[apparmor] Remove parent=XXXX for logging format
John Johansen
john.johansen at canonical.com
Thu Dec 8 19:17:02 UTC 2011
On 12/08/2011 09:54 AM, Seth Arnold wrote:
> Is libapparmor similarly well-behaved without the parent field?
I hope so, as genprof is using it. You can give it a try yourself
if you want. Do something along the lines of

  Make sure firefox doesn't have a profile
  turn off printk ratelimiting (/proc/sys/kernel/printk_ratelimit)
  aa-genprof firefox
  run firefox
  quit genprof (we were just using it to create and load the complain profile)
  grep apparmor /var/log/syslog | sed 's/parent=[^ ]*//g' > log.txt
  aa-logprof -f log.txt

I reran prof several times against such a log, trying different transitions.
px, cx, named. And they all seemed to work. Not saying it doesn't need more
testing but I was hoping people who want to object could do some testing and
bring up cases that it fails :)

> ------Original Message------
> From: John Johansen
> Sender: apparmor-bounces at lists.ubuntu.com
> To: apparmor
> Subject: [apparmor] Remove parent=XXXX for logging format
> Sent: Dec 8, 2011 7:17 AM
>
> I would like to propose we remove the parent=XXXX field from log messages.
> This used to be used for fork tracking when we used a single
> null-complain-profile. However we now use a unique profile name in place
> of a single null-complain-profile
>
> eg.
> profile="/usr/lib/firefox-8.0/firefox.sh//null-e2"
>
> this provides the parentage
> /usr/lib/firefox-8.0/firefox.sh
>
> and a unique instance to track against
> null-e2
>
>
> genprof/logprof were updated to support the new syntax several cycles
> ago, and I have done a quick test of using them on a log with the
> parent=XXXX field removed and everything seemed to work fine.
>
>
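
The parentage scheme described in the message above, as an added example that is not part of the original post and is not AppArmor's own code: it recovers the parent profile and the unique instance from the profile= name alone and checks that the result is the same after the parent= field is stripped as in the sed command. The log lines are constructed (pids, audit ids and the null-e3 instance are made up), the function names are hypothetical, and treating a last component that starts with "null-" as the complain-mode instance is an assumption based on the example in the post.

```python
import re

# Constructed sample lines in the style of AppArmor complain-mode messages.
SAMPLE_LOG = """\
Dec  8 19:00:01 host kernel: type=1400 audit(1323370801.001:10): apparmor="ALLOWED" operation="open" parent=2101 profile="/usr/lib/firefox-8.0/firefox.sh//null-e2" name="/etc/passwd" pid=2150 comm="basename" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec  8 19:00:02 host kernel: type=1400 audit(1323370802.004:11): apparmor="ALLOWED" operation="open" parent=2101 profile="/usr/lib/firefox-8.0/firefox.sh//null-e3" name="/etc/hosts" pid=2151 comm="uname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec  8 19:00:03 host kernel: type=1400 audit(1323370803.009:12): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/firefox-8.0/firefox.sh" name="/etc/fstab" pid=2101 comm="firefox.sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value or key="quoted value" pairs after the apparmor= marker.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(line):
    """Return the key/value fields of one apparmor log line, or None."""
    start = line.find("apparmor=")
    if start < 0:
        return None
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line[start:])}


def split_profile(profile):
    """Split 'parent//null-XX' into (parent, instance); instance is None otherwise."""
    parent, sep, last = profile.rpartition("//")
    if sep and last.startswith("null-"):  # assumption: null-* marks the instance
        return parent, last
    return profile, None


def strip_parent(log_text):
    """Same substitution as the sed expression in the post."""
    return re.sub(r"parent=[^ ]*", "", log_text)


def parentage(log_text):
    """Map each null-complain instance to the profile it was created under."""
    result = {}
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if not fields or "profile" not in fields:
            continue
        parent, instance = split_profile(fields["profile"])
        if instance is not None:
            result[instance] = parent
    return result


if __name__ == "__main__":
    print(parentage(strip_parent(SAMPLE_LOG)))
```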