-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More Robust aa-status Output Parser #35
Conversation
@goldwynr: Care to take a look at this? |
This change does not seem to be backward compatible with Leap 15.0 apparmor. The reason I requested for a apparmor JSON version update. |
@goldwynr: Thank you for checking this. I tried to find out with what version of AppArmor that change was released, but I can't make sense of that repo; I see the commit and the merge, but I don't see any tags or a change log. I would have added a "Requires: apparmor-utils > xy" to the spec file of this YaST module, but I'd need a version number for that. |
https://build.opensuse.org/request/show/598829
So we need to require apparmor-utils >= 2.13. |
Rather than requiring apparmor-utils >= 2.13, it is more conservative to conflict with apparmor-utils < 2.13; otherwise the package will always drag in apparmor-utils and apparmor and whatnot. This might not be desirable since yast2-apparmor might be part of a some "yast stuff" sub-pattern. |
Honestly, I would like apparmor to update the version number conveyed in JSON format, namely in apparmor/utils/apparmor/ui.py where set_json_mode is called. This would allow us to be compatible with both. This is the first communication message we send across when apparmor gets a json output, namely {'dialog': 'apparmor-json-version', 'data': '2.12'} I agree this would take longer pushing apparmor guys to put a change, but it would make "inter-operability" better. Let me push that change. |
Sure, that would be the desirable solution. But we need a bugfix now. While this is not quite as elegant, it is the pragmatic approach. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to add an unit test for this? If you already have a sample JSON output it would be nice use it in some tests...
pid = pidmap["pid"] | ||
if @prof.key?(profile_name) | ||
msg = "Active process #{pid} #{executable_name}" | ||
msg += " profile name #{profile_name}" if executable_name != profile_name |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
np: you can use the << operator:
msg += " profile name #{profile_name}" if executable_name != profile_name | |
msg << " profile name #{profile_name}" if executable_name != profile_name |
✔️ Public Jenkins job #10 successfully finished |
✔️ Internal Jenkins job #11 successfully finished |
BTW follow-up problem: https://bugzilla.suse.com/show_bug.cgi?id=1123258 Fix: PR #36 I.e. the new parser is robust enough to also understand the old JSON format. |
Trello
https://trello.com/c/3d3oJxcu/612-1121274-build-20190105-internal-error-when-trying-to-edit-settings-in-yast-apparrmor-module
Bugzilla
https://bugzilla.suse.com/show_bug.cgi?id=1121274
Problem
AppArmor profiles can also have a short name, not just the full path of the binary that is confined in AppArmor.
There was a recent change in Tumbleweed that appears to use that more heavily, and the old parser of this YaST AppArmor module was not quite robust enough to handle that; it would not find the correct profile anymore, and it tried to access a nonexistent hash key in the hash of all profiles, resulting in a
nil:NilClass (NoMethodError)
exception.Sample JSON output
Notice the entries for
nscd
:In
profiles
the name is justnscd
. Inprocesses
there is an entry for the/usr/sbin/nscd
executable, but the corresponding profile name is inprofile
in the hash in the list of processes.The profile
/etc/apparmor.d/usr.sbin.nscd
looks like this:I.e. there is the (optional!) name
nscd
and a shell glob pattern for the binaries that are to be confined in AppArmor.Fix
Extended the parser accordingly
Modularized the parser
Changed the output format from
--json
to--pretty-json
so it is actually human-readable, not only machine-readableAdded logging for easier future debugging
Test
On a fresh installation of the most recent Tumbleweed (from 2091-01-21), the problem was easy to reproduce.
With the fix, it's now working fine.