Created by Tyler Hicks and last modified
Get this branch:
bzr branch lp:~tyhicks/apparmor/stacking

Branch information

Tyler Hicks

Recent revisions

3389. By Christian Boltz

Fix wrong usage of write_prof_data in serialize_profile_from_old_profile()

write_prof_data[hat] is correct (it only contains one profile, see bug 1528139),
write_prof_data[profile][hat] is not and returns an empty (sub)hasher.


Acked-by: Kshitij Gupta <email address hidden> for trunk, 2.9 and 2.10

3388. By Tyler Hicks

parser: Clean up pivot_root target parsing

Instead of reusing opt_named_transition and being forced to reconstruct the
target path when it looks like ":odd:target", create simpler grammar
rules that have nothing to do with named transitions and namespaces.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: John Johansen <email address hidden>

3387. By Christian Boltz

Change log_dict to use profile_storage() and simplify log translation

a) change log_dict to profile_storage()

Change collapse_log() to initialize log_dict[aamode][profile][hat]
as profile_storage() instead of a hasher().

This also means path events need to go into
instead of
to match the profile_storage() layout.

b) Simplify log translation

The translation from logparser.py's output to *Rule events was more ugly
than needed. This patch removes one step.

Instead of translating log_dict to log_obj in ask_the_questions(), add
*Rule objects to log_dict and adjust ask_the_questions() to use log_dict
instead of log_obj.

This also means log_obj in ask_the_questions() is now superfluous and
can be removed.

c) Other small changes:

- use is_known_rule() instead of .is_covered() for capability events,
  which means included files are also checked now.

- remove the "if rule_obj.log_event != aamode:" check, because
  a) it depends on the content of *Rule.log_event (which means it
     ignores events with log_event != 'ALLOWING' or 'REJECTING'
  b) it's superfluous because the whole code section is wrapped in a
     "for aamode in sorted(log.dict.keys())" which means we have
     separate loops for enforce and complain mode already

Acked-by: Kshitij Gupta <email address hidden>

3386. By Christian Boltz

aa.py get_output(): raise exception on non-executable or non-existing programs

If the program specified as get_output param isn't executable or doesn't
exist at all, get_output() returns with ret = -1.

Raising an exception looks like a better option, especially because
other possible exec failures already raise an exception ("Unable to

Note: get_output is only used by get_reqs() which also does the
os.access() check for x permissions (and raises an exception), so in
practice raising an exception in get_output() doesn't change anything.

This change also allows rewriting and simplifying get_output() quite a bit.

Another minor change (and fix) is in the removal of the last line. The
old code removed the last line if output contained at least two items.
This had two not-so-nice effects:
- an empty output resulted in [''] instead of []
- if a command didn't add a \n on the last line, this line was deleted

The patch changes that to always remove the last line if it is empty,
which fixes both issues mentioned above.

Also add a test to ensure the exception is really raised, and adjust the
test that expects an empty stdout.

Acked-by: Kshitij Gupta <email address hidden>
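The two behaviours this revision describes, raising on a non-executable or non-existing program instead of returning ret = -1, and dropping the last output line only when it is empty, are shown here as an added Python example. This is not aa.py's own get_output(); the function names, the comparison helper for the old behaviour, and the run_python_snippet() wrapper (which runs the current interpreter so the example works offline) are assumptions made for illustration.

```python
import os
import subprocess
import sys


def old_strip_last_line(lines):
    # Pre-patch behaviour (hypothetical reconstruction from the commit message):
    # the last item is dropped whenever there are at least two items, regardless
    # of its content. An empty output therefore stays [''] and a final line
    # without a trailing '\n' is lost.
    if len(lines) > 1:
        return lines[:-1]
    return lines


def strip_trailing_empty_line(lines):
    # Post-patch behaviour: only remove the last line if it is empty, which is
    # what str.split('\n') leaves behind when the output ended with '\n'.
    if lines and lines[-1] == '':
        return lines[:-1]
    return lines


def get_output(params):
    """Run params[0] with its arguments; return (returncode, list of stdout lines).

    Hypothetical reimplementation: a program that does not exist or is not
    executable raises OSError instead of signalling failure with ret = -1.
    """
    program = params[0]
    if not (os.path.isfile(program) and os.access(program, os.X_OK)):
        raise OSError('Unable to execute %s: not an executable file' % program)
    proc = subprocess.run(params, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, check=False)
    lines = proc.stdout.decode('utf-8', 'replace').split('\n')
    return proc.returncode, strip_trailing_empty_line(lines)


def run_python_snippet(code):
    # Helper so the example runs anywhere: execute a snippet with the current
    # interpreter, which is guaranteed to exist and be executable.
    return get_output([sys.executable, '-c', code])


def raises_on_missing(program):
    # True if get_output() refuses to run a non-existing/non-executable program.
    try:
        get_output([program])
    except OSError:
        return True
    return False


if __name__ == '__main__':
    print(run_python_snippet('print("a"); print("b")'))          # (0, ['a', 'b'])
    print(run_python_snippet('pass'))                             # (0, [])
    print(run_python_snippet('import sys; sys.stdout.write("x")'))  # (0, ['x'])
    print(old_strip_last_line(['']), strip_trailing_empty_line(['']))
    print(raises_on_missing('/AATest/does-not-exist'))            # True
```

The constructed path '/AATest/does-not-exist' mirrors the '/AATest' prefix the test suite uses for fake paths; it is only a placeholder that must not exist on the machine running the example.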

3385. By Christian Boltz

Add tests for aa.py get_output() and get_reqs()

To make these tests independent from the underlying system, add a
fake_ldd script that provides hardcoded ldd output for the "known"
executables and libraries.

To avoid interference with the real system (especially symlinks), all
paths in fake_ldd have '/AATest' prepended.

Acked-by: Kshitij Gupta <email address hidden>

3384. By Christian Boltz

Add more ruletypes to the cleanprof test profiles

To ensure aa-cleanprof works as expected (and writing the rules works
as expected), add some rules for every rule class to the cleanprof.in
and cleanprof.out test profiles.

Acked-by: Kshitij Gupta <email address hidden>

3383. By Christian Boltz

Make sure 'x' log events always come with type 'exec'

According to a discussion with John on IRC, denied_mask="x" can only
happen for 'exec' log events. This patch raises an exception if John
is wrong ;-)

Acked-by: Kshitij Gupta <email address hidden>

3382. By Christian Boltz

handle_binfmt: resolve symlinks in library paths

This should happen rarely, but nevertheless it can happen - and since
AppArmor needs the symlink target in the profile, we have to resolve all

Acked-by: Kshitij Gupta <email address hidden>

3381. By Christian Boltz

Drop unused function split_name() in aa.py

Acked-by: Kshitij Gupta <email address hidden>

3380. By Christian Boltz

Prevent crash caused by serialize_profile_from_old_profile()

If a profile file contains multiple profiles and one of those profiles
contains a rule managed by a *Ruleset class,
serialize_profile_from_old_profile() crashes with an AttributeError.

This happens because profile_data / write_prof_data contain only one
profile with its hats, which explodes if a file contains multiple
profiles, as reported in lp#1528139

Fixing this would need lots of
    write_prof_data[hat] -> write_prof_data[profile][hat]
changes (and of course also a change in the calling code) or, better
option, a full rewrite of serialize_profile_from_old_profile().

Unfortunately I don't have the time to do the rewrite at the moment (I
have other things on my TODO list), and changing write_prof_data[hat] ->
write_prof_data[profile][hat] is something that might introduce more
breakage, so I'm not too keen to do that.

Therefore this patch wraps the serialize_profile_from_old_profile() call
in try/except. If it fails, the diff will include an error message and
recommend to use 'View Changes b/w (C)lean profiles' instead, which is
known to work.

Note: I know using an error message as 'newprofile' isn't a usual way
to display an error message, but I found it more intuitive than
displaying it as a warning (without $PAGER).

References: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139

Acked-by: Seth Arnold <email address hidden> for trunk and 2.10

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: