More Robust aa-status Output Parser #35
Conversation
shundhammer
changed the title
|
@goldwynr: Care to take a look at this? |
shundhammer
changed the title
|
This change does not seem to be backward compatible with Leap 15.0 apparmor. The reason I requested for a apparmor JSON version update. |
|
@goldwynr: Thank you for checking this. I tried to find out with what version of AppArmor that change was released, but I can't make sense of that repo; I see the commit and the merge, but I don't see any tags or a change log. I would have added a "Requires: apparmor-utils > xy" to the spec file of this YaST module, but I'd need a version number for that. |
|
https://build.opensuse.org/request/show/598829
So we need to require apparmor-utils >= 2.13. |
|
Rather than requiring apparmor-utils >= 2.13, it is more conservative to conflict with apparmor-utils < 2.13; otherwise the package will always drag in apparmor-utils and apparmor and whatnot. This might not be desirable since yast2-apparmor might be part of a some "yast stuff" sub-pattern. |
|
Honestly, I would like apparmor to update the version number conveyed in JSON format, namely in apparmor/utils/apparmor/ui.py where set_json_mode is called. This would allow us to be compatible with both. This is the first communication message we send across when apparmor gets a json output, namely {'dialog': 'apparmor-json-version', 'data': '2.12'} I agree this would take longer pushing apparmor guys to put a change, but it would make "inter-operability" better. Let me push that change. |
|
Sure, that would be the desirable solution. But we need a bugfix now. While this is not quite as elegant, it is the pragmatic approach. |
| pid = pidmap["pid"] | ||
| if @prof.key?(profile_name) | ||
| msg = "Active process #{pid} #{executable_name}" | ||
| msg += " profile name #{profile_name}" if executable_name != profile_name |
There was a problem hiding this comment.
np: you can use the << operator:
| msg += " profile name #{profile_name}" if executable_name != profile_name | |
| msg << " profile name #{profile_name}" if executable_name != profile_name |
|
✔️ Public Jenkins job #10 successfully finished |
|
✔️ Internal Jenkins job #11 successfully finished |
|
BTW follow-up problem: https://bugzilla.suse.com/show_bug.cgi?id=1123258 Fix: PR #36 I.e. the new parser is robust enough to also understand the old JSON format. |
Trello
https://trello.com/c/3d3oJxcu/612-1121274-build-20190105-internal-error-when-trying-to-edit-settings-in-yast-apparrmor-module
Bugzilla
https://bugzilla.suse.com/show_bug.cgi?id=1121274
Problem
AppArmor profiles can also have a short name, not just the full path of the binary that is confined in AppArmor.
There was a recent change in Tumbleweed that appears to use that more heavily, and the old parser of this YaST AppArmor module was not quite robust enough to handle that; it would not find the correct profile anymore, and it tried to access a nonexistent hash key in the hash of all profiles, resulting in a
nil:NilClass (NoMethodError)exception.Sample JSON output
{ "version": "1", "profiles": { "/usr/bin/lessopen.sh": "enforce", "/usr/lib/apache2/mpm-prefork/apache2": "enforce", "/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI": "enforce", "/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT": "enforce", "/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo": "enforce", "/usr/lib/colord": "enforce", "/usr/lib/dovecot/anvil": "enforce", "/usr/lib/dovecot/auth": "enforce", "/usr/lib/dovecot/config": "enforce", "/usr/lib/dovecot/deliver": "enforce", "/usr/lib/dovecot/dict": "enforce", "/usr/lib/dovecot/dovecot-auth": "enforce", "/usr/lib/dovecot/dovecot-lda": "enforce", "/usr/lib/dovecot/dovecot-lda//sendmail": "enforce", "/usr/lib/dovecot/imap": "enforce", "/usr/lib/dovecot/imap-login": "enforce", "/usr/lib/dovecot/lmtp": "enforce", "/usr/lib/dovecot/log": "enforce", "/usr/lib/dovecot/managesieve": "enforce", "/usr/lib/dovecot/managesieve-login": "enforce", "/usr/lib/dovecot/pop3": "enforce", "/usr/lib/dovecot/pop3-login": "enforce", "/usr/lib/dovecot/ssl-params": "enforce", "/usr/lib/dovecot/stats": "enforce", "/usr/{bin,sbin}/dnsmasq": "enforce", "/usr/{bin,sbin}/dnsmasq//libvirt_leaseshelper": "enforce", "apache2": "enforce", "apache2//DEFAULT_URI": "enforce", "apache2//HANDLING_UNTRUSTED_INPUT": "enforce", "apache2//phpsysinfo": "enforce", "avahi-daemon": "enforce", "dovecot": "enforce", "identd": "enforce", "klogd": "enforce", "mdnsd": "enforce", "nmbd": "enforce", "nscd": "enforce", "ntpd": "enforce", "nvidia_modprobe": "enforce", "nvidia_modprobe//kmod": "enforce", "ping": "enforce", "smbd": "enforce", "smbldap-useradd": "enforce", "smbldap-useradd///etc/init.d/nscd": "enforce", "syslog-ng": "enforce", "syslogd": "enforce", "traceroute": "enforce", "winbindd": "enforce" }, "processes": { "/usr/sbin/nscd": [ { "profile": "nscd", "pid": "805", "status": "enforce" } ], "/usr/sbin/avahi-daemon": [ { "profile": "avahi-daemon", "pid": "806", "status": "enforce" } ], "/usr/lib/colord": [ { "profile": "/usr/lib/colord", "pid": "1790", "status": "enforce" } ] } }Notice the entries for
nscd:In
profilesthe name is justnscd. Inprocessesthere is an entry for the/usr/sbin/nscdexecutable, but the corresponding profile name is inprofilein the hash in the list of processes.The profile
/etc/apparmor.d/usr.sbin.nscdlooks like this:I.e. there is the (optional!) name
nscdand a shell glob pattern for the binaries that are to be confined in AppArmor.Fix
Extended the parser accordingly
Modularized the parser
Changed the output format from
--jsonto--pretty-jsonso it is actually human-readable, not only machine-readableAdded logging for easier future debugging
Test
On a fresh installation of the most recent Tumbleweed (from 2091-01-21), the problem was easy to reproduce.
With the fix, it's now working fine.