[apparmor] logprof / genprof - displaying profile diff

John Johansen john.johansen at canonical.com
Sat Jun 26 05:50:16 BST 2010 

On 06/25/2010 02:54 PM, Christian Boltz wrote:
> Hello,
> 
> I have a little enhancement request for logprof and genprof.
> 
> Before saving the profile, you can view the diff to the old profile. 
> That's nice, but not really useful if the profile uses hats because you 
> usually can't see in which hat the change happened.
> 
> I don't know if genprof/logprof are calling "diff" or have internal diff 
> routines. In case "diff" is called, the following options should work:
>     diff  -u -F '{[^}]*$'  old.profile new.profile
> 
> Example output:
> 
> --- /etc/apparmor.d/usr.sbin.httpd2-prefork     2010-06-20 
> 01:31:54.000000000 +0200
> +++ /tmp/usr.sbin.httpd2-prefork        2010-06-25 23:30:11.000000000 
> +0200
> @@ -468,6 +468,7 @@   ^vhost_cboltz {
>      /etc/ld.so.cache r,
>      /home/www/cboltz.de/httpdocs/cboltz.de/tmp/ rw,
>      /home/www/cboltz.de/httpdocs/tmp/ rw,
> +    /foo/bar rw,
>  
>    }
> 
> -> notice the "^vhost_cboltz {" in the line starting with @@
> 
> The regex might fail in some rare cases (the only one I can think of 
> right now: comment in the same line, with a "}" in the comment). That's 
> probably fixable with a longer regex that allows '#.*$' instead of only 
> '$' - but I'm not sure if it's worth the added complexity.
> The worst thing that can happen is that the hat name is not listed in 
> the @@ line.
> 
> 
> (Sidenote: request based on openSUSE 11.1 / AppArmor 2.3 tools)
> 
> 
Thanks Christian,

genprof is using diff and I have only run a quick test on the patch
below, but it seems to work.  I'll do some more testing before
requesting a commit.  If any one is interested in testing you can
apply it with patch -p1 /usr/share/perl5/Immunix/SubDomain.pm

--- utils/SubDomain.pm  2010-03-26 13:51:21 +0000
+++ utils/SubDomain.pm  2010-06-26 04:24:48 +0000
@@ -4389,7 +4389,7 @@
 
     my $difftmp = new File::Temp(UNLINK => 0);
     my @diff;
-    system("diff -u $oldtmp $newtmp > $difftmp");
+    system("diff -u -F '{[^}]*$' $oldtmp $newtmp > $difftmp");
     while (<$difftmp>) {
         push(@diff, $_) unless (($_ =~ /^(---|\+\+\+)/) ||
                                 ($_ =~ /^\@\@.*\@\@$/));

More information about the AppArmor mailing list