[apparmor] [patch] Make sure aa-cleanprof de-duplicates capability rules

Steve Beattie steve at nxnw.org
Tue Apr 14 00:32:40 UTC 2015


On Tue, Apr 14, 2015 at 12:50:26AM +0200, Christian Boltz wrote:
> Hello,
> 
> On Monday, 13 April 2015, Steve Beattie wrote:
> > On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote:
> > > CleanProf.remove_duplicate_rules() didn't call
> > >   $profile['capability'].delete_duplicates()
> > > because aa-cleanprof sets same_file=True.
> > >
> > > Fix this by calling delete_duplicates(None) so that it
> > > only checks the profile against itself.
> > > 
> > > [ 43-cleanprof-do-in-profile-run.diff ]
> > >
> > > === modified file 'utils/apparmor/cleanprofile.py'
> > > --- utils/apparmor/cleanprofile.py      2014-12-16 22:13:25 +0000
> > > +++ utils/apparmor/cleanprofile.py      2015-04-11 22:35:00 +0000
> > > @@ -67,6 +67,8 @@
> > >
> > >              #Clean the duplicates of caps in other profile
> > >              if not self.same_file:
> > >                  deleted +=
> > >self.other.aa[program][hat]['capability'].delete_duplicates(self.pro
> > >file.aa[program][hat]['capability'])
> > > +            else:
> > > +                deleted +=
> > > self.other.aa[program][hat]['capability'].delete_duplicates(None)>
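
Review bot: The added else branch has no comment, and the existing comment above the if ("#Clean the duplicates of caps in other profile") only describes the cross-profile case. Add a comment on the else branch stating that delete_duplicates(None) checks the capability rules only against themselves, and why the call is made on self.other when same_file is set. The description should also say whether this change depends on 42-in-profile-deduplication.diff, and a test using a profile with a duplicated capability rule would show the case this call is needed for.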
> 
> > This patch does not seem to do what you claim it does:
> 
> Did you also apply 42-in-profile-deduplication.diff before testing?
> Without that, there's no in-profile deduplication (removing lines 
> covered by includes should work without patch 42).

I didn't initially (nothing in this patch description called out
that it depended on that one). However, when I tried patch 42 without
patch 43 applied, the testing that I did showed that it deleted the
in-profile duplicated capability, so I'm still not clear on why this
patch is necessary.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/