If both the --local commandline option and use_local_profiles
configuration are specified, the commandline now takes precedence.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
aa-notify configuration now supports use_local_profiles, and this option
is documented in the manual.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
The new option --local allows user to write new rules to local profiles
instead of system profiles, enabling cleaner profile deployment.
This option support the values (yes, no and auto)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
This patch allows writing write in include files and save them to disk.
This is particularly helpful for local includes (generally used in
profiles through `include if exists <local/foo>`), and keeps the base
profile clean, avoiding breakages when the system updates profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Add support for change_onexec logs by converting them to change_profile.
Fix associated test.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1745
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
import tkinter does not automatically import tkinter.font so calls to
the latter fail if the execution environment does not already contains
it.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Profiles are now updated only at initialization and when aa-notify
itself updates a profile.
A future MR will come to read profiles individually only when an event
for this profile comes to reduce overhead, as more and more profiles are
created.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Those messages appear in various context and do not provide any useful feedback to the user, diverging from UNIX philosophy of staying quiet when there's nothing of importance to say.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1738
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true
Fix the logic of is_covered and associated tests.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
- `is_covered` was not checking priorities when checking if a rule is
covered. With this fix, a rule of lower priority can no longer cover a
higher priority one.
- Fixes `is_equal(strict=False)` so that priority=0 matches implicit
priority (as it is defaulted to zero)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Copy the optimized version from common.py to easyprof.py (shouldn't
change the behaviour).
Since get_directory_contents() is only used in easyprof.py, delete the
unused copy from common.py.
... and change all *TestParseInvalid classes to use it, instead of
having (nearly) the same function in every test-*.py.
While at it, enable the tests for abi and include rules.
In the past, this class and function were used by test-signal_parse.py -
which was deleted in April 2016 (5f58d7f124139784b9ba70ce37cc26716bbc4e0f).
Maybe there were also other users, but none of them survived.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1719
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
In the past, this class and function were used by test-signal_parse.py -
which was deleted in April 2016 (5f58d7f124139784b9ba70ce37cc26716bbc4e0f).
Maybe there were also other users, but none of them survived.
... but don't get a new value assigned.
Found by pyflakes 3.3.2 / python 3.13.3
While on it, remove some obsolete, commented out debugging code.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1708
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Parsing mount options (also) accepted partial matches as long as the
option started with the right characters. For example, 'options=syncfoo'
was parsed as 'sync'. This is also the reason why the list of mount
options was re-ordered so that 'r' and 'w' came last to give longer
options a chance to match (otherwise, 'rw' would be interpreted as 'r').
Fix parsing by adding a lookahead match so that the regex enforces that
the mount option is followed by whitespace, or is at the end of
rule_details.
Note that this issue only affected the options=foo syntax.
options=(foo) worked correctly even without this fix.
Now that this is fixed, move 'r' and 'w' back to their original position
in the list of mount options.
Also add a test where a mount rule ends with 'options=rw,' to ensure
that the '$' lookahead works.
Parsing `mount options=x` results in "Passed unknown options keyword to
MountRule: x", while parsing `mount options=xy` results in "Can't parse mount rule".
This difference happens because the code checks (besides the list of
known options) for a regex `([A-Za-z0-9])` which only matched a
single-character unknown option.
Change that regex to also match multiple characters, and also allow to
match `-` (used in some known mount options, so it's likely that it also
gets used in so far unknown mount options)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1710
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Parsing `mount options=x` results in "Passed unknown options keyword to
MountRule: x", while parsing `mount options=xy` results in "Can't parse mount rule".
This difference happens because the code checks (besides the list of
known options) for a regex `([A-Za-z0-9])` which only matched a
single-character unknown option.
Change that regex to also match multiple characters, and also allow to
match `-` (used in some known mount options, so it's likely that it also
gets used in so far unknown mount options)
The whole pattern already has `(...)*`, therefore there's no need to
make option_pattern optional.
Before this change, mount_condition_pattern could have matched
- on empty strings (it still can, thanks to the trailing `*` which can
also mean "zero matches") or
- whitespace-only strings (which is covered by the two regexes using
mount_condition_pattern - they both have `\s*` and/or `\s+` around it)
Improve #LOGPROF-SUGGEST metadata to support a set of space-separated
regexes. If this tag is present, the abstraction is only proposed to
aa-logprof if one of the regexes is matched.
If this abstraction should not be proposed to any profile, it is
possible to tell #LOGPROF-SUGGEST: no
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
The new option --show-matching-path shows a path that matches in the host
filesystem, to prove that the profile is indeed used.
Also, profiles' xattrs are now parsed into a dict and are taken in
consideration when looking for matching profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Many test provide their own implementation of cmd(). This commit makes
all of them rely on common.py implementation of cmd()
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Introduce aa-show-usage, a new helper allowing to determine which
profiles on the system are used and which are not. A profile is marked as
used when at least one file installed in the machine matches the attach point
specified in the profile.
This tool supports filtering options, allowing users to, for example,
display only unconfined profiles that are currently in use. This can
notably help sysadmins to evaluate the security of their systems.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
The tools don't support having multiple options specified in mount
rules as it is allowed in the parser.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
