utils: Add option to aa-easyprof to specify the apparmor_parser path

When testing against a clean system without the apparmor_parser binary installed, the test-aa-easyprof.py script ends up skipping profile verification because it can't find the parser binary. This even causes a test failure due to the test_genpolicy_invalid_template_policy test. Adding a --parser option to aa-easyprof is the first step in addressing this problem. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-08-22 10:07:12 +00:00 · 2017-03-02 21:24:05 +00:00 · 2017-03-02 21:24:05 +00:00 · b98e9df766
commit b98e9df766
parent 7066649144
2 changed files with 23 additions and 8 deletions
--- a/utils/aa-easyprof.pod
+++ b/utils/aa-easyprof.pod
@ -57,6 +57,12 @@ for supported policy groups. The available policy groups are in
 AppArmor rules or policies. They are similar to AppArmor abstractions, but
 usually encompass more policy rules.

+=item --parser PATH
+
+Specify the PATH of the apparmor_parser binary to use when verifying
+policy. If this option is not specified, aa-easyprof will attempt to
+locate the path starting with /sbin/apparmor_parser.
+
 =item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS

 Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is
--- a/utils/apparmor/easyprof.py
+++ b/utils/apparmor/easyprof.py
@ -259,14 +259,11 @@ def open_file_read(path):
    return orig


-def verify_policy(policy, base=None, include=None):
+def verify_policy(policy, exe, base=None, include=None):
    '''Verify policy compiles'''
-    exe = "/sbin/apparmor_parser"
-    if not os.path.exists(exe):
-        rc, exe = cmd(['which', 'apparmor_parser'])
-        if rc != 0:
-            warn("Could not find apparmor_parser. Skipping verify")
-            return True
+    if not exe:
+        warn("Could not find apparmor_parser. Skipping verify")
+        return True

    fn = ""
    # if policy starts with '/' and is one line, assume it is a path
@ -309,6 +306,14 @@ class AppArmorEasyProfile:
        if os.path.isfile(self.conffile):
            self._get_defaults()

+        self.parser_path = '/sbin/apparmor_parser'
+        if opt.parser_path:
+            self.parser_path = opt.parser_path
+        elif not os.path.exists(self.parser_path):
+            rc, self.parser_path = cmd(['which', 'apparmor_parser'])
+            if rc != 0:
+                self.parser_path = None
+
        self.parser_base = "/etc/apparmor.d"
        if opt.parser_base:
            self.parser_base = opt.parser_base
@ -680,7 +685,7 @@ class AppArmorEasyProfile:

        if no_verify:
            debug("Skipping policy verification")
-        elif not verify_policy(policy, self.parser_base, self.parser_include):
+        elif not verify_policy(policy, self.parser_path, self.parser_base, self.parser_include):
            msg("\n" + policy)
            raise AppArmorException("Invalid policy")

@ -823,6 +828,10 @@ def check_for_manifest_arg_append(option, opt_str, value, parser):

 def add_parser_policy_args(parser):
    '''Add parser arguments'''
+    parser.add_option("--parser",
+                      dest="parser_path",
+                      help="The path to the profile parser used for verification",
+                      metavar="PATH")
    parser.add_option("-a", "--abstractions",
                      action="callback",
                      callback=check_for_manifest_arg,