[apparmor] [PATCH] use -QTK instead of -p in easyprof's verify_policy()

Jamie Strandboge jamie at canonical.com
Mon Jun 9 18:30:01 UTC 2014


Use '-QTK' instead of '-p' in verify_policy(). '-p' only runs the preprocessor
and is not as thorough as '-QTK' (--skip-kernel-load, --skip-read-cache,
--skip-cache) since '-QTK' does a full compile. Like with '-p', '-QTK' can be
run without privilege but it will catch things like conflicting 'x' modifiers
that '-p' won't. The '-QTK' arguments are available at least as far back as
apparmor 2.5.1 (e.g., Ubuntu 10.04 LTS) with easyprof itself added much later, in
2012 (r2040). Note, since using -QTK does a full compile it is significantly
slower than '-p', but that is because it is doing much more. This won't affect
easyprof's primary consumer, click-apparmor, since aa-clickhook skips the
easyprof verification tests (it loads (and therefore verifies) policy in a
separate step).

Unit tests pass with the change.

Acked-By: Jamie Strandboge <jamie at canonical.com>

-- 
Jamie Strandboge                 http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-easyprof-thorough-policy-verify.patch
Type: text/x-patch
Size: 749 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140609/f386c6f8/attachment.bin>
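
The two parser modes compared in the message above, as an added example that is not part of the original post and is not easyprof's own code. The profile name, the helper path, the function names and the fallback parser locations are assumptions made for illustration; the `run` parameter exists only so the check can be exercised without a parser installed.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed sample policy: one path with two different exec modifiers,
# the kind of conflict the message says '-p' misses and '-QTK' catches.
CONFLICTING_PROFILE = """\
profile example-conflict {
  /usr/bin/helper px,
  /usr/bin/helper ux,
}
"""

# '-p' only preprocesses; '-QTK' compiles fully without kernel load or cache.
MODES = {"preprocess": ["-p"], "compile": ["-QTK"]}

def parser_command(parser, mode, path):
    """Build the apparmor_parser argv for the given mode."""
    return [parser] + MODES[mode] + [path]

def find_parser():
    """Locate apparmor_parser; the fallback paths are assumptions."""
    found = shutil.which("apparmor_parser")
    if found:
        return found
    for path in ("/sbin/apparmor_parser", "/usr/sbin/apparmor_parser"):
        if os.access(path, os.X_OK):
            return path
    return None

def check_policy(policy, mode="compile", parser=None, run=subprocess.run):
    """Return (ok, stderr); ok is None when no parser is installed."""
    parser = parser or find_parser()
    if parser is None:
        return None, "apparmor_parser not found"
    with tempfile.NamedTemporaryFile("w", suffix=".profile", delete=False) as tmp:
        tmp.write(policy)
    try:
        proc = run(parser_command(parser, mode, tmp.name),
                   stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True)
        return proc.returncode == 0, proc.stderr.strip()
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for mode in MODES:
        print(mode, check_policy(CONFLICTING_PROFILE, mode))
```

Neither mode loads policy into the kernel, so the script can be run as an unprivileged user on a host with apparmor_parser installed.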