[apparmor] GSoC Project on new AppArmor profile development tool
Christian Boltz
apparmor at cboltz.de
Fri May 3 19:43:15 UTC 2013
Hello,
On Wednesday, 1 May 2013, Seth Arnold wrote:
> On Wed, May 01, 2013 at 05:35:03PM +0200, Christian Boltz wrote:
> > http://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/kshitij8/1
> I've got a handful of concerns; I'm afraid to give them voice, because
> I do not wish to blunt enthusiasm :)
;-)
> but this plan looks very optimistic.
;-)
> I don't recommend spending much time learning Perl. The densest of our
> Perl code will still be completely unintelligible regardless if
> you've got one week or one month Perl experience. If you've got a
> year, it'd be more approachable, but the complete lack of
> datastructures makes the code readability near zero.
This reminds me of ... - well, see non-random signature ;-)
Indeed - creating some profiles with genprof and logprof (and at the
same time reading the audit.log and the resulting profile) is the easier
and probably faster way to understand how genprof and logprof work.
Goal: you should be able to read an audit.log and write a profile in
$EDITOR - at least for a simple application or script.
Nevertheless, it might be needed to read the code for some details - but
that should be very targeted at the relevant code section.
> I'd recommend putting the profile repository at the end of the project
> -- I expect the other tools will take more time to work on.
It is already planned in the last weeks, after the tools are finished,
so I don't see a big problem here. (Worst case: If writing the tools
will really take more time, the profile repo part has to be skipped.)
> (You wouldn't want to modify the current tools to do a profile
> repository, it just wouldn't be fun.)
Nothing is useless - it can still serve as a bad example ;-))
> The repository API may be interesting to review -- if it could be
> found again -- but there was nothing in the API that was especially
> enlightened. (It was just a simple CRUD-style application.)
Reviewing the API could indeed provide some ideas - but given the fact
that the profile repo has been disabled in the tools for years, creating a
completely new API won't do any harm or break anything.
> It feels like it'd be nice to have some of the simpler / basic tools
> done 'sooner' than the full merging mechanism -- aa-complain,
> aa-enforce, aa-unconfined, etc., are all pretty handy little tools.
> You'll probably want them along the way. :)
Good point - they are much easier to start with than genprof and
logprof, and some of them could also serve as a proof that the first
code parts work.
Regards,
Christian Boltz
--
Perl - the only language that looks the same before and after RSA
encryption. -- Keith Bostic