mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

utils: Add option to aa-easyprof to specify the apparmor_parser path

Browse Source 
When testing against a clean system without the apparmor_parser binary
installed, the test-aa-easyprof.py script ends up skipping profile
verification because it can't find the parser binary. This even causes a
test failure due to the test_genpolicy_invalid_template_policy test.

Adding a --parser option to aa-easyprof is the first step in addressing
this problem.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
Tyler Hicks 2017-03-02 21:24:05 +00:00
parent 7066649144
commit b98e9df766
2 changed files with 23 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
utils/aa-easyprof.pod
View File

@ -57,6 +57,12 @@ for supported policy groups. The available policy groups are in
AppArmor rules or policies. They are similar to AppArmor abstractions, but AppArmor rules or policies. They are similar to AppArmor abstractions, but
usually encompass more policy rules. usually encompass more policy rules.
=item --parser PATH
Specify the PATH of the apparmor_parser binary to use when verifying
policy. If this option is not specified, aa-easyprof will attempt to
locate the path starting with /sbin/apparmor_parser.
=item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS =item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is

25
utils/apparmor/easyprof.py
View File

@ -259,14 +259,11 @@ def open_file_read(path):
return orig return orig
def verify_policy(policy, base=None, include=None): def verify_policy(policy, exe, base=None, include=None):
'''Verify policy compiles''' '''Verify policy compiles'''
exe = "/sbin/apparmor_parser" if not exe:
if not os.path.exists(exe): warn("Could not find apparmor_parser. Skipping verify")
rc, exe = cmd(['which', 'apparmor_parser']) return True
if rc != 0:
warn("Could not find apparmor_parser. Skipping verify")
return True
fn = "" fn = ""
# if policy starts with '/' and is one line, assume it is a path # if policy starts with '/' and is one line, assume it is a path
@ -309,6 +306,14 @@ class AppArmorEasyProfile:
if os.path.isfile(self.conffile): if os.path.isfile(self.conffile):
self._get_defaults() self._get_defaults()
self.parser_path = '/sbin/apparmor_parser'
if opt.parser_path:
self.parser_path = opt.parser_path
elif not os.path.exists(self.parser_path):
rc, self.parser_path = cmd(['which', 'apparmor_parser'])
if rc != 0:
self.parser_path = None
self.parser_base = "/etc/apparmor.d" self.parser_base = "/etc/apparmor.d"
if opt.parser_base: if opt.parser_base:
self.parser_base = opt.parser_base self.parser_base = opt.parser_base
@ -680,7 +685,7 @@ class AppArmorEasyProfile:
if no_verify: if no_verify:
debug("Skipping policy verification") debug("Skipping policy verification")
elif not verify_policy(policy, self.parser_base, self.parser_include): elif not verify_policy(policy, self.parser_path, self.parser_base, self.parser_include):
msg("\n" + policy) msg("\n" + policy)
raise AppArmorException("Invalid policy") raise AppArmorException("Invalid policy")
@ -823,6 +828,10 @@ def check_for_manifest_arg_append(option, opt_str, value, parser):
def add_parser_policy_args(parser): def add_parser_policy_args(parser):
'''Add parser arguments''' '''Add parser arguments'''
parser.add_option("--parser",
dest="parser_path",
help="The path to the profile parser used for verification",
metavar="PATH")
parser.add_option("-a", "--abstractions", parser.add_option("-a", "--abstractions",
action="callback", action="callback",
callback=check_for_manifest_arg, callback=check_for_manifest_arg,