Comparing files in .../local with the original profile files

[curiosityseeker]

I'm usually collecting rules over several days or even weeks before submitting PRs. Sometimes it's a bit tedious to check if the rules in the local file have been added to the profile in the meantime (e.g. by an added abstraction) or to clean up the local files afterwords particularly if I don't do it immediately and/or new PRs come in.

I'm using this little script to make things a bit easier:

#!/bin/bash

temphosts1=$(mktemp)
temphosts2=$(mktemp)

sedblock="
s/[[:blank:]]//g 
s/r,/  r,/ 
s/rk,/  rk,/
s/rk->/  rk -> / 
s/rw,/  rw,/ 
s/rwk,/  rwk,/ 
s/rwk->/  rwk -> /
s/rwl,/  rwl,/ 
s/rwl->/  rwl -> /
s/rwkl,/  rwkl,/ 
s/rwkl->/  rwkl -> /
s/rix,/  rix,/ 
s/rPx,/  rPx,/
s/rpx,/  rpx,/ 
s/rPUx,/  rPUx,/ 
s/w,/  w,/ 
s/wk,/  wk,/ 
s/wk->/  wk -> /
s/wl,/  wl,/ 
s/wl->/  wl -> /
s/k,/  k,/
s/k->/  k -> /
s/l,/  l,/ 
s/l->/  l -> /
"


sed "$sedblock" /etc/apparmor.d/"$1" | cat > "$temphosts1"

sed "$sedblock" /etc/apparmor.d/local/"$1" | cat > "$temphosts2"


# Replace grep with ugrep for nicer output

echo "Show identical entries in profile and local:"
echo
ug -xF -f "$temphosts1" "$temphosts2"
echo
echo "Show entries in local not present in profile:"
echo
ug -vxF -f "$temphosts1" "$temphosts2"

The usual diff tools show too much for these cases, IMO.

Needless to say that the output produced by this script is only reliable if the syntax in both files is the same, e.g. the variable names - hence, applying something like this to the local file beforehand makes probably sense. And it doesn't catch cases where new rules were added by an abstraction.

Does anybody have a more comprehensive or more straight-forward approach?

EDIT:

I'm now using difftastic. It's a simple one-liner that does what I want:

difft --display inline /etc/apparmor.d/"$1" /etc/apparmor.d/local/"$1"

[curiosityseeker]

I've modified the script to get a better output. However, strange things happen:

owner @{user_config_dirs}/kconf_updaterc.* r wk l,

Any ideas how to fix this?

[roddhjav]

Did you have a look at aa-mergeprof, it is supposed to solve this kind of issue.

[curiosityseeker]

Thanks! No, I hadn't as I had not been aware of it. Now I've tried and got an error which seems to be a similar one like this.

[curiosityseeker]

Script updated with a much simpler version which should work reliably. Again, the syntax in both files must be identical, and the script cannot detect rules in included abstractions.

[curiosityseeker]

Back to another version as the previous one didn't work when there was a different number of invisible characters before the access modes.

It should work in most cases - but there is one problem in cases with combined access modes, like:

owner/var/lib/sddm/.cache/#@{int}  r  w  k,
owner/var/lib/sddm/.cache/fontconfig/*  w  k,

As I'm a very lousy coder at best I don't know to avoid the blanks between the access modes. Anyone?

[curiosityseeker]

Post1 contains a new version which is simplified by putting the sed expressions into a variable and which is beautified using shellcheck.

The problem mentioned in the last post (blanks within combined access modes) is not yet solved. So if anyone has an idea how to do it - please give it me ;-)

[curiosityseeker]

Closing as using difftastic is a much simpler solution. See the edit in the first post.