From c9a1a02c835059b47edf1a9593c78d754b26f1c0 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 1 Oct 2016 20:21:06 +0200
Subject: [PATCH] [41/38] let aa-mergeprof ask about new hats and subprofiles

If a merged profile contains additional hats or subprofiles, the "old" aa-mergeprof silently created them as additional hasher elements (partly buggy, because subprofiles would end up as '^/subprofile' instead of 'profile /subprofile'). After switching to FileRule, aa-mergeprof crashes on new hats or subprofiles. This patch adds code to ask the user if the new hat or subprofile should be added - which means this patch replaces two bugs (crash + silently adding subprofiles and hats) with a new feature ;-) The new questions also add a new text CMD_ADDSUBPROFILE in ui.py. Finally, the new "button" combinations get added to test-translations.py. If you want to test, try to aa-mergeprof this profile (the subprofile and hat are dummies, nothing ping would really require): #include /{usr/,}bin/ping { #include #include #include capability net_raw, capability setuid, network inet raw, network inet6 raw, /{,usr/}bin/ping mixr, /etc/modules.conf r, ^hat { /bin/hat r, /bin/bash px, } profile /subprofile { /bin/subprofile r, /bin/bash px, } # Site-specific additions and overrides. See local/README for details. #include } Note that this patch is not covered by unittests, but it passed all my manual tests.

Acked-by: Steve Beattie
Bug: https://launchpad.net/bugs/1507469
---
 utils/aa-mergeprof | 35 ++++++++++++++++++++++++++++++++-
 utils/apparmor/ui.py | 1 +
 utils/test/test-translations.py | 2 ++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/utils/aa-mergeprof b/utils/aa-mergeprof
index cde488cce..a9a5ea743 100755
--- a/utils/aa-mergeprof
+++ b/utils/aa-mergeprof
@@ -24,7 +24,7 @@ import apparmor.cleanprofile as cleanprofile
 import apparmor.ui as aaui
 from apparmor.aa import (add_to_options, available_buttons, combine_name, delete_duplicates,
- get_profile_filename, is_known_rule, match_includes,
+ get_profile_filename, is_known_rule, match_includes, profile_storage,
 set_options_audit_mode, propose_file_rules, selection_to_rule_obj)
 from apparmor.aare import AARE
 from apparmor.common import AppArmorException
@@ -289,6 +289,39 @@ class Merge(object):
 sev_db.load_variables(get_profile_filename(profile))
 for hat in sorted(other.aa[profile].keys()):
+
+ if not aa[profile].get(hat):
+ ans = ''
+ while ans not in ['CMD_ADDHAT', 'CMD_ADDSUBPROFILE', 'CMD_DENY']:
+ q = aaui.PromptQuestion()
+ q.headers += [_('Profile'), profile]
+
+ if other.aa[profile][hat]['profile']:
+ q.headers += [_('Requested Subprofile'), hat]
+ q.functions.append('CMD_ADDSUBPROFILE')
+ else:
+ q.headers += [_('Requested Hat'), hat]
+ q.functions.append('CMD_ADDHAT')
+
+ q.functions += ['CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED']
+
+ q.default = 'CMD_DENY'
+
+ ans = q.promptUser()[0]
+
+ if ans == 'CMD_FINISHED':
+ return
+
+ if ans == 'CMD_DENY':
+ continue # don't ask about individual rules if the user doesn't want the additional subprofile/hat
+
+ if other.aa[profile][hat]['profile']:
+ aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing subprofile')
+ aa[profile][hat]['profile'] = True
+ else:
+ aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing hat')
+ aa[profile][hat]['profile'] = False
+
 #Add the includes from the other profile to the user profile
 done = False
diff --git a/utils/apparmor/ui.py b/utils/apparmor/ui.py
index 1a1d5a91d..49af11154 100644
--- a/utils/apparmor/ui.py
+++ b/utils/apparmor/ui.py
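Review bot: Whether `if ans == 'CMD_DENY': continue` sits inside the `while` loop or after it cannot be recovered from this hunk's collapsed whitespace, and that placement decides whether a denial is honoured: inside the loop, `continue` only re-tests the loop condition, which is now false because 'CMD_DENY' is in the accepted list, so execution falls through to the `profile_storage(...)` calls and the denied hat or subprofile is created and its rules are asked about anyway. The check belongs at the indentation of the `while`, i.e. after the loop, so that `continue` applies to `for hat in sorted(other.aa[profile].keys())` as the trailing comment describes; please confirm the indentation in the committed file. A short comment on `q.default = 'CMD_DENY'` would also help later readers, e.g. `# default to not adding: a hat/subprofile taken from the other profile may carry rules granting new permissions, so the user must opt in`. ask_the_questions() starts before this hunk and continues past it.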
@@ -254,6 +254,7 @@ CMDS = {'CMD_ALLOW': _('(A)llow'),
 'CMD_GLOB': _('(G)lob'),
 'CMD_GLOBEXT': _('Glob with (E)xtension'),
 'CMD_ADDHAT': _('(A)dd Requested Hat'),
+ 'CMD_ADDSUBPROFILE': _('(A)dd Requested Subprofile'),
 'CMD_USEDEFAULT': _('(U)se Default Hat'),
 'CMD_SCAN': _('(S)can system log for AppArmor events'),
 'CMD_HELP': _('(H)elp'),
diff --git a/utils/test/test-translations.py b/utils/test/test-translations.py
index 5a0228001..0ddd8a484 100644
--- a/utils/test/test-translations.py
+++ b/utils/test/test-translations.py
@@ -32,6 +32,8 @@ class TestHotkeyConflicts(AATest):
 (['CMD_YES', 'CMD_NO', 'CMD_CANCEL'], True), # ui.py UI_YesNo() and UI_YesNoCancel
 (['CMD_SAVE_CHANGES', 'CMD_VIEW_CHANGES', 'CMD_ABORT', 'CMD_IGNORE_ENTRY'], True), # aa-mergeprof act()
 (['CMD_ALLOW', 'CMD_ABORT'], True), # aa-mergeprof conflict_mode()
+ (['CMD_ADDSUBPROFILE', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa-mergeprof ask_the_questions() - new subprofile
+ (['CMD_ADDHAT', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa-mergeprof ask_the_questions() - new hat
 ]
 def _run_test(self, params, expected):