[apparmor] GSoC review r30

Christian Boltz apparmor at cboltz.de
Fri Aug 2 23:01:28 UTC 2013 

Hello,

John Johansen wrote:
> On 08/01/2013 02:59 PM, Christian Boltz wrote:

> ### a check if the hat already exists might be useful to avoid duplicate
> hat names (which might get merged on write, but I doubt that's intended
> behaviour)
>
> ### interestingly, the parser does _not_ complain about duplicate hats.
> ### John, is this a bug or intentional?
>
> That should fail, there is an explicit test for this in the parser. And in
> my quick testing I get
>
>   Multiple definitions for hat foo in profile (null) exist,bailing out.
>
> so a bug in the output but the check worked, can you forward an example
> where it is not working correctly

It happened with some "echo $whatever | apparmor_parser -p /dev/stdin"
and checking my bash history showed I accidently deleted the pipe when I
hit the so-called bug. In other words: it works as it should (and I get
the correct error message for duplicate hat names) - sorry for the false
alarm!

> +    # Below is not required I'd say
>
> ### hmm, not sure - John?
>
> +    if not do_include:
> +        for hatglob in cfg['required_hats'].keys():
> +            for parsed_prof in sorted(parsed_profiles):
> +                if re.search(hatglob, parsed_prof):
> +                    for hat in cfg['required_hats'][hatglob].split():
> +                        if not profile_data[parsed_prof].get(hat, False):
> +                            profile_data[parsed_prof][hat] = hasher()
>
> err, I am going to have to get back to you on this one. I need to dive
> in and get more context first

;-)

> ### we should discuss if we want to keep writing in sorted() order (which
> can be helpful, but also annoying)
> ### or if we want to keep the original order of a profile whenever
> possible
> ### (see discussion about writing config files)
> ### -> topic for the next meeting?
>
> I prefer original order when possible, possibly with an option to tell it
> to order and clean up the profile.

Yes, that sounds like a good method, even if it means a bit more work.
(Hint: we already do something similar when writing config files ;-)

For the clean up option - don't read the old profile while writing the new
one ;-)

> Basically it comes down to ordering
> destroys semantic/logical groupings and commenting.

Yes.


Regards,

Christian Boltz
-- 
Chance is irrelevant.  We will succeed.            -- Seven of Nine

More information about the AppArmor mailing list