lp:~osomon/apparmor/newer-nvidia-abstraction-trunk

Created by Olivier Tilloy on 2017-03-06 and last modified on 2017-03-06
Get this branch:
bzr branch lp:~osomon/apparmor/newer-nvidia-abstraction-trunk

Branch information

Owner: Olivier Tilloy
Project: AppArmor
Status: Merged

Recent revisions

3646. By Olivier Tilloy on 2017-03-06

Specify device nodes instead of being too permissive.

3645. By Olivier Tilloy on 2017-03-06

Update nvidia abstraction for newer nvidia drivers.

3644. By Christian Boltz on 2017-03-03

Fix regressions caused by init_aa()

With the init_aa() patch series committed, minitools_test.py showed
several test failures - which effectively means the -d option of
aa-complain, aa-cleanprof etc. was broken.

These failures were caused by
- calling init_aa() too late in tools.py - _after_ setting the
  profiledir, which then got overwritten by init_aa()
- calling init_aa() twice (because apparmor.aa gets imported in two
  modules used by aa-cleanprof), which overwrote the manually set values
  on the second run

This patch fixes the call order in tools.py and adds a check to
init_aa() so that it only runs once and ignores additional calls.

Acked-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>
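
The two failure causes listed in revision 3644, reproduced in a simplified model. This is an added example, not code from the AppArmor tree: only the names init_aa and profiledir come from the commit message, while ToyAA, the tool_* helpers and all paths are hypothetical stand-ins.

```python
# Simplified model of the regression; not AppArmor's code.
# init_aa and profiledir are names from the commit message; the rest is hypothetical.

class ToyAA:
    """Stand-in for a module whose globals are filled in by init_aa()."""

    def __init__(self, guarded):
        self.guarded = guarded          # True: init_aa() ignores repeat calls
        self.initialized = False
        self.profiledir = None

    def init_aa(self, confdir="/etc/apparmor"):
        if self.guarded and self.initialized:
            return                      # the fix: only the first call has effect
        self.initialized = True
        # Constructed default; stands in for the value read from config files.
        self.profiledir = confdir + ".d"


def tool_buggy(aa, dir_option):
    """Broken call order: -d is applied first, then init_aa() resets it."""
    aa.profiledir = dir_option
    aa.init_aa()
    return aa.profiledir


def tool_fixed(aa, dir_option):
    """Fixed call order: initialise first, then apply -d."""
    aa.init_aa()
    aa.profiledir = dir_option
    return aa.profiledir


def second_import(aa):
    """A second module that also triggers init_aa()."""
    aa.init_aa()
    return aa.profiledir


def demo():
    d = "/tmp/test-profiles"            # constructed -d argument
    late = tool_buggy(ToyAA(guarded=False), d)
    unguarded = ToyAA(guarded=False)
    tool_fixed(unguarded, d)
    twice = second_import(unguarded)    # second call overwrites -d
    guarded = ToyAA(guarded=True)
    tool_fixed(guarded, d)
    return late, twice, second_import(guarded)

if __name__ == "__main__":
    print(demo())
```

The first two results show the -d value being lost (late call, then double call); the third shows it surviving once the call order is fixed and repeat calls are ignored.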

3643. By Christian Boltz on 2017-03-03

test-parser-simple-tests.py: No longer skip testing generated_perms_leading profiles

FileRule understands leading permissions, so the reason to skip those
(generated) test profiles in test-parser-simple-tests.py is gone.

However, the gen-xtrans.pl script generates profiles with a not-so-valid
mix of uppercase and lowercase, for example "Pux" and "Cux". The parser
accepts this, but the tools complain about such rules. Therefore add the
affected profiles to the exception list.

In total, this means we now test 319 of the 380 generated_perms_leading
test profiles.

The patch also moves some lines around to get the \-escaped profiles
out of the mixed uppercase/lowercase exec rule section.

Acked-by: Seth Arnold <email address hidden>

3642. By Tyler Hicks on 2017-03-02

utils: Fix apparmor.easyprof import in test-aa-easyprof.py

The test-aa-easyprof.py script was attempting to do its own special
setup to import the in-tree easyprof module. However, this proved to be
very flaky and resulted in the test periodically failing due to an
AttributeError the first time easyprof.parse_args() was called.

This patch removes the flakiness by trusting that PYTHONPATH is set up
appropriately before the test script is run. PYTHONPATH is already
initialized appropriately by utils/test/Makefile according to the
USE_SYSTEM make variable.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>
Acked-by: Christian Boltz <email address hidden>

3641. By Tyler Hicks on 2017-03-02

utils: Set parser executable path according to USE_SYSTEM make variable

If USE_SYSTEM is not set, the utils make check target will instruct
test-aa-easyprof.py to provide the path of the in-tree parser executable
to aa-easyprof.

If USE_SYSTEM is set, the default parser path (/sbin/apparmor_parser or
the result of `which apparmor_parser`) is used.

The test-aa-easyprof.py script receives the parser path by checking the
__AA_PARSER environment variable. This environment variable is strictly
used by the test script and not any user-facing code so two leading
underscores were used.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Christian Boltz <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3640. By Tyler Hicks on 2017-03-02

utils: Add option to aa-easyprof to specify the apparmor_parser path

When testing against a clean system without the apparmor_parser binary
installed, the test-aa-easyprof.py script ends up skipping profile
verification because it can't find the parser binary. This even causes a
test failure due to the test_genpolicy_invalid_template_policy test.

Adding a --parser option to aa-easyprof is the first step in addressing
this problem.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Christian Boltz <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3639. By Tyler Hicks on 2017-03-02

utils: Set parser base path according to USE_SYSTEM make variable

If USE_SYSTEM is not set, the utils make check target will instruct
test-aa-easyprof.py to provide the path of the in-tree
profiles/apparmor.d directory to aa-easyprof as the parser base
directory.

If USE_SYSTEM is set, the default base directory (/etc/apparmor.d) is
used.

The test-aa-easyprof.py script receives the base path by checking the
__AA_BASEDIR environment variable. This environment variable is strictly
used by the test script and not any user-facing code so two leading
underscores were used.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Christian Boltz <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3638. By Tyler Hicks on 2017-03-02

utils: Accept parser base and include options in aa-easyprof

https://launchpad.net/bugs/1521031

aa-easyprof accepts a list of abstractions to include and, by default,
execs apparmor_parser to verify the generated profile including any
abstractions. However, aa-easyprof didn't provide the same flexibility
as apparmor_parser when it came to where in the filesystem the
abstraction files could exist.

The parser supports --base (defaulting to /etc/apparmor.d) and --Include
(defaulting to unset) options to specify the search paths for
abstraction files. This patch adds the same options to aa-easyprof to
aid in two different situations:

 1) Some Ubuntu packages use aa-easyprof to generate AppArmor profiles
    at build time. Something that has been previously needed is a way
    for those packages to ship their own abstractions file(s) that are
    #included in the easyprof-generated profile. That's not been
    possible since the abstraction file(s) have not yet been installed
    during the package build.

 2) The test-aa-easyprof.py script contains some tests that specify
    abstractions that should be #included. Without the ability to
    specify a different --base or --Include directory, the abstractions
    were required to be present in /etc/apparmor.d/abstractions/ or the
    tests would fail. This prevents the Python utils from being able to
    strictly test against in-tree code/profiles/etc.

I don't like the names of the command line options --base and --Include.
They're not particularly descriptive and the capital 'I' is not user
friendly. However, I decided to preserve the name of the options from
apparmor_parser.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Christian Boltz <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3637. By Tyler Hicks on 2017-03-02

utils: Require apparmor.aa users to call init_aa()

Introduce an apparmor.aa.init_aa() method and move the initialization
code of the apparmor.aa module into it. Note that this change will break
any external users of apparmor.aa because global variables that were
previously initialized when importing apparmor.aa will not be
initialized unless a call to the new apparmor.aa.init_aa() method is
made.

The main purpose of this change is to allow the utils tests to be able
to set a non-default location for configuration files. Instead of
hard-coding the location of logprof.conf and other utils related
configuration files to /etc/apparmor/, this patch allows it to be
configured by calling apparmor.aa.init_aa(confdir=PATH).

This allows for the make check target to use the in-tree config file,
profiles, and parser by default. A helper method, setup_aa(), is added
to common_test.py that checks for an environment variable containing a
non-default configuration directory path prior to calling
apparmor.aa.init_aa(). All test scripts that use apparmor.aa are updated
to call setup_aa().

Signed-off-by: Tyler Hicks <email address hidden>
Suggested-by: Christian Boltz <email address hidden>
Acked-by: Seth Arnold <email address hidden>
Acked-by: Christian Boltz <email address hidden>

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:apparmor/2.12