:
profile_data[profile][hat]['profile'] = True profile_data[profile][hat]['profile'] = True
if pps_set_hat_external: if pps_set_hat_external:
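Review bot: The attachment is now kept only in `profile_data[profile][hat]['attachment']`, and nothing in this hunk shows the code that writes profiles back reading that key. The workaround removed elsewhere in this commit carried the attachment inside the profile name, so if the writer is not updated, a profile rewritten by aa-logprof could lose its attachment and end up applying to a different set of executables than its author intended. A round-trip test that parses a `profile foo /foo {` file, serializes it and compares the header line would pin this down. Because the assignment sits under `if attachment:`, the key may be missing for profiles without one (unless `profile_data` supplies defaults), so a comment such as `# stored separately from the profile name; not set when the profile has no attachment` would help readers of the dict. parse_profile_data's body starts and ends outside the hunk.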


@ -100,10 +100,6 @@ def parse_profile_start_line(line, filename):
result['profile'] = result['namedprofile'] result['profile'] = result['namedprofile']
result['profile_keyword'] = True result['profile_keyword'] = True
if result['attachment']:
# XXX keep the broken behaviour until proper handling for attachment is implemented
result['profile'] = "%s %s" % (result['profile'], result['attachment'])
return result return result


@ -151,7 +151,7 @@ class AaTest_set_profile_flags(AaTestWithTempdir):
def test_set_flags_nochange_08(self): def test_set_flags_nochange_08(self):
self._test_set_flags('profile /foo', 'flags=(complain)', 'complain') self._test_set_flags('profile /foo', 'flags=(complain)', 'complain')
def test_set_flags_nochange_09(self): def test_set_flags_nochange_09(self):
self._test_set_flags('profile xy /foo', 'flags=(complain)', 'complain', profile_name='xy /foo') # XXX profile_name should be 'xy' self._test_set_flags('profile xy /foo', 'flags=(complain)', 'complain', profile_name='xy')
def test_set_flags_nochange_10(self): def test_set_flags_nochange_10(self):
self._test_set_flags('profile "/foo bar"', 'flags=(complain)', 'complain', profile_name='/foo bar') self._test_set_flags('profile "/foo bar"', 'flags=(complain)', 'complain', profile_name='/foo bar')
def test_set_flags_nochange_11(self): def test_set_flags_nochange_11(self):
@ -292,7 +292,7 @@ class AaTest_parse_profile_start(AATest):
def test_parse_profile_start_03(self): def test_parse_profile_start_03(self):
result = self._parse('profile foo /foo {', None, None) # named profile result = self._parse('profile foo /foo {', None, None) # named profile
expected = ('foo /foo', 'foo /foo', '/foo', None, False, False, False) # XXX yes, that's what happens with the current code :-/ expected = ('foo', 'foo', '/foo', None, False, False, False)
self.assertEqual(result, expected) self.assertEqual(result, expected)
def test_parse_profile_start_04(self): def test_parse_profile_start_04(self):
@ -376,7 +376,7 @@ class AaTest_serialize_parse_profile_start(AATest):
def test_serialize_parse_profile_start_03(self): def test_serialize_parse_profile_start_03(self):
result = self._parse('profile foo /foo {', None, None, False, False) # named profile result = self._parse('profile foo /foo {', None, None, False, False) # named profile
expected = ('foo /foo', 'foo /foo', '/foo', None, False, True) # XXX yes, that's what happens with the current code :-/ expected = ('foo', 'foo', '/foo', None, False, True)
self.assertEqual(result, expected) self.assertEqual(result, expected)
def test_serialize_parse_profile_start_04(self): def test_serialize_parse_profile_start_04(self):


@ -429,11 +429,10 @@ class Test_parse_profile_start_line(AATest):
(' "/foo" {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }), (' "/foo" {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
(' profile /foo {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }), (' profile /foo {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
(' profile "/foo" {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }), (' profile "/foo" {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
(' profile foo /foo {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX (' profile foo /foo {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
(' profile foo /foo (audit) {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }), # XXX (' profile foo /foo (audit) {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }),
(' profile "foo" "/foo" {', { 'profile': 'foo /foo','profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX (' profile "foo" "/foo" {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
(' profile "foo bar" /foo {', { 'profile': 'foo bar /foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo bar', 'attachment': '/foo', 'flags': None, 'comment': None }), # XXX (' profile "foo bar" /foo {', { 'profile': 'foo bar', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo bar','attachment': '/foo', 'flags': None, 'comment': None }),
# XXX lines marked with XXX include the "broken" behaviour for 'profile' - they need to be changed when attachment is handled correctly
(' /foo (complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }), (' /foo (complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
(' /foo flags=(complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }), (' /foo flags=(complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
(' /foo (complain) { # x', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': '# x'}), (' /foo (complain) { # x', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': '# x'}),
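Review bot: The visible cases cover a quoted profile name containing a space (`profile "foo bar" /foo {`) but none where the quoted attachment itself contains a space, and that path matters more now that `attachment` is consumed on its own instead of being merged into the name. Consider adding a case along the lines of (constructed) `(' profile foo "/foo bar" {', { 'profile': 'foo', ..., 'attachment': '/foo bar', ... })`, with the expected value confirmed against the regex rather than taken from this note. The test list starts and ends outside the hunk, so such a case may already exist elsewhere.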