[apparmor] [PATCH] use -QTK instead of -p in easyprof's verify_policy()
Seth Arnold
seth.arnold at canonical.com
Mon Jun 9 18:33:40 UTC 2014
On Mon, Jun 09, 2014 at 01:30:01PM -0500, Jamie Strandboge wrote:
>
> Use '-QTK' instead of '-p' in verify_policy(). '-p' only runs the preprocessor
> and is not as thorough as '-QTK' (--skip-kernel-load, --skip-read-cache,
> --skip-cache) since '-QTK' does a full compile. Like with '-p', '-QTK' can be
> run without privilege but it will catch things like conflicting 'x' modifiers
> that '-p' won't. The '-QTK' arguments are available at least as far back as
> apparmor 2.5.1 (eg, Ubuntu 10.04 LTS) with easyprof itself added much later, in
> 2012 (r2040). Note, since using -QTK does a full compile it is significantly
> slower than '-p', but that is because it is doing much more. This won't affect
> easyprof's primary consumer, click-apparmor, since aa-clickhook skips the
> easyprof verification tests (it loads (and therefore verifies) policy in a
> separate step).
>
> Unit tests pass with the change.
>
> Acked-By: Jamie Strandboge <jamie at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
>
> --
> Jamie Strandboge http://www.ubuntu.com/
> Author: Jamie Strandboge <jamie at canonical.com>
> Description: use -QTK instead of -p in verify_policy(). '-p' only runs the
> preprocessor and is not as thorough as -QTK (--skip-kernel-load,
> --skip-read-cache, --skip-cache). Like with '-p', '-QTK' can be run without
> privilege but it will catch things like conflicting 'x' modifiers.
>
> Acked-By: Jamie Strandboge <jamie at canonical.com>
> === modified file 'utils/apparmor/easyprof.py'
> --- utils/apparmor/easyprof.py 2014-03-20 05:02:53 +0000
> +++ utils/apparmor/easyprof.py 2014-06-09 18:08:34 +0000
> @@ -279,7 +279,7 @@
> os.write(f, policy)
> os.close(f)
>
> - rc, out = cmd([exe, '-p', fn])
> + rc, out = cmd([exe, '-QTK', fn])
> os.unlink(fn)
> if rc == 0:
> return True
>
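Review bot: The clustered short options in the changed call `cmd([exe, '-QTK', fn])` are opaque to anyone reading verify_policy() without the commit message. Add a one-line comment above it that names the long forms given in the description (--skip-kernel-load, --skip-read-cache, --skip-cache) and states that this is a full compile that neither loads policy into the kernel nor touches the cache, or pass the long options directly in the argument list. Separately, the visible context only tests `rc == 0`. Since the point of the switch is to catch errors such as conflicting 'x' modifiers, it is worth confirming that `out` reaches the caller on the failure path so the parser's diagnostic is not discarded. The description also says the full compile is significantly slower than '-p', which deserves a mention in the function's documentation for callers that verify many policies.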