Hello,
Am Montag, 13. April 2015 schrieb Steve Beattie:
> On Tue, Apr 14, 2015 at 12:50:26AM +0200, Christian Boltz wrote:
> > Am Montag, 13. April 2015 schrieb Steve Beattie:
> > > On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote:
> > > > CleanProf.remove_duplicate_rules() didn't call
> > > >
> > > > $profile['capability'].delete_duplicates()
> > > >
> > > > because aa-cleanprof sets same_file=True.
> > > >
> > > > Fix this by calling delete_duplicates(None) so that it
> > > > only checks the profile against itsself.
> > > >
> > > > [ 43-cleanprof-do-in-profile-run.diff ]
> > > >
> > > > === modified file 'utils/apparmor/cleanprofile.py'
> > > > --- utils/apparmor/cleanprofile.py 2014-12-16 22:13:25
> > > > +0000
> > > > +++ utils/apparmor/cleanprofile.py 2015-04-11 22:35:00
> > > > +0000
> > > > @@ -67,6 +67,8 @@
> > > >
> > > > #Clean the duplicates of caps in other profile
> > > >
> > > > if not self.same_file:
> > > > deleted +=
> > > >
> > > >self.other.aa[program][hat]['capability'].delete_duplicates(self.
> > > >pro
> > > >file.aa[program][hat]['capability'])
> > > >
> > > > + else:
> > > > + deleted +=
> > > > self.other.aa[program][hat]['capability'].delete_duplicates(None
> > > > )>
> > >
> > > This patch does not seem to do what you claim it does:
> > Did you also apply 42-in-profile-deduplication.diff before testing?
> > Without that, there's no in-profile deduplication (removing lines
> > covered by includes should work without patch 42).
>
> I didn't initially (nothing in this patch description called out
> that it depended on that one. However, when I tried path 42 without
> patch 43 applied, the testing that I did showed that it deleted the
> in-profile duplicated capability, so I'm still not clear on why this
> patch is necessary.
The strange thing is that it's clearly necessary for me - I just tested
without it, and it didn't remove in-profile duplicates.
Note that I'm testing with all my pending patches applied [1], however I
think only patch 42 is related to cleanprof.
My test profile:
# cat usr.bin.echo
/usr/bin/echo {
audit capability chown, # drop (1)
capability dac_override, # drop
deny capability dac_override,
capability dac_override, # drop
audit capability chown, # drop (2)
deny capability chown, # drop
audit deny capability chown,
capability, # drop
audit capability,
}
Without patch 43, aa-cleanprof doesn't remove any of those rules.
With patch 43, aa-cleanprof shrinks the profile to
/usr/bin/echo {
audit deny capability chown,
deny capability dac_override,
audit capability,
}
Regards,
Christian Boltz
[1] all pending patches means:
30-logparser-change-mask-only-for-path-events.diff
31-enable-testloops-for-nosetests.diff
33-fix-add-to-variable-and-add-tests.diff
35-fix-serialize_profile_from_old_profiles-variable-add.diff
36-fix-crash-in-serialize_profile_from_old_profiles.diff
39-aatest-maxdiff.diff
41-add-baserule-tests.diff
42-in-profile-deduplication.diff
43-cleanprof-do-in-profile-run.diff
--
> > dank meiner Versionitis verwende ich längst die 10.1 ;-)
> Das Spielchen habe ich auch mitgemacht - von 6.0 bis 9.3. Nu reichts,
> man soll schließlich arbeiten mit dem Ding.
Zum Arbeiten braucht es kein unsupportetes Supplementary!
[>>Christian Boltz, > Christian Lepper & Marcus Meissner in suse-laptop]