[apparmor] [PATCH 7/8] utils: Add option to aa-easyprof to specify the apparmor_parser path
Tyler Hicks
tyhicks at canonical.com
Wed Feb 8 22:01:44 UTC 2017
When testing against a clean system without the apparmor_parser binary
installed, the test-aa-easyprof.py script ends up skipping profile
verification because it can't find the parser binary. This even causes a
test failure due to the test_genpolicy_invalid_template_policy test.
Adding a --parser option to aa-easyprof is the first step in addressing
this problem.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Cc: Christian Boltz <apparmor at cboltz.de>
Cc: Jamie Strandboge <jamie at ubuntu.com>
---
utils/aa-easyprof.pod | 6 ++++++
utils/apparmor/easyprof.py | 25 +++++++++++++++++--------
2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/utils/aa-easyprof.pod b/utils/aa-easyprof.pod
index 1a08408..88288b7 100644
--- a/utils/aa-easyprof.pod
+++ b/utils/aa-easyprof.pod
@@ -57,6 +57,12 @@ for supported policy groups. The available policy groups are in
AppArmor rules or policies. They are similar to AppArmor abstractions, but
usually encompass more policy rules.
+=item --parser PATH
+
+Specify the PATH of the apparmor_parser binary to use when verifying
+policy. If this option is not specified, aa-easyprof will attempt to
+locate the path starting with /sbin/apparmor_parser.
+
=item -a ABSTRACTIONS, --abstractions=ABSTRACTIONS
Specify ABSTRACTIONS as a comma-separated list of AppArmor abstractions. It is
diff --git a/utils/apparmor/easyprof.py b/utils/apparmor/easyprof.py
index 01c7fd6..c6e6932 100644
--- a/utils/apparmor/easyprof.py
+++ b/utils/apparmor/easyprof.py
@@ -259,14 +259,11 @@ def open_file_read(path):
return orig
-def verify_policy(policy, base=None, include=None):
+def verify_policy(policy, exe, base=None, include=None):
'''Verify policy compiles'''
- exe = "/sbin/apparmor_parser"
- if not os.path.exists(exe):
- rc, exe = cmd(['which', 'apparmor_parser'])
- if rc != 0:
- warn("Could not find apparmor_parser. Skipping verify")
- return True
+ if not exe:
+ warn("Could not find apparmor_parser. Skipping verify")
+ return True
fn = ""
# if policy starts with '/' and is one line, assume it is a path
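Review bot: verify_policy() still returns True when `exe` is falsy, so a caller cannot tell a policy that compiled from one that was never checked, and the one-line docstring does not say so. I would document the contract, e.g. `'''Verify policy compiles with the parser at exe; returns True without verifying when exe is not set'''`. Separately, `exe` is inserted as the second positional parameter, so any caller outside this patch that passes `base` positionally would now hand it over as the parser path; the call in the @@ -680 hunk is updated, other callers are not visible here. The function body continues outside the hunk.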
@@ -309,6 +306,14 @@ class AppArmorEasyProfile:
if os.path.isfile(self.conffile):
self._get_defaults()
+ self.parser_path = '/sbin/apparmor_parser'
+ if opt.parser_path:
+ self.parser_path = opt.parser_path
+ elif not os.path.exists(self.parser_path):
+ rc, self.parser_path = cmd(['which', 'apparmor_parser'])
+ if rc != 0:
+ self.parser_path = None
+
self.parser_base = "/etc/apparmor.d"
if opt.parser_base:
self.parser_base = opt.parser_base
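Review bot: The value of `--parser` is stored in `self.parser_path` without any check, so a mistyped or non-executable path is only discovered when verify_policy() tries to run it, and how that failure is reported is outside this hunk. Since the user asked for a specific parser, failing early is clearer: `if not os.access(opt.parser_path, os.X_OK): raise AppArmorException("Could not find parser '%s'" % opt.parser_path)` placed before the assignment. In the fallback branch it is worth confirming that cmd() strips the trailing newline from the `which` output before the result is used as a path. The enclosing method of AppArmorEasyProfile starts and ends outside the hunk.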
@@ -680,7 +685,7 @@ class AppArmorEasyProfile:
if no_verify:
debug("Skipping policy verification")
- elif not verify_policy(policy, self.parser_base, self.parser_include):
+ elif not verify_policy(policy, self.parser_path, self.parser_base, self.parser_include):
msg("\n" + policy)
raise AppArmorException("Invalid policy")
@@ -823,6 +828,10 @@ def check_for_manifest_arg_append(option, opt_str, value, parser):
def add_parser_policy_args(parser):
'''Add parser arguments'''
+ parser.add_option("--parser",
+ dest="parser_path",
+ help="The path to the profile parser used for verification",
+ metavar="PATH")
parser.add_option("-a", "--abstractions",
action="callback",
callback=check_for_manifest_arg,
--
2.7.4