Add profile linter #607
Add profile linter #607
Conversation
tests/profile_check.py
Outdated
| def readApparmorFile(fullpath): | ||
| '''AA file could contain multiple AA profiles''' | ||
| headers = ( | ||
| '# AppArmor.d - Full set of apparmor profiles', |
There was a problem hiding this comment.
Modernize the name? (apparmor.d -> AppArmor.d)
There was a problem hiding this comment.
I would rather not. apparmor.d refers to /etc/apparmor.d not to AppArmor. Plus I don't want to have to update all headers (again).
|
Nice work thanks a lot. It is really useful to have you working on this. I think that for now, your current structure will do it. Ideally (later), it would be nice to provide a proper I think the implementation of I am going to create a new issue where we can discuss both the structure of the linter and the list of checks it should implement. |
|
When I run the script over the profiles with That does not sound normal... Suggesting |
tests/profile_check.py
Outdated
| try: | ||
| from apparmor.regex import * | ||
| from apparmor.aa import is_skippable_file | ||
| from apparmor.rule.file import FileRule, FileRuleset | ||
| from apparmor.common import convert_regexp | ||
| try: | ||
| from apparmor.rule.variable import separate_vars | ||
| except ModuleNotFoundError: | ||
| from apparmor.aa import separate_vars | ||
|
|
||
| except ModuleNotFoundError: | ||
| raise ModuleNotFoundError(f"""Can't find 'python3-apparmor' package! Install with: | ||
| $ sudo apt install python3-apparmor""") |
There was a problem hiding this comment.
This should be move outside the main with other import.
See, for example: https://github.com/roddhjav/pass-import/blob/19805430712d3b8b82f58373e3771d21bbe1fa64/pass_import/formats/kdbx.py#L10-L16
Then in the main: https://github.com/roddhjav/pass-import/blob/19805430712d3b8b82f58373e3771d21bbe1fa64/pass_import/formats/kdbx.py#L216
That was because of trailing '\n'. What would be the policy - add to suggestion or remove from the line?
Should I remove it? Also I don't understand why your filename isn't an absolute path. |
|
We don't care if the vim syntax has a trailing line, so remove it. To be more precise, this is:
It is a full path, I manually anonymized the data. |
I don't think that's possible while preserving the check. Each line in file have trailing
Then you should delete the comment entirely because of edit history. UPD: on the other hand, it would be better to obscure it: for m in messages:
if m.get('suggestion'):
if m['suggestion'].endswith('\n'):
m['suggestion'] = m.get('suggestion').removesuffix('\n') |
| # Ensure singular '@{exec_path}' | ||
| if not gotAttach: | ||
| messages.append({'filename': fullpath, | ||
| 'profile': None, | ||
| 'severity': 'WARNING', | ||
| 'line': None, | ||
| 'reason': "'@{exec_path}' must be defined as main path attachment", | ||
| 'suggestion': None}) |
There was a problem hiding this comment.
Should we ignore orphan profiles like apparmor.d/groups/children/? (in future PRs)
There was a problem hiding this comment.
Yes, they will have to be ignored.
There was a problem hiding this comment.
profiles-m-r/pam_roles move to profiles-m-r/pam/ and also exclude?
|
Thanks, merged! For future PR, try to follow the same architecture as yamllint. |
Abstractions/tunables checks weren't done, they will take a while.
I don't know how you want to integrate it, so leaving it up to you. As well as applying the suggestions (or tell me how you see it being handled).
I will work in the same direction, after 3 weeks.
Related #570