[apparmor] Profile Templating

Christian Boltz apparmor at cboltz.de
Sun Mar 27 12:52:56 UTC 2011


Am Sonntag, 27. März 2011 schrieb John Johansen:
> On 03/26/2011 03:24 PM, Christian Boltz wrote:

> > As an example: logprof always adds new rules to the main profile.
> > It should offer an option to add a rule to a include'd file.
> well not just that it would be nice if we had some smarts as to show
> when rules are common across profiles.

... and, while you are on it, if they come from an abstraction.

> >     #include content <bin.ping>
> thats and interesting idea


> > BTW: you can also "sell" the above grep command as a new shiny
> > "aa_create_abstraction_from_profile" tool *g*
> hehe, well I don't know about that, but a better way to create
> abstractions is needed and comming.  I have nearly finished enough of
> the parser work that we can use the backend to analyze policy, so
> that it can automatically show the grouping of common rules from all
> the profiles, even when the rules contain regexes.

Sounds very useful :-)

For me, the most important usecase will probably be to keep my apache 
vHosts/hats in sync without having to edit abstractions/whatever 
manually. (To be exact: updating abstractions/whatever is the smaller 
problem. Removing the now superfluous rule from all hats is what causes 
more work.)

> The idea being feed it all the profiles, and it will dump back out
> the sets with the rules for each set.

> {p1, p2, p3} {
>   /rule3 w,
> }
> This should help a lot in making abstractions.

Yes, indeed. As I wrote above, I'd like to see the following features:
- show common rules shared by several profiles or hats (that's what you 
  already wrote)
- offer the option to write all or some of the rules to an abstraction 
  file instead of the main profile.
  It should be possible to
  a) create a new abstraction file
  b) update an existing abstraction file with the new rules
- offer the option to remove all rules that are now in the abstraction
  from the main profile ("cleanup" to keep the main profile short and 
  readable). Basically it's the same thing that is already done when 
  adding an abstraction to a profile with logprof.
- The cleanup should also be available as separate command so that it 
  can be run after manual changes in the abstractions.
  Usecase: I'm using an auto-generated abstraction for each apache vhost 
  which for example includes write permissions for 
  It would be pointless if logprof changed one of those abstractions 
  because they are auto-generated (and overwritten if I re-generate 
  them), but I still need to remove rules added to the abstraction from 
  the main profile.


Christian Boltz
I understand German well. But replying in German would make
me look like Trapatonni...    [Jaime Santos in suse-laptop]

More information about the AppArmor mailing list