[apparmor] Changing null learning profile name and behavior

Wed Nov 19 03:43:39 UTC 2014

On 11/18/2014 05:59 PM, John Johansen wrote:
> So this was brought up again today, which reminded me of a patch I have
> been working on that changes the behavior of complain/learning mode
> around the null profile.
> 
> Currently when in complain/learning mode if an exec is done to an
> application that does not have a match an existing rule, a new subprofile
> is created with the name
> 
>   null-XXXX 
> 
> where XXXX is a unique number.
> 
> The exec transition is logged and subsequent accesses by the task are
> logged via the new name. So for example if the exec was done from profA
> the new learning profile would be named
> 
>   profA//null-XXXX
> 
> if the task confined by the profA//null-XXXX profile subsequently does
> an exec it will create a new subprofile
> 
>   profA//null-XXXX//null-YYYY
> 
> and logging will continue under this name.
> 
> This scheme had the advantage of keeping a name hierarchy and keeping
> the profile names relatively small, but it also has a couple of
> disadvantages. It looses the executable name of the application and if
> a task execs the same application multiple times each of those
> executions get a unique null-XXXX profile. Both of which make logs
> harder to understand, and in kernel duplicate error elimination less
> useful.
> 
> The patch proposes to change how the null tracking profiles are named.
> Instead of using a uniq XXXX for the profile name, it will be created
> with a name based on the application name, and if for some reason this
> name is too long the profile will fall back to the null-XXXX scheme
> 
> eg. if /bin/foo is executed from profA this will create a profile named
> 
>   /bin/foo//null-/bin/baz
> 
> and if this profile execs app /bin/bar the null sub profile would be
> 
>   /bin/foo//null-/bin/baz//null-/bin/bar
> 
> The null- prefix is retained as a hint that a given profile is a null
> learning profile (nice for human inspection of policy), and also for
> consistency with the fallback.
> 
> We could drop the use of the null- prefix for the case where the
> application name is used but I think keeping the null- prefix has value.
> 
> Any objections to the change?
> 
I think this is a fantastic idea. My only question is around the userspace tools
handling the change, but others will certainly have more informed questions.

-- 
Jamie Strandboge                 http://www.ubuntu.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20141118/3198a249/attachment.pgp>