[apparmor] [opensuse-project] Google Summer of Code'13 accepted student

John Johansen john.johansen at canonical.com
Thu May 30 18:59:47 UTC 2013


On 05/30/2013 11:31 AM, Christian Boltz wrote:
> Hello,
> 
> On Thursday, 30 May 2013, Kshitij Gupta wrote:
>> I believe we can discuss project related specifics on personal mails
>> and not clutter the mailing list. However, when we need reviews or
>> ideas we can get to the mailing list. :-)
> 
> I'd prefer to have everything on the apparmor mailing list.
> We might get more reviews or ideas (even on topics where we don't really 
> expect them ;-) ) and also better and faster answers on questions 
> because more people can answer them.
> 
> Besides that, I wouldn't call it "clutter the mailing list" ;-)
> 
> BTW: The mailing list survived the last set of kernel patches (> 60 mails 
> + replies), so it will also survive GSoC ;-)
> 
>> 1) I'm on openSUSE 12.3 64-bit (x86_64) release. I'm actually looking
>> forward to those bindings. (to see how much they're gonna save me ;-)
> 
> I sent you the packages with private mail some hours ago. Just install 
> them and check what they provide ;-)  (Basically they are just a wrapper 
> around libapparmor.)
> (I hope the packages work with the AppArmor packages from openSUSE 12.3 
> because my version is slightly newer - if something breaks, please tell 
> me and you'll get the complete set of packages.)
> 
> If you have any questions about libapparmor or the python bindings, ask 
> on the mailing list - libapparmor is an area I personally don't really 
> know.
> 
>> 2) From what I understand you wish to store the additions for existing
>> profiles into the local/* . From the README, it seems  the directory
>> was for that purpose (if I'm not mistaken). 
> 
> Correct - the only missing part is support in the utilities, which is 
> now on your list of wanted features ;-)
> 
> Talking about feature ideas - it would be nice to have profile 
> modification scriptable. I'm thinking about something like
> 
>     aa-$toolname --profile "/usr/sbin/httpd2-prefork"  \
>         --addhat "vhost_foo"
>     aa-$toolname --profile "/usr/sbin/httpd2-prefork//vhost_foo"  \
>         --add '/home/foo/httpdocs/** r'
> 
> Can you add this to the "nice-to-have" list?
> 
>> At the time of saving a
>> profile, the user can be presented with the same as an option for the
>> same. Any other way you'd want it implemented?
> 
> A config option (change main profile / write to local / always ask) 
> would be nice to avoid the user getting asked every time he runs logprof. 
> This also implies a commandline switch for logprof to be able to 
> override the config setting.
> 
> Maybe we should also have a way to set different defaults per profile. 
> @John, Seth, Steve: do you think this is necessary? If yes, how would 
> you implement it?
> 
necessary no, nice to have maybe.

Implementation-wise there are a couple of possibilities I can come up
with without really thinking about them, and at the moment I don't really
have an opinion on them.

Perhaps a metatag in a comment stored in the profile. Of course that
might mean modifying the profile which we are trying to avoid with the
local directory because it can make package management cranky.

Or perhaps stored externally from the profile, but that makes it harder
for a user to find and change. Of course you could take the pov that it
should only be changed within the tool.

> 
> I noticed you created https://launchpad.net/~apparmor-profile-tools
> I assume you want to use that as development place, right?
> (and BTW, I changed the title from "dev" to "AppArmor profile tools" ;-)
> 
> @John: is it easily possible to move the code including version history 
> to the apparmor repo later? I'd guess it is, but I'm not familiar enough 
> with bzr...
> 
yes we will just do a merge and get everything



