From b98e9df766fede3f621d5ba60a60f0f13c096e3f Mon Sep 17 00:00:00 2001
From: Tyler Hicks
Date: Thu, 2 Mar 2017 21:24:05 +0000
Subject: [PATCH] utils: Add option to aa-easyprof to specify the apparmor_parser path
When testing against a clean system without the apparmor_parser binary installed, the test-aa-easyprof.py script ends up skipping profile verification because it can't find the parser binary. This even causes a test failure due to the test_genpolicy_invalid_template_policy test. Adding a --parser option to aa-easyprof is the first step in addressing this problem.
Signed-off-by: Tyler Hicks
Acked-by: Christian Boltz
Acked-by: Seth Arnold
---
 utils/aa-easyprof.pod | 6 ++++++
 utils/apparmor/easyprof.py | 25 +++++++++++++++++--------
 2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/utils/aa-easyprof.pod b/utils/aa-easyprof.pod
index 31687bf94..56ef257b2 100644
--- a/utils/aa-easyprof.pod
+++ b/utils/aa-easyprof.pod
@@ -57,6 +57,12 @@ for supported policy groups. The available policy groups are in
 AppArmor rules or policies. They are similar to AppArmor abstractions, but usually encompass more policy rules.
+=item --parser PATH
+
+Specify the PATH of the apparmor_parser binary to use when verifying
+policy. If this option is not specified, aa-easyprof will attempt to
+locate the path starting with /sbin/apparmor_parser.
+
 =item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
 Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is
diff --git a/utils/apparmor/easyprof.py b/utils/apparmor/easyprof.py
index 01c7fd6a5..c6e693270 100644
--- a/utils/apparmor/easyprof.py
+++ b/utils/apparmor/easyprof.py
@@ -259,14 +259,11 @@ def open_file_read(path):
 return orig
-def verify_policy(policy, base=None, include=None):
+def verify_policy(policy, exe, base=None, include=None):
 '''Verify policy compiles'''
- exe = "/sbin/apparmor_parser"
- if not os.path.exists(exe):
- rc, exe = cmd(['which', 'apparmor_parser'])
- if rc != 0:
- warn("Could not find apparmor_parser. Skipping verify")
- return True
+ if not exe:
+ warn("Could not find apparmor_parser. Skipping verify")
+ return True
 fn = ""
 # if policy starts with '/' and is one line, assume it is a path
@@ -309,6 +306,14 @@ class AppArmorEasyProfile:
 if os.path.isfile(self.conffile):
 self._get_defaults()
+ self.parser_path = '/sbin/apparmor_parser'
+ if opt.parser_path:
+ self.parser_path = opt.parser_path
+ elif not os.path.exists(self.parser_path):
+ rc, self.parser_path = cmd(['which', 'apparmor_parser'])
+ if rc != 0:
+ self.parser_path = None
+
 self.parser_base = "/etc/apparmor.d"
 if opt.parser_base:
 self.parser_base = opt.parser_base
@@ -680,7 +685,7 @@ class AppArmorEasyProfile:
 if no_verify:
 debug("Skipping policy verification")
- elif not verify_policy(policy, self.parser_base, self.parser_include):
+ elif not verify_policy(policy, self.parser_path, self.parser_base, self.parser_include):
 msg("\n" + policy)
 raise AppArmorException("Invalid policy")
@@ -823,6 +828,10 @@ def check_for_manifest_arg_append(option, opt_str, value, parser):
 def add_parser_policy_args(parser):
 '''Add parser arguments'''
+ parser.add_option("--parser",
+ dest="parser_path",
+ help="The path to the profile parser used for verification",
+ metavar="PATH")
 parser.add_option("-a", "--abstractions",
 action="callback",
 callback=check_for_manifest_arg,
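Review bot: In the `@@ -259,14 +259,11 @@` hunk, `exe` is inserted as a required second positional parameter of `verify_policy()`, so a caller outside this patch that still passes `base` positionally would have that directory bound to `exe`, and a caller passing only `policy` would raise `TypeError`. Only the call site in the `@@ -680,7 +685,7 @@` hunk is updated here, so any other callers (the test script, for example) are worth checking. The `if not exe:` branch also keeps returning `True`, which means a missing parser is reported to the caller as a successful verification with only a warning. I would state both facts in the docstring, e.g. `'''Verify policy compiles with the parser at exe; returns True without verifying when exe is empty'''`. The function body continues past the end of the hunk.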
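Review bot: In the `@@ -309,6 +306,14 @@` hunk, a path given with `--parser` is stored without the existence check that the default `/sbin/apparmor_parser` gets, so a mistyped path is only discovered when `verify_policy()` tries to use it. A check before the assignment would fail early with a clear message: `if not (os.path.isfile(opt.parser_path) and os.access(opt.parser_path, os.X_OK)):` followed by `raise AppArmorException("Could not find parser '%s'" % opt.parser_path)`. The `which` fallback assigns the output of `cmd()` to `self.parser_path` as returned; `cmd()` is not visible here, but if it hands back the raw output the value would end in a newline and should be stripped. That fallback also resolves the binary through the caller's `PATH`, which deserves a comment because the pod text says this binary is the one used to verify policy. The enclosing method starts and ends outside the hunk.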
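Review bot: The `help` string for `--parser` in the `@@ -823,6 +828,10 @@` hunk does not say what happens when the option is omitted, although the pod text added by this patch documents the `/sbin/apparmor_parser` starting point. Something like `help="The path to the profile parser used for verification (default: /sbin/apparmor_parser, then a PATH lookup)"` keeps `--help` consistent with the man page. `add_parser_policy_args` continues past the end of the hunk.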