[apparmor] [patch] aa-mergeprof: honor -d parameter

Christian Boltz apparmor at cboltz.de
Mon Aug 4 21:05:23 UTC 2014 

Hello,

Am Montag, 4. August 2014 schrieb Kshitij Gupta:
> On Wed, Jul 30, 2014 at 4:01 AM, Christian Boltz wrote:
> > Am Mittwoch, 30. Juli 2014 schrieb Kshitij Gupta:
...
> >> The current method uses all the profiles and abstractions from -d
> >> directory to process profiles. Without it the merges can vary from
> >> system to system in case users have varying abstractions or
> >> something.
> > 
> > Good question ;-)
> > 
> > Currently aa-mergeprof merges into the profile given as first
> > parameter, whereever that file is.
> > 
> > Maybe it would be a good idea to change the behaviour a bit:
> > - always merge to --dir (/etc/apparmor.d/ by default)
> > - this also means specifying the merge target (first parameter) is
> > 
> >   superfluous and can/should be removed.
> >   As a side effect, the usage would be more intuitive because you
> >   don't
> >   need to remember which parameter is the merge target. Just specify
> >   what you want to pull in, similar to "aa-logprof -f ..."
> > 
> > - and finally, it would be nice to allow an unlimited number of
> >   parameters/profiles to merge ;-)  (just run a loop over them ;-)
> 
> I need to check if this will be a trivial change or require some
> restructuring.

Some restructuring will be needed, but it doesn't look too difficult ;-)

Basically you'll need to search for all
    if merge_mode == 3
and replace them with a loop over all arguments ;-)

> > You could even do
> > 
> >     aa-mergeprof ~/newprofiles/*
> > 
> > to merge all updated profiles into their /etc/apparmor.d/
> > counterpart.
> Interesting use-case. It'd be basically like a large-scale profile
> update.

My usecase is:

I have several (web/mail/database/...) servers running, all with a very 
similar setup, and want to merge all their profiles (and later re-
distribute them to all servers).

As a side effect, this could also result in some profile updates in the 
AppArmor bzr repo ;-)

> > The only disadvantage is that this won't be a real 3-way merge.
> > The most important features of 3-way-merge are:
> > - delete rules that were removed in the "upstream"/base profile
> > - handle conflicts for *x rules
> 
> I think we have most of these features (in some capacity). You've
> probably tested the tool more than I have.

Maybe, but my tests were mostly about simple merges - I'm interested in 
adding all rules one of the involved profiles has to the merged profile, 
not in removing something.

> > I slightly doubt this is something we need. (If someone disagrees or
> > if I forgot an important usecase, please speak up ;-)

(Nobody?)

> > Nevertheless, aa-mergeprof will need a working -d/--dir parameter,
> > so
> > please also review my patch ;-)
> 
> The patch looks good.
> 
> Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.

Thanks!


Regards,

Christian Boltz
-- 
>... Bücher sind ein grässliches Medium ...
Ich schätze daran die leichte Portierbarkeit vom Sofa ins Bett.
[Bjoern Hoehrmann und Peter Bieling in dciwam]

More information about the AppArmor mailing list