lp:~cameronnemo/apparmor/gnome-abstraction

Branch merges

Propose for merging

No branches dependent on this one.

Rejected for merging into lp:apparmor/2.12

intrigeri: Disapprove on 2017-07-03

AppArmor Developers: Pending requested 2015-06-06

Diff: 21 lines (+4/-0)

1 file modified

profiles/apparmor.d/abstractions/gnome (+4/-0)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

3111. By Cameron Norman on 2015-06-06

abstractions/gnome: allow reading gschemas, gtk3 per-user config

3110. By Christian Boltz on 2015-06-06

Update comments in minitools_test.py

After switching to winbindd as test profile, comments about the ntpd
profile don't make sense anymore ;-)

The patch also includes some whitespace fixes.

Acked-by: Kshitij Gupta <email address hidden>
Acked-by: Steve Beattie <email address hidden>

3109. By Christian Boltz on 2015-06-06

Add tests for RlimitRule and RlimitRuleset

This time we only have 98% coverage (some missing and partial) because
I didn't find corner cases that raise some exceptions ;-)

Acked-by: Steve Beattie <email address hidden>

3108. By Christian Boltz on 2015-06-06

Add RlimitRule and RlimitRuleset classes

The class comes with the usual set of features, so I'll only mention a
special feature: the is_covered() and is_equal() functions can even
compare limits with different units (for example they recognize that
2minutes == 120seconds).

Also change RE_PROFILE_RLIMIT:
- make it a bit more strict (the old one accepted any chars, including
  spaces, for rlimit and value)
- convert it to named matches
- '<=' isn't optional - remove the '?' (but keep the parenthesis to
  avoid breaking parsing in aa.py)
- allow rules with no spaces around '<='

Acked-by: Steve Beattie <email address hidden>

3107. By Christian Boltz on 2015-06-06

split off parse_comment() from parse_modifiers()

This is needed for rule types that don't have modifiers in their regex, for
example rlimit rules.

Acked-by: Steve Beattie <email address hidden>

3106. By Christian Boltz on 2015-06-06

change aa-cleanprof to use reload_profile()

aa-cleanprof (actually clean_profile() in tools.py) used reload_base()
from aa.py which sends the parser output to /dev/null. This had two
effects:
- aa-cleanprof ignored the --no-reload parameter
- there was no error message because reload_base() /dev/null's the
  parser output

This patch changes clean_profile() to use reload_profile() from tools.py
(which honors the --no-reload option).

Also add a TODO note to aa.py reload_base(), the (AFAIK only) winner of
the 'useless use of cat' award in the AppArmor code.
We should really change it to use reload_profile(), even if that means
moving the function from tools.py to aa.py or common.py. And it should
not /dev/null the apparmor_parser output. ;-)

References: https://bugs.launchpad.net/apparmor/+bug/1443637

Acked-by: Steve Beattie <email address hidden>

3105. By Christian Boltz on 2015-06-06

Let aa-complain delete the disable symlink

aa-complain is part of the enforce/complain/disable triple. Therefore
I expect it to actually load a profile in complain mode.

To do this, it has to delete the 'disable' symlink, but set_complain()
in aa.py didn't do this (and therefore kept the profile disabled).

Acked-by: Kshitij Gupta <email address hidden>

3104. By Christian Boltz on 2015-06-06

Let aa-audit print a warning if a profile is disabled

Users might expect that setting a profile into audit mode also activates
it (which shouldn't happen IMHO because the audit flag is not part of
the enforce/complain/disable triple), so we should at least tell them.

References: https://bugs.launchpad.net/apparmor/+bug/1429448

Acked-by: Kshitij Gupta <email address hidden>

3103. By Christian Boltz on 2015-06-06

Allow aa-complain etc. to change profiles for non-existing binaries

aa-complain, aa-enforce, aa-disable and aa-audit refused to change
profiles for non-existing binaries. This patch also allows paths
starting with /. This also makes it possible to use
    aa-complain '/{usr/,}bin/ping'
and
    aa-complain /etc/apparmor.d/bin.ping

This patch fixes https://bugs.launchpad.net/apparmor/+bug/1416346

Well, mostly - we still need to decide how we handle wildcards in
profile names:
    aa-complain ping
    aa-complain /usr/bin/ping
will still error out with "Profile not found" because it isn't an exact
match (and matching the wildcard would change more than the user wants).

Oh, and this patch also fixes the last failure in minitools_test.py.

Acked-by: Steve Beattie <email address hidden> for trunk and 2.9

3102. By Christian Boltz on 2015-06-06

Fix all tests in minitools_test.py

Change minitools_test.py to use the winbind instead of the ntpd profile
for testing. The tests broke because the ntpd profile has the
attach_disconnected flag set now, and therefore didn't match the
expected flags anymore.

Also replace the usage of filecmp.cmp() in the cleanprof test with
reading the file and using assertEqual - this has the advantage that we
get a full diff instead of just "files differ".

Note: The aa-cleanprof test is still failing because of a bug in
tools.py, but will be fixed by the next patch.
See https://bugs.launchpad.net/apparmor/+bug/1416346 for details.

Acked-by: Kshitij Gupta <email address hidden>