mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00

[15/38] Change handle_children() and ask_the_questions() to FileRule

This patch changes handle_children() (which asks about exec events) and
ask_the_questions() (which asks everything else) to FileRule. This
solves the "brain split" introduced by the previous patch.

This means aa-logprof and aa-genprof ask useful questions again, and
store the answers at the right place.

In detail, this means (with '-' line numbers from the diff)
- (391) handle_binfmt(): use FileRule. Also avoid breakage if glob_common()
  returns an empty result.
- (484) profile_storage(): drop profile['allow']['path'] and
  profile['deny']['path']
- (510) create_new_profile(): switch to FileRule
- (1190..1432) lots of changes in handle_children():
  - drop escaping (done in FileRule)
  - don't add events with 'x' perms to prelog
  - use is_known_rule() instead of profile_known_exec()
  - replace several regexes for the selected CMD_* with more readable
    'in' clauses. While on it, drop unused parts of the regex.
  - use plain 'ix', 'px' (as str) instead of str_to_mode() format
  - call handle_binfmt() for the interpreter in ix, Pix and Cix rules
- (1652) ask_the_questions(): disable the old file-specific code
  (not dropped because some features aren't ported to FileRule yet)
- (2336) collapse_log():
  - convert file log events to FileRule (and add some workarounds and
    TODOs for logparser.py behaviour that needs to change)
  - disable the old file-specific code (not dropped because merging of
    existing permissions isn't ported to FileRule yet)
- (2403) drop now unused validate_profile_mode() and the regexes it used
- (3374) drop now unused profile_known_exec()

Test changes:
- adjust fake_ldd to handle /bin/bash
- change test-aa.py AaTest_create_new_profile to expect FileRule instead
  of a path hasher. Also copy the profiles to the tempdir and load the
  abstractions that are needed by the test.
  (These tests get skipped on py2 because changing
  apparmor.aa.cfg['settings']['ldd'] doesn't work for some unknown reason)


Important: Some nice-to-have features are not yet implemented for
FileRule:
- globbing
- (N)ew (allowing the user to enter a custom path)
- displaying and merging of permissions already existing in the profile

This means: aa-logprof works, but it's not as user-friendly as before.
The next patches will fix that ;-)

Also note that pyflakes will fail for ask_the_questions_OLD_FILE_CODE()
because of undefined symbols (aamode, profile, hat). This will be fixed
when the old code gets dropped in one of the later patches.


Acked-by: Steve Beattie <steve@nxnw.org>

Bug: https://launchpad.net/bugs/1569316
Christian Boltz
2016-10-01 19:55:58 +02:00
parent aaa244c5ec
commit ee7560d6ef
3 changed files with 101 additions and 125 deletions


@@ -14,6 +14,7 @@ from common_test import AATest, setup_all_loops
from common_test import read_file, write_file
import os
import shutil
import sys
import apparmor.aa # needed to set global vars in some tests
@@ -111,21 +112,35 @@ class AaTest_create_new_profile(AATest):
('foo bar', (None, None)),
]
def _run_test(self, params, expected):
apparmor.aa.cfg['settings']['ldd'] = './fake_ldd'
# for some reason, setting the ldd config option does not get
# honored in python2.7
# XXX KILL when python 2.7 is dropped XXX
if sys.version_info[0] < 3:
print("Skipping on python < 3.x")
return
self.createTmpdir()
#copy the local profiles to the test directory
self.profile_dir = '%s/profiles' % self.tmpdir
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
# load the abstractions we need in the test
apparmor.aa.profiledir = self.profile_dir
apparmor.aa.load_include('abstractions/base')
apparmor.aa.load_include('abstractions/bash')
exp_interpreter_path, exp_abstraction = expected
program = self.writeTmpfile('script', params)
profile = create_new_profile(program)
if exp_interpreter_path:
self.assertEqual(profile[program][program]['allow']['path'][exp_interpreter_path]['mode'], {'x', '::i', '::x', 'i'} )
self.assertEqual(profile[program][program]['allow']['path'][exp_interpreter_path]['audit'], set() )
self.assertEqual(profile[program][program]['allow']['path'][program]['mode'], {'r', '::r'} )
self.assertEqual(profile[program][program]['allow']['path'][program]['audit'], set() )
self.assertEqual(set(profile[program][program]['allow']['path'].keys()), {program, exp_interpreter_path} )
self.assertEqual(set(profile[program][program]['file'].get_clean()), {'%s ix,' % exp_interpreter_path, '%s r,' % program, '',
'/AATest/lib64/libtinfo.so.* mr,', '/AATest/lib64/libc.so.* mr,', '/AATest/lib64/libdl.so.* mr,', '/AATest/lib64/libreadline.so.* mr,', '/AATest/lib64/ld-linux-x86-64.so.* mr,' })
else:
self.assertEqual(profile[program][program]['allow']['path'][program]['mode'], {'r', '::r', 'm', '::m'} )
self.assertEqual(profile[program][program]['allow']['path'][program]['audit'], set() )
self.assertEqual(set(profile[program][program]['allow']['path'].keys()), {program} )
self.assertEqual(set(profile[program][program]['file'].get_clean()), {'%s mr,' % program, ''})
if exp_abstraction:
self.assertEqual(set(profile[program][program]['include'].keys()), {exp_abstraction, 'abstractions/base'})