aa-easyprof shouldn't verify existence of abstraction files during profile generation
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | Fix Released | Medium | Tyler Hicks | |
Bug Description
I don't feel like aa-easyprof should be verifying that an abstraction file exists at profile generation time. The reason is that aa-easyprof could be run as part of the package build stage, prior to the package install stage, but the abstractions specified with the --abstractions=
In other words, the existence of a system-wide abstraction doesn't need to be verified as part of the profile generation. It only needs to exist when the profile is compiled.
Current output:
$ aa-easyprof --no-verify --profile-name=foo --abstractions=DNE
ERROR: '/etc/apparmor.
Desired output:
$ aa-easyprof --no-verify --profile-name=foo --abstractions=DNE
# vim:syntax=apparmor
# AppArmor policy for foo
# ###AUTHOR###
# ###COPYRIGHT###
# ###COMMENT###
#include <tunables/global>
# No template variables specified
profile "foo" {
#include <abstractions/base>
# Specified abstractions
#include <abstractions/DNE>
# No policy groups specified
# No read paths specified
# No write paths specified
}
This also breaks make check if the abstractions are not in /etc/apparmor.d/
Example output snippet from make check:
ERROR: test_output_directory_multiple (__main__.T)
Test output_directory (multiple)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "test-aa-easyprof.py", line 2277, in test_output_directory_multiple
    easyp.output_policy(params, dir=out_dir)
  File "/tmp/apparmor-2.10/utils/test/easyprof.py", line 672, in output_policy
    policy = self.gen_policy(**params)
  File "/tmp/apparmor-2.10/utils/test/easyprof.py", line 613, in gen_policy
    s += "\n%s%s" % (prefix, self.gen_abstraction_rule(i))
  File "/tmp/apparmor-2.10/utils/test/easyprof.py", line 511, in gen_abstraction_rule
    raise AppArmorException("%s does not exist" % p)
AppArmorException: u'/etc/apparmor.d/abstractions/gnome does not exist'
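
An added example, not part of the bug report and not aa-easyprof's own code: a sketch of the split the report asks for, where profile generation only validates the abstraction name syntactically and the existence check is deferred to the stage where the profile is compiled. All function names, the name pattern and the scratch directory are assumptions made for illustration.

```python
import os
import re
import tempfile

# Hypothetical names throughout; this is not aa-easyprof's code.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.+-]*$")
INCLUDE_RE = re.compile(r"^\s*#include\s+<abstractions/([^>]+)>\s*$", re.M)


def gen_abstraction_rule(name):
    """Build stage: validate the name syntactically, never touch the filesystem."""
    if not NAME_RE.match(name):
        raise ValueError("invalid abstraction name: %r" % name)
    return "#include <abstractions/%s>" % name


def gen_profile(profile_name, abstractions):
    """Emit a minimal profile body with the requested abstractions."""
    rules = ["  #include <abstractions/base>"]
    rules += ["  " + gen_abstraction_rule(a) for a in abstractions]
    return 'profile "%s" {\n%s\n}\n' % (profile_name, "\n".join(rules))


def missing_abstractions(profile_text, abstractions_dir):
    """Install/compile stage: report included abstractions that are absent."""
    names = INCLUDE_RE.findall(profile_text)
    return sorted(n for n in set(names)
                  if not os.path.isfile(os.path.join(abstractions_dir, n)))


def demo():
    # Constructed sample: a scratch directory standing in for
    # /etc/apparmor.d/abstractions, holding only "base".
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "base"), "w").close()
        profile = gen_profile("foo", ["DNE"])      # succeeds at build time
        before = missing_abstractions(profile, d)  # DNE not installed yet
        open(os.path.join(d, "DNE"), "w").close()  # package install happens
        after = missing_abstractions(profile, d)   # nothing missing now
        return profile, before, after


if __name__ == "__main__":
    print(demo())
```

The name pattern rejects path separators, so dropping the existence check does not let a caller point the include outside the abstractions directory.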