[apparmor] [patch] aa-mergeprof: honor -d parameter
Kshitij Gupta
kgupta8592 at gmail.com
Mon Aug 4 17:46:45 UTC 2014
Hello,
On Wed, Jul 30, 2014 at 4:01 AM, Christian Boltz <apparmor at cboltz.de> wrote:
> Hello,
>
> On Wednesday, 30 July 2014, Kshitij Gupta wrote:
>> As I remember it is by design to have the first parameter be "your"
>> current profile which will be in the directory specified by -d
>
> Well, the current syntax allows the profile to be anywhere, independent
> of -d ;-)
>
>> (which was not working as expected though) and have it merge with a
>> new base and other profile.
>>
>> Thus the assumption here is you want your merged profile to be in your
>> current directory of profiles (as specified by -d).
>>
>> Do you want to be able to merge just any two profiles from anywhere?
>> The current method uses all the profiles and abstractions from -d
>> directory to process profiles. Without it the merges can vary from
>> system to system in case users have varying abstractions or
>> something.
>
> Good question ;-)
>
> Currently aa-mergeprof merges into the profile given as first parameter,
> wherever that file is.
>
> Maybe it would be a good idea to change the behaviour a bit:
> - always merge to --dir (/etc/apparmor.d/ by default)
> - this also means specifying the merge target (first parameter) is
> superfluous and can/should be removed.
> As a side effect, the usage would be more intuitive because you don't
> need to remember which parameter is the merge target. Just specify
> what you want to pull in, similar to "aa-logprof -f ..."
> - and finally, it would be nice to allow an unlimited number of
> parameters/profiles to merge ;-) (just run a loop over them ;-)
>
I need to check if this will be a trivial change or require some restructuring.
> So basically instead of
> aa-mergeprof /etc/apparmor.d/bin.foo ~/newprofiles/bin.foo
> you could just call
> aa-mergeprof ~/newprofiles/bin.foo
>
> You could even do
> aa-mergeprof ~/newprofiles/*
> to merge all updated profiles into their /etc/apparmor.d/ counterpart.
Interesting use-case. It'd be basically like a large-scale profile update.
>
>
> The only disadvantage is that this won't be a real 3-way merge.
> The most important features of 3-way-merge are:
> - delete rules that were removed in the "upstream"/base profile
> - handle conflicts for *x rules
I think we have most of these features (in some capacity). You've
probably tested the tool more than I have.
> I slightly doubt this is something we need. (If someone disagrees or if
> I forgot an important use case, please speak up ;-)
>
>
> Nevertheless, aa-mergeprof will need a working -d/--dir parameter, so
> please also review my patch ;-)
>
The patch looks good.
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.
Regards,
Kshitij Gupta
>
> Regards,
>
> Christian Boltz
> --
> This is a beginners' list.
> I also want to explain to you why:
> IMHO there is no such thing as a 'Linux pro'.
> [Bernd Obermayr in suse-linux]
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
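The thread above discusses two things: merging every profile given on the command line into its same-named counterpart under --dir, and the two three-way-merge features Christian lists (dropping rules the new upstream removed, and treating conflicting exec rules as something a human has to resolve). The following is an added illustration of those ideas and is not aa-mergeprof's own code or part of the patch under review. It assumes a deliberately simplified rule syntax (one "path perms," rule per line, no rule qualifiers) and models the three sides as base (old upstream), local (the admin's profile under --dir) and new (the updated upstream profile); all sample profiles are constructed.

```python
"""Toy three-way merge of AppArmor-style file rules (added example, not aa-mergeprof)."""
import os
from dataclasses import dataclass, field

# AppArmor exec-transition modes; a rule carrying one of these is an exec rule.
EXEC_MODES = ("ix", "Px", "px", "Cx", "cx", "Ux", "ux")
PERM_ORDER = "mrwlk"  # canonical order used when unioning non-exec permissions


def parse_rules(text):
    """Return {path: perms} from lines such as '/usr/bin/foo Px,'.
    Simplified: comments and blank lines are skipped, paths must not contain spaces."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",").strip()
        if not line:
            continue
        path, _, perms = line.partition(" ")
        rules[path] = perms.strip()
    return rules


def is_exec(perms):
    return any(mode in perms for mode in EXEC_MODES)


def merge_perms(a, b):
    """Union of two non-exec permission strings in canonical order (e.g. 'rw' + 'wk' -> 'rwk')."""
    have = set(a) | set(b)
    ordered = "".join(c for c in PERM_ORDER if c in have)
    return ordered + "".join(sorted(have - set(PERM_ORDER)))


@dataclass
class MergeResult:
    rules: dict
    removed: list = field(default_factory=list)    # rules dropped because upstream removed them
    conflicts: list = field(default_factory=list)  # (path, local_perms, new_perms) needing a human


def merge3(base, local, new):
    """Three-way merge of rule dicts; the caller decides what to do with conflicts."""
    result = dict(local)
    removed, conflicts = [], []
    # Feature 1: rules the new upstream dropped disappear locally too,
    # but only if the admin never touched them (local still equals base).
    for path in base:
        if path not in new and path in local and local[path] == base[path]:
            del result[path]
            removed.append(path)
    # Rules upstream added or changed.
    for path, perms in new.items():
        if path not in local:
            result[path] = perms                      # new upstream rule: take it
        elif local[path] != perms:
            if local[path] == base.get(path):
                result[path] = perms                  # only upstream changed it: take upstream
            elif is_exec(perms) or is_exec(local[path]):
                # Feature 2: both sides changed an exec rule; never guess a transition mode.
                conflicts.append((path, local[path], perms))
            else:
                result[path] = merge_perms(local[path], perms)
    return MergeResult(result, removed, conflicts)


def merge_targets(profile_dir, new_profiles):
    """Proposal from the thread: each given profile merges into --dir/<same file name>."""
    return [(p, os.path.join(profile_dir, os.path.basename(p))) for p in new_profiles]


# Constructed sample profiles (not from any real system).
BASE = """
/usr/bin/helper Px,
/etc/foo.conf r,
/var/log/foo.log w,
/usr/lib/old.so mr,
"""
LOCAL = """
/usr/bin/helper ix,      # admin changed the exec mode
/etc/foo.conf r,
/var/log/foo.log rw,     # admin added read
/usr/lib/old.so mr,
/home/*/.foorc r,        # admin-only rule
"""
NEW = """
/usr/bin/helper Cx,      # upstream also changed the exec mode -> conflict
/etc/foo.conf rw,        # only upstream changed this -> taken
/var/log/foo.log wk,     # both changed, non-exec -> permissions unioned
/usr/bin/newtool Px,     # new upstream rule
"""


def demo():
    return merge3(parse_rules(BASE), parse_rules(LOCAL), parse_rules(NEW))


if __name__ == "__main__":
    r = demo()
    print("removed:", r.removed)
    print("conflicts:", r.conflicts)
    for path, perms in r.rules.items():
        print(f"  {path} {perms},")
```

Running the block drops /usr/lib/old.so, adopts the upstream-only changes, unions the non-exec permissions of /var/log/foo.log and reports /usr/bin/helper as the one exec conflict, which is exactly the case where an automatic merge should stop and ask rather than pick a transition mode.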