[apparmor] [opensuse-project] Google Summer of Code'13 accepted student

John Johansen john.johansen at canonical.com
Mon Jun 3 20:30:38 UTC 2013

On 06/01/2013 12:12 PM, Kshitij Gupta wrote:
> Hello,
> I'm awaiting an approval for my wiki.apparmor account, meanwhile I've decided to start off with registering the ideas as blueprint on the launchpad page.
done if you haven't already discovered it

> @Christian, about saving the changes idea, do you propose a method to add a line to the profiles specifying the switch to use (save to profile/add to local/always ask) ? That could be done by simply adding a top line to each profile (maybe in a comment?), that way we dont mess with the profile and if the profile has no option we get to the default.
> Also, could you elaborate on:
>> Talking about feature ideas - it would be nice to have profile
>> modification scriptable. I'm thinking about something like
>>    aa-$toolname --profile "/usr/sbin/httpd2-prefork"  \
>>        --addhat "vhost_foo"
>>    aa-$toolname --profile "/usr/sbin/httpd2-prefork//
>> vhost_foo"  \
>>        --add '/home/foo/httpdocs/** r'
> I understand you wish to allow the user to pass entries to the profile via the command line. Now, which tool could be used for this purpose (aa-genprof or aa-easyprof?) ? and what if the user entry contradicts a previous entry? and does the tool execute after appending the profile attribute to file or does it exit with a success or failure message?
not easyprof, which is a templating tool and is supposed to be a higher level view

genprof? maybe? but my guess would be a new little cmdline front end to the shared library

generally I would think if the profile that is being edited is believed* to be loaded then it should try loading/updating the active policy unless instructed not to do so. This is the same behavior as genprof which reloads the profile after its done a run

If the entry contradicts a previous entry? Well there are only a few cases of actual conflict in policy because of rule precedence. However if there is a conflict it should be reported as an error. It might also be nice to report (warn) when an entry overlaps with another rules that makes it unnecessary (whether its completely coverd by another rule, or discarded because of a deny rule).

If there is an error it should exit with an error and a message to stderr

> After I wrote the above part did I notice that John had said something similar regarding the metatag in comments. And Seth had suggested aa-easyprof for the tool to use.
not easyprof at least not at this level. easyprof would be for a higher level add graphics, and sound, add ...

> As, Seth mentioned there is a default set of profiles and then there are the user-generated/modified profiles. Now, we could provide for a separate place to store the user generated/modified profiles and keep the default ones intact. Sometimes, the user generated profiles may screw up. (I ended up messing up my Firefox profile while playing with aa-genprof as a consequence to which my Firefox would never start-up).
Hrmmm, so there are several thoughts on this and lets say opinions differ

Having a way to specify a fall back if the current profile fails to compile may be worth while but realistically it should almost never be needed. When developing policy you have to compile it before it can be loaded, and while developing the old version remains in tact, and functioning in the kernel. So the only times that a local edit that fails to compile should cause problems is if you shutdown or the machine crashes while the local version is being edited.

Now as to how to edit/store local versions vs just dumping some additions to the current profile in a local dir. That is a packaging debate that I don't think you will be able to resolve this summer :/

More information about the AppArmor mailing list