[apparmor] [patch] Make sure aa-cleanprof de-duplicates capability rules
Kshitij Gupta
kgupta8592 at gmail.com
Sun Apr 26 16:31:26 UTC 2015
Hello,
On Sun, Apr 26, 2015 at 12:41 AM, Kshitij Gupta <kgupta8592 at gmail.com>
wrote:
> Hello,
>
> On Wed, Apr 15, 2015 at 12:34 AM, Christian Boltz <apparmor at cboltz.de>
> wrote:
>
>> Hello,
>>
>> Am Montag, 13. April 2015 schrieb Steve Beattie:
>> > On Tue, Apr 14, 2015 at 12:50:26AM +0200, Christian Boltz wrote:
>> > > Am Montag, 13. April 2015 schrieb Steve Beattie:
>> > > > On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote:
>> > > > > CleanProf.remove_duplicate_rules() didn't call
>> > > > >
>> > > > > $profile['capability'].delete_duplicates()
>> > > > >
>> > > > > because aa-cleanprof sets same_file=True.
>> > > > >
>> > > > > Fix this by calling delete_duplicates(None) so that it
>> > > > > only checks the profile against itsself.
>> > > > >
>> > > > > [ 43-cleanprof-do-in-profile-run.diff ]
>> > > > >
>> > > > > === modified file 'utils/apparmor/cleanprofile.py'
>> > > > > --- utils/apparmor/cleanprofile.py 2014-12-16 22:13:25
>> > > > > +0000
>> > > > > +++ utils/apparmor/cleanprofile.py 2015-04-11 22:35:00
>> > > > > +0000
>> > > > > @@ -67,6 +67,8 @@
>> > > > >
>> > > > > #Clean the duplicates of caps in other profile
>> > > > >
>> > > > > if not self.same_file:
>> > > > > deleted +=
>> > > > >
>> > > > >self.other.aa[program][hat]['capability'].delete_duplicates(self.
>> > > > >pro
>> > > > >file.aa[program][hat]['capability'])
>> > > > >
>> > > > > + else:
>> > > > > + deleted +=
>> > > > > self.other.aa[program][hat]['capability'].delete_duplicates(None
>> > > > > )>
>> > > >
>> > > > This patch does not seem to do what you claim it does:
>> > > Did you also apply 42-in-profile-deduplication.diff before testing?
>> > > Without that, there's no in-profile deduplication (removing lines
>> > > covered by includes should work without patch 42).
>> >
>> > I didn't initially (nothing in this patch description called out
>> > that it depended on that one. However, when I tried path 42 without
>> > patch 43 applied, the testing that I did showed that it deleted the
>> > in-profile duplicated capability, so I'm still not clear on why this
>> > patch is necessary.
>>
>> The strange thing is that it's clearly necessary for me - I just tested
>> without it, and it didn't remove in-profile duplicates.
>>
>> Both your test-profile (the one mentioned below) and the one Steve used
> had their duplicate rules removed by the tool in my bzr branch which had I
> pulled afresh from upstream (at revision 3018).
>
> Note: I'm testing on Kubuntu 14.10 with Python 3.4 if that matters.
>
> Upon revisiting the profiles(during discussion over IRC) and disabling the
includes from both profiles, the duplicate rules were _not_ removed from
the profile in both the sample profiles presented.
With the above mentioned patch applied the duplicate rules _were_ removed.
So, the patch looks fine to me and works for me.
Thanks for the patch.
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.
Regards,
Kshitij Gupta
Thanks.
>
> Regards,
>
> Kshitij Gupta
>
>
>
>> Note that I'm testing with all my pending patches applied [1], however I
>> think only patch 42 is related to cleanprof.
>>
>> My test profile:
>>
>> # cat usr.bin.echo
>> /usr/bin/echo {
>> audit capability chown, # drop (1)
>> capability dac_override, # drop
>> deny capability dac_override,
>> capability dac_override, # drop
>> audit capability chown, # drop (2)
>> deny capability chown, # drop
>> audit deny capability chown,
>> capability, # drop
>> audit capability,
>> }
>>
>> Without patch 43, aa-cleanprof doesn't remove any of those rules.
>> With patch 43, aa-cleanprof shrinks the profile to
>>
>> /usr/bin/echo {
>> audit deny capability chown,
>> deny capability dac_override,
>>
>> audit capability,
>> }
>>
>>
>> Regards,
>>
>> Christian Boltz
>>
>> [1] all pending patches means:
>> 30-logparser-change-mask-only-for-path-events.diff
>> 31-enable-testloops-for-nosetests.diff
>> 33-fix-add-to-variable-and-add-tests.diff
>> 35-fix-serialize_profile_from_old_profiles-variable-add.diff
>> 36-fix-crash-in-serialize_profile_from_old_profiles.diff
>> 39-aatest-maxdiff.diff
>> 41-add-baserule-tests.diff
>> 42-in-profile-deduplication.diff
>> 43-cleanprof-do-in-profile-run.diff
>>
>> --
>> > > dank meiner Versionitis verwende ich längst die 10.1 ;-)
>> > Das Spielchen habe ich auch mitgemacht - von 6.0 bis 9.3. Nu reichts,
>> > man soll schließlich arbeiten mit dem Ding.
>> Zum Arbeiten braucht es kein unsupportetes Supplementary!
>> [>>Christian Boltz, > Christian Lepper & Marcus Meissner in suse-laptop]
>>
>>
>> --
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/apparmor
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150426/7d50622e/attachment.html>
More information about the AppArmor
mailing list