[apparmor] GSoC review r68 and r69
Christian Boltz
apparmor at cboltz.de
Sat Sep 21 22:43:52 UTC 2013
Hello,
the review for r68 is attached - it contains some small issues and a
set of fresh bugs I found while doing some tests.
r69 passed my review without complaints ;-)
@John (and whoever else wants to answer)
I also have an interesting question about the behaviour of
aa-audit /bin/ping
The profile starts with
/{usr/,}bin/ping {
so it's, strictly speaking, two profiles in one.
The interesting question is what the correct behaviour is because
besides setting the profile for /bin/ping to audit mode (expected)
it would also set the profile for /usr/bin/ping to audit mode (not expected)
OTOH, the current behaviour of aa-audit (error message saying that
/bin/ping does not exist) also is not expected and will terribly confuse
users.
What should "aa-audit /bin/ping" do in this case?
(aa-audit is just an example - the same question applies to all aa-* tools
that change profile flags.)
Regards,
Christian Boltz
--
> which camera is this?
Marcus, this is my bug :)
[Marcus Meissner and Stephan Kulow in
https://bugzilla.novell.com/show_bug.cgi?id=217731]
-------------- next part --------------
------------------------------------------------------------
revno: 68
committer: Kshitij Gupta <kgupta8592 at gmail.com
branch nick: apparmor-profile-tools
timestamp: Sat 2013-09-21 12:36:51 +0530
message:
Fixed flag reader and writer to be able to set unset flag for a specific
target program also fixed tests for mini tools to be independent of existence
of ntpd
=== modified file 'Tools/aa-complain'
--- Tools/aa-complain 2013-09-19 05:02:19 +0000
+++ Tools/aa-complain 2013-09-21 07:06:51 +0000
@@ -11,5 +11,5 @@
complain = apparmor.tools.aa_tools('complain', args)
-
+print(args)
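Review bot: the added `print(args)` in Tools/aa-complain dumps the parsed command-line arguments to stdout on every run of a user-facing tool; it reads as leftover debugging output, so drop it (or put it behind a verbose/debug switch) before this lands.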
# debugging code?
=== modified file 'apparmor/aa.py'
--- apparmor/aa.py 2013-09-20 19:38:34 +0000
+++ apparmor/aa.py 2013-09-21 07:06:51 +0000
-def get_profile_flags(filename):
+def get_profile_flags(filename, program):
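Review bot: get_profile_flags now takes a second positional parameter, so every caller that still passes only `filename` (such as the `apparmor.get_profile_flags(profile_filename)` call in Tools/aa-genprof) will fail with a TypeError at runtime; update those call sites in the same commit, and document what `program` is expected to hold (the profile name as written in the header, or the program path?), because the two differ for a header such as `/{usr/,}bin/ping`.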
# To-Do
# XXX If more than one profile in a file then second one is being ignored XXX
# Do we return flags for both or
# with the change below, the To-Do seems solved
# you'll also need to fix
# Tools/aa-genprof: apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename)
# to use two parameters
@@ -564,13 +564,17 @@
with open_file_read(filename) as f_in:
for line in f_in:
if RE_PROFILE_START.search(line):
- flags = RE_PROFILE_START.search(line).groups()[6]
- return flags
+ matches = RE_PROFILE_START.search(line).groups()
+ profile = matches[1] or matches[3]
+ flags = matches[6]
+ if profile == program:
+ return flags
raise AppArmorException(_('%s contains no profile')%filename)
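Review bot: `if profile == program:` compares the header's profile name literally with the requested program, so a header such as `/{usr/,}bin/ping` never matches a lookup for `/bin/ping` (or `/usr/bin/ping`) and the function falls through to the exception although the file does contain a profile; match after expanding the `{a,b}` alternation in the profile name (or match the program path against the name as a glob) instead of using string equality. Two smaller points: `matches[1] or matches[3]` depends on group positions in RE_PROFILE_START, which is brittle (named groups would make the intent readable), and the message `'%s contains no profile'` is now misleading when the file has profiles but none for `program`; include the program in the message.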
# with the above change, the error message should probably be
# '%(filename)s contains no profile for %(program)s'
-def change_profile_flags(filename, flag, set_flag):
- old_flags = get_profile_flags(filename)
+def change_profile_flags(filename, program, flag, set_flag):
+ old_flags = get_profile_flags(filename, program)
+ print(old_flags)
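Review bot: `print(old_flags)` is debugging output left in change_profile_flags (most likely what prints the stray `None` after "Setting /{usr/,}bin/ping to audit mode." in the aa-audit run below); remove it. The new signature (filename, program, flag, set_flag) also needs every existing three-argument caller updated, otherwise those calls raise a TypeError for the missing `set_flag`.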
# debugging code?
# Testing results:
# logprof doesn't expand aliases correctly:
# (sorry for the german parts, but I'm quite sure you'll understand what is happening ;-)
Profile: /{usr/,}bin/ping
Path: /home/sys-var/run/nscd/dbVSXZwf
Mode: r
Severity: 4
[1 - /home/sys-var/run/nscd/dbVSXZwf]
2 - /home/*/run/nscd/dbVSXZwf
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
Enter new path: /var/run/nscd/db*
The specified path does not match this log entry:
Log Entry: /home/sys-var/run/nscd/dbVSXZwf
Entered Path: /var/run/nscd/db*
Do you really want to use this path?
(Y)es / [(N)o]
Profile: /{usr/,}bin/ping
Path: /home/sys-var/run/nscd/dbVSXZwf
Mode: r
Severity: 4
1 - /home/sys-var/run/nscd/dbVSXZwf
2 - /home/*/run/nscd/dbVSXZwf
[3 - /var/run/nscd/db*]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
Adding /var/run/nscd/db* r to profile
Profile: /{usr/,}bin/ping
Path: /home/sys-var/run/nscd/dbwvkZpy
Mode: r
Severity: 4
# # cat /etc/apparmor.d/tunables/alias
# alias /var/ -> /home/sys-var/,
# alias /tmp/ -> /home/sys-tmp/,
#
# -> logprof should not ask about /home/sys-var/run/nscd/dbwvkZpy because it's covered by /var/run/nscd/db* (with the alias applied)
#
# in fact, it should not ask for /home/sys-var/run/nscd/db* at all because the /bin/ping profile includes abstractions/nameservice
# which already contains /{,var/}run/nscd/db* rmix,
# let's write one of the changed profiles...
= Changed Local Profiles =
The following local profiles were changed. Would you like to save them?
[1 - /home/cb/bin/lj_make_galerie.sh]
2 - /usr/lib/Adobe/Reader9/Reader/intellinux/bin/acroread
3 - /{usr/,}bin/ping
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
# pressed 't'
Writing updated profile for /home/cb/bin/lj_make_galerie.sh.
Traceback (most recent call last):
File "aa-logprof", line 29, in <module>
apparmor.do_logprof_pass(logmark)
File "/usr/lib/python2.7/site-packages/apparmor/aa.py", line 2212, in do_logprof_pass
save_profiles()
File "/usr/lib/python2.7/site-packages/apparmor/aa.py", line 2283, in save_profiles
changed.pop(profile_name)
KeyError: '/home/cb/bin/lj_make_galerie.sh'
# and another evil testcase:
# python3 Tools/aa-audit -d Testing/profiles /bin/ping
/bin/ping does not exist, please double-check the path.
# The error message is wrong - it should say "A profile for /bin/ping does not exist, ..."
# (the file /bin/ping exists on my system)
# and of course I shouldn't even see the error message because...
# cat Testing/profiles/bin.ping
[...]
#include <tunables/global>
/{usr/,}bin/ping {
[...]
# looks like you don't handle {x,y} in the profile name yet
#
# confirmed by:
# python3 Tools/aa-audit -d Testing/profiles '/{usr/,}bin/ping'
Setting /{usr/,}bin/ping to audit mode.
None
# This is an interesting question about what is the correct behaviour because
# besides setting the profile for /bin/ping to audit mode (expected)
# it would also set the profile for /usr/bin/ping to audit mode (not expected)
# OTOH, the error message also is not expected and will confuse users.
# (you should also add some testcases in Testing/minitools_test.py for /bin/ping
# and /usr/bin/ping after we decided about the wanted behaviour)
vim:ft=diff
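The brace-alternation problem raised in the mail and in the aa-audit test above (a header /{usr/,}bin/ping that stands for both /bin/ping and /usr/bin/ping), worked through as an added example in Python. This is not code from the apparmor-profile-tools branch or from the patch under review. Assumed for the example: only {a,b} alternation is expanded (no * or ** globbing), PROFILE_START is a simplified header pattern written for this example rather than the project's RE_PROFILE_START, and SAMPLE_PROFILE is a constructed profile file.

```python
# Added example, not AppArmor project code: resolve a program path such as
# /bin/ping to the profile whose header is /{usr/,}bin/ping by expanding the
# {a,b} alternations allowed in profile names, then look up that profile's
# flags.  Only brace alternation is handled here, not * / ** globbing.
import re


def split_top_level(text):
    """Split text on commas that are not nested inside further braces."""
    parts, current, depth = [], '', 0
    for ch in text:
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(current)
            current = ''
        else:
            current += ch
    parts.append(current)
    return parts


def expand_braces(pattern):
    """Expand the first top-level {a,b,...} group and recurse on each result,
    so nested groups and several groups in one name are handled.
    '/{usr/,}bin/ping' -> ['/usr/bin/ping', '/bin/ping']"""
    depth, start = 0, None
    for i, ch in enumerate(pattern):
        if ch == '{':
            if depth == 0:
                start = i
            depth += 1
        elif ch == '}' and depth > 0:
            depth -= 1
            if depth == 0:
                head, inner, tail = pattern[:start], pattern[start + 1:i], pattern[i + 1:]
                expanded = []
                for alternative in split_top_level(inner):
                    expanded.extend(expand_braces(head + alternative + tail))
                return expanded
    return [pattern]          # no balanced group left: a plain path


def profile_covers(profile_name, program):
    """True if program is one of the paths the profile name stands for."""
    return program in expand_braces(profile_name)


# Simplified header (assumed, not the project's RE_PROFILE_START):
#   [profile] name [attachment] [flags=(...)] {
PROFILE_START = re.compile(
    r'^\s*(?:profile\s+)?(?P<name>"[^"]+"|\S+)'     # profile name
    r'(?:\s+(?P<attachment>"[^"]+"|/\S*))?'         # optional attachment path
    r'(?:\s+(?:flags=)?\((?P<flags>[^)]*)\))?'     # optional flags=(...)
    r'\s*\{\s*$')


def find_profile_flags(profile_text, program):
    """Return (header_name, flags) of the profile covering program, or raise a
    LookupError that names the program, so a tool can report 'no profile for
    /bin/ping' rather than '/bin/ping does not exist'."""
    for line in profile_text.splitlines():
        if line.lstrip().startswith('#'):
            continue                       # comments and #include lines
        match = PROFILE_START.match(line)
        if not match:
            continue
        name = match.group('name')
        attachment = match.group('attachment')
        covered_by = (attachment or name).strip('"')
        if profile_covers(covered_by, program):
            return name, match.group('flags')
    raise LookupError('no profile for %s in this file' % program)


def programs_sharing_profile(profile_text, program):
    """All program paths whose flags change together with program's, because
    they share one header (the /bin/ping vs /usr/bin/ping side effect)."""
    name, _flags = find_profile_flags(profile_text, program)
    return expand_braces(name.strip('"'))


# Constructed sample profile file for this example.
SAMPLE_PROFILE = """\
#include <tunables/global>
/{usr/,}bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  /{,var/}run/nscd/db* rmix,
}
/usr/sbin/ntpd {
  #include <abstractions/base>
}
"""

if __name__ == '__main__':
    for program in ('/bin/ping', '/usr/bin/ping', '/usr/sbin/ntpd'):
        name, flags = find_profile_flags(SAMPLE_PROFILE, program)
        print('%s -> profile %s, flags %s, also covers %s' % (
            program, name, flags, programs_sharing_profile(SAMPLE_PROFILE, program)))
```

programs_sharing_profile() makes the side effect from the mail explicit: /bin/ping and /usr/bin/ping are one header, so a flag change for either necessarily affects both, and a tool such as aa-audit could list those paths to the user before rewriting the header instead of reporting that /bin/ping does not exist.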