[apparmor] [patch] [15/38] Change handle_children() and ask_the_questions() to FileRule
Steve Beattie
steve at nxnw.org
Thu Sep 22 19:24:24 UTC 2016
On Wed, Sep 21, 2016 at 10:28:04PM +0200, Christian Boltz wrote:
> as promised in
> Re: [apparmor] [patch] utils/test/test-aa.py: skip tests that break with python2.7
> some minutes ago, here's v2:
>
> [patch] [15/38] Change handle_children() and ask_the_questions() to FileRule
>
> This patch changes handle_children() (which asks about exec events) and
> ask_the_questions() (which asks everything else) to FileRule. This
> solves the "brain split" introduced by the previous patch.
>
> This means aa-logprof and aa-genprof ask useful questions again, and
> store the answers at the right place.
>
> In detail, this means (with '-' line number from the diff)
> - (391) handle_binfmt(): use FileRule. Also avoid breakage if glob_common()
>   returns an empty result.
> - (484) profile_storage(): drop profile['allow']['path'] and
>   profile['deny']['path']
> - (510) create_new_profile(): switch to FileRule
> - (1190..1432) lots of changes in handle_children():
>   - drop escaping (done in FileRule)
>   - don't add events with 'x' perms to prelog
>   - use is_known_rule() instead of profile_known_exec()
>   - replace several regexes for the selected CMD_* with more readable
>     'in' clauses. While on it, drop unused parts of the regex.
>   - use plain 'ix', 'px' (as str) instead of str_to_mode() format
>   - call handle_binfmt() for the interpreter in ix, Pix and Cix rules
> - (1652) ask_the_questions(): disable the old file-specific code
>   (not dropped because some features aren't ported to FileRule yet)
> - (2336) collapse_log():
>   - convert file log events to FileRule (and add some workarounds and
>     TODOs for logparser.py behaviour that needs to change)
>   - disable the old file-specific code (not dropped because merging of
>     existing permissions isn't ported to FileRule yet)
> - (2403) drop now unused validate_profile_mode() and the regexes it used
> - (3374) drop now unused profile_known_exec()
>
> Test changes:
> - adjust fake_ldd to handle /bin/bash
> - change test-aa.py AaTest_create_new_profile to expect FileRule instead
>   of a path hasher. Also copy the profiles to the tempdir and load the
>   abstractions that are needed by the test.
>
>
> Important: Some nice-to-have features are not yet implemented for
> FileRule:
> - globbing
> - (N)ew (allowing the user to enter a custom path)
> - displaying and merging of permissions already existing in the profile
>
> This means: aa-logprof works, but it's not as user-friendly as before.
> The next patches will fix that ;-)
>
> ---
>
> v2 brings two changes to the test-aa.py part of this patch:
> - refresh the first hunk so that it can be applied again (broken by
>   Steve's 'import sys' addition)
> - skip the extended AaTest_create_new_profile on py2 because changing
>   apparmor.aa.cfg['settings']['ldd'] doesn't work for some reason
>
>
> [ 15-use-FileRule-in-logprof.diff ]

Phew, that's a lot of changes. FYI, the pyflakes portion of the utils
tests fails with the renamed ask_the_questions() function, due to it
referencing undefined symbols (aamode, profile, hat). But I don't
think that should block committing this; therefore
Acked-by: Steve Beattie <steve at nxnw.org>. Thanks.

--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/