Merge branch 'cboltz-abi-2.13' into 'apparmor-2.13'

2.13: Add basic support for abi rules to the tools

Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.

On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.

Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does not run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.

BTW: Even serialize_profile_from_old_profile() can handle abi rules :-)

This is a backport of 072d3e04 / !202 (merged) to
2.13 (with some adjustments because that commit didn't appy cleanly)

I propose this patch for 2.10..2.13

PR: https://gitlab.com/apparmor/apparmor/merge_requests/216
Acked-by: John Johansen <john.johansen@canonical.com>

utils/apparmor/aa.py

@@ -40,7 +40,7 @@ import apparmor.ui as aaui
 from apparmor.aamode import str_to_mode, split_mode
 
 from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
-                            RE_PROFILE_ALIAS,
+                            RE_ABI, RE_PROFILE_ALIAS,
                             RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, RE_PROFILE_CONDITIONAL,
                             RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,
                             RE_PROFILE_CHANGE_HAT,
@@ -49,7 +49,7 @@ from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
                             RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
                             strip_quotes, parse_profile_start_line, re_match_include )
 
-from apparmor.profile_storage import ProfileStorage, add_or_remove_flag, ruletypes
+from apparmor.profile_storage import ProfileStorage, add_or_remove_flag, ruletypes, write_abi
 
 import apparmor.rules as aarules
 
@@ -2313,6 +2313,16 @@ def parse_profile_data(data, file, do_include):
             # Conditional Boolean defined
             pass
 
+        elif RE_ABI.search(line):
+            if profile:
+                profile_data[profile][hat]['abi'].append(line)
+            else:
+                if not filelist.get(file):
+                    filelist[file] = hasher()
+                if not filelist[file].get('abi'):
+                    filelist[file]['abi'] = []
+                filelist[file]['abi'].append(line)
+
         elif re_match_include(line):
             # Include files
             include_name = re_match_include(line)
@@ -2781,7 +2791,8 @@ def write_file(prof_data, depth):
     return data
 
 def write_rules(prof_data, depth):
-    data = write_alias(prof_data, depth)
+    data = write_abi(prof_data, depth)
+    data += write_alias(prof_data, depth)
     data += write_list_vars(prof_data, depth)
     data += write_includes(prof_data, depth)
     data += write_rlimits(prof_data, depth)
@@ -2871,6 +2882,7 @@ def serialize_profile(profile_data, name, options):
 
     prof_filename = get_profile_filename(name)
     if filelist.get(prof_filename, False):
+        data += write_abi(filelist[prof_filename], 0)
         data += write_alias(filelist[prof_filename], 0)
         data += write_list_vars(filelist[prof_filename], 0)
         data += write_includes(filelist[prof_filename], 0)
@@ -2943,7 +2955,8 @@ def serialize_profile_from_old_profile(profile_data, name, options):
     with open_file_read(prof_filename) as f_in:
         profile = None
         hat = None
-        write_methods = {'alias': write_alias,
+        write_methods = {'abi': write_abi,
+                         'alias': write_alias,
                          'lvar': write_list_vars,
                          'include': write_includes,
                          'rlimit': write_rlimits,

utils/apparmor/profile_storage.py

@@ -52,6 +52,7 @@ class ProfileStorage:
             data[rule] = ruletypes[rule]['ruleset']()
 
         data['alias']            = dict()
+        data['abi']              = []
         data['include']          = dict()
         data['localinclude']     = dict()
         data['lvar']             = dict()
@@ -131,3 +132,14 @@ def add_or_remove_flag(flags, flag_to_change, set_flag):
             flags.remove(flag_to_change)
 
     return sorted(flags)
+
+def write_abi(ref, depth):
+    pre = '  ' * depth
+    data = []
+
+    if ref.get('abi'):
+        for line in ref.get('abi'):
+            data.append('%s%s' % (pre, line))
+        data.append('')
+
+    return data

utils/apparmor/regex.py

@@ -132,6 +132,7 @@ def parse_profile_start_line(line, filename):
 
     return result
 
+RE_ABI = re.compile('^\s*#?abi\s*(<(?P<magicpath>.*)>|"(?P<quotedpath>.*)"|(?P<unquotedpath>[^<>"]*))' + RE_COMMA_EOL)
 
 RE_INCLUDE = re.compile('^\s*#?include\s*(<(?P<magicpath>.*)>|"(?P<quotedpath>.*)"|(?P<unquotedpath>[^<>"]*))' + RE_EOL)
 

utils/test/cleanprof_test.in

@@ -2,6 +2,7 @@
 #include <tunables/global>
 
 		alias /foo    ->    /bar	,
+  abi  <abi/4.19>    ,
 
 /usr/bin/a/simple/cleanprof/test/profile {
 	# Just for the heck of it, this comment wont see the day of light
@@ -14,6 +15,7 @@
     change_profile,
 
     network inet stream,
+               abi  "abi/4.20"    ,
     network stream,
 
 	#Below rule comes from abstractions/base

utils/test/cleanprof_test.out

@@ -1,3 +1,5 @@
+abi  <abi/4.19>    ,
+
 alias /foo -> /bar,
 
 #include <tunables/global>
@@ -6,6 +8,8 @@ alias /foo -> /bar,
 
 
 /usr/bin/a/simple/cleanprof/test/profile {
+  abi  "abi/4.20"    ,
+
   #include <abstractions/base>
 
   set rlimit nofile <= 256,