[apparmor] GSoC Project on new AppArmor profile development tool

Christian Boltz apparmor at cboltz.de
Fri May 3 19:43:15 UTC 2013


Hello,

On Wednesday, 1 May 2013, Seth Arnold wrote:
> On Wed, May 01, 2013 at 05:35:03PM +0200, Christian Boltz wrote:
> > http://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/kshitij8/1

> I've got a handful of concerns; I'm afraid to give them voice, because
> I do not wish to blunt enthusiasm :) 

;-)

> but this plan looks very optimistic.

;-)

> I don't recommend spending much time learning Perl. The densest of our
> Perl code will still be completely unintelligible regardless if
> you've got one week or one month Perl experience. If you've got a
> year, it'd be more approachable, but the complete lack of
> datastructures makes the code readability near zero.

This reminds me of ... - well, see non-random signature ;-)

Indeed - creating some profiles with genprof and logprof (and at the 
same time reading the audit.log and the resulting profile) is the easier 
and probably faster way to understand how genprof and logprof work.

Goal: you should be able to read an audit.log and write a profile in 
$EDITOR - at least for a simple application or script.

Nevertheless, it might be needed to read the code for some details - but 
that should be very targeted at the relevant code section.

> I'd recommend putting the profile repository at the end of the project
> -- I expect the other tools will take more time to work on. 

It is already planned in the last weeks, after the tools are finished, 
so I don't see a big problem here. (Worst case: If writing the tools 
really takes more time, the profile repo part has to be skipped.)

> (You wouldn't want to modify the current tools to do a profile 
> repository, it just wouldn't be fun.)

Nothing is useless - it can still serve as a bad example ;-))

> The repository API may be interesting to review -- if it could be
> found again -- but there was nothing in the API that was especially
> enlightened. (It was just a simple CRUD-style application.)

Reviewing the API could indeed provide some ideas - but given the fact 
that the profile repo has been disabled in the tools for years, creating a 
completely new API won't do any harm or break anything.

> It feels like it'd be nice to have some of the simpler / basic tools
> done 'sooner' than the full merging mechanism -- aa-complain,
> aa-enforce, aa-unconfined, etc., are all pretty handy little tools.
> You'll probably want them along the way. :)

Good point - they are much easier to start with than genprof and 
logprof, and some of them could also serve as a proof that the first 
code parts work.


Regards,

Christian Boltz
-- 
Perl - the only language that looks the same before and after RSA
encryption.                                       -- Keith Bostic


