[apparmor] [patch] aa-mergeprof: honor -d parameter

Kshitij Gupta kgupta8592 at gmail.com
Tue Jul 29 20:44:28 UTC 2014


Hello,

On Jul 29, 2014 4:39 PM, "Christian Boltz" <apparmor at cboltz.de> wrote:
>
> Hello,
>
> while testing aa-mergeprof, I noticed that the -d/--dir parameter is
> ignored. This means the tempfile is created in /etc/apparmor.d, which
> breaks if args.merged is on another partition or aa-mergeprof is run as
> user.
>
> This is a 90% fix - it works in most cases, but still can break if
> the "merged" profile (first parameter) is in a different directory or
> partition than what is specified in --dir.
>

As I remember it is by design to have the first parameter be "your" current
profile which will be in the directory specified by -d (which was not
working as expected though) and have it merge with a new base and other
profile.

Thus the assumption here is you want your merged profile to be in your
current directory of profiles (as specified by -d).

Do you want to be able to merge just any two profiles from anywhere? The
current method uses all the profiles and abstractions from -d directory to
process profiles. Without it the merges can vary from system to system in
case users have varying abstractions or something.

Regards,

Kshitij Gupta

> We should probably change write_profile() (in aa.py) - instead of
>     newprof = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, dir=profile_dir)
> it should use the dirname of prof_filename for dir=
>
>
> === modified file 'utils/aa-mergeprof'
> --- utils/aa-mergeprof  2014-07-27 22:24:26 +0000
> +++ utils/aa-mergeprof  2014-07-29 10:34:06 +0000
> @@ -14,6 +14,7 @@
>  # ----------------------------------------------------------------------
>  import argparse
>  import re
> +import os
>
>  import apparmor.aa
>  import apparmor.aamode
> @@ -24,0 +25,0 @@
>
>  profiles = [args.mine, args.base, args.other]
>
> +profiledir = args.dir
> +if profiledir:
> +    apparmor.aa.profile_dir = apparmor.aa.get_full_path(profiledir)
> +    if not os.path.isdir(apparmor.aa.profile_dir):
> +        raise apparmor.AppArmorException(_("%s is not a directory.")
%profiledir)
> +
>
>  def main():
>      mergeprofiles = Merge(profiles)
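
Review bot: In the block added before main(), apparmor.aa.profile_dir is overwritten before os.path.isdir() tests it, so an invalid --dir leaves the module-level setting pointing at a non-directory when the exception is raised. Resolve the path into a local variable, test that, and assign to apparmor.aa.profile_dir only on success. The check also sits at module level rather than inside main(), so the AppArmorException is raised while the script is still loading; moving it into main() keeps argument validation with the rest of the program flow. The message interpolates the raw profiledir rather than the resolved path, which makes a failure on a relative path harder to diagnose.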
>
>
>
> Regards,
>
> Christian Boltz
> --
> If someone complains afterwards, "The picture is hanging now, but
> I have a hole in the wall and a nail is sticking out...", then I
> seriously doubt whether it was such a good idea for that person to be
> handed a hammer and nail. [Igor Sverkos in postfixbuch-users]
>
>
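
The change suggested above for write_profile(), creating the temp file in the directory of the file being written instead of in profile_dir, sketched as an added example (not code from aa.py or from this thread). `write_atomic`, `same_filesystem` and `demo` are hypothetical names, and moving the temp file into place with `os.replace` is an assumption about the final step.

```python
import os
import tempfile


def write_atomic(dest_path, content, mode=0o600):
    """Write content to dest_path via a temp file in dest_path's own directory."""
    dest_path = os.path.abspath(dest_path)
    dest_dir = os.path.dirname(dest_path)
    # dir= is the destination's directory, not a global profile directory, so the
    # final rename never crosses a filesystem boundary (which fails with EXDEV).
    tmp = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, dir=dest_dir)
    try:
        with tmp:
            tmp.write(content)
            tmp.flush()
            os.fsync(tmp.fileno())
        # Temp files are created 0600; set the intended mode explicitly.
        os.chmod(tmp.name, mode)
        os.replace(tmp.name, dest_path)  # atomic on POSIX within one filesystem
    except BaseException:
        # Do not leave a stray "...~" file behind if anything failed.
        if os.path.exists(tmp.name):
            os.unlink(tmp.name)
        raise
    return dest_path


def same_filesystem(path_a, path_b):
    """True when both paths live on the same device, i.e. rename() can work."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def demo():
    # Constructed sample: a throwaway directory stands in for the profile's location.
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "usr.bin.example")
        write_atomic(target, "# constructed sample profile\n")
        write_atomic(target, "# constructed sample profile, merged\n")
        with open(target) as fh:
            body = fh.read()
        leftovers = [n for n in os.listdir(workdir) if n.endswith("~")]
        return body, leftovers, same_filesystem(workdir, target)


if __name__ == "__main__":
    print(demo())
```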