[apparmor] [patch] Allow aa-complain etc. to change profiles for non-existing binaries

Steve Beattie steve at nxnw.org
Thu Jun 4 01:42:53 UTC 2015 

On Mon, May 25, 2015 at 05:44:20PM +0200, Christian Boltz wrote:
> aa-complain, aa-enforce, aa-disable and aa-audit refused to change
> profiles for non-existing binaries. This patch also allows paths
> starting with /. This also makes it possible to use
>     aa-complain '/{usr/,}bin/ping'
> and
>     aa-complain /etc/apparmor.d/bin.ping
> 
> 
> This patch fixes https://bugs.launchpad.net/apparmor/+bug/1416346
> 
> [ 36-allow-aa-complain-for-non-existing-binary.diff ]

Acked-by: Steve Beattie <steve at nxnw.org>

> Well, mostly - we still need to decide how we handle wildcards in
> profile names:
>     aa-complain ping
>     aa-complain /usr/bin/ping
> will still error out with "Profile not found" because it isn't an exact
> match (and matching the wildcard would change more than the user wants).
> 
> Any opinions how to handle this?

At some point we need to write a general function that takes an apparmor path
regex and converts it into a python re object, such that we can then
test a given string against it and get the answer to whether or not it
matches -- it would be useful in many locations (this issue, aa-status
detecting whether a policy should apply, etc.).

Once we had that, a possible solution would be to apply the change
above to a regex applied profile if that profile is the only one to
apply to that binary; if a non-regex match and a regex match would
both apply, update the non-regex one (since I believe that's the
one the kernel will prefer); if multiple regex matches apply then
perhaps an error is in order, but I've forgotten the semantics of
kernel behavior there.

> Oh, and this patch also fixes the last failure in minitools_test.py.
> (Should we rename it to test-minitools.py to include it in "make check"?)

I get seven failures with minitools_test.py unless I have pre-run make
in the profiles directory.

It should be using a temp dir per-test. to populate profiles into,
rather than CWD (you added infrastructure to common_test.py to make
this relatively painless), in no small part to ensure that the tests
independent of each other (ensuring that a failure in one test case to
change the state of a profile doesn't cause another test case to fail).

The calls to subprocess.check_output() should not need to use a shell.
Although, taking the cmd() function from test-aa-decode.py might be
preferred, as the output from the cmd can be reported in the test
failure, rather than just going to stderr (would need to catch
the subprocess.CalledProcessError exception to do the same with
subprocess.check_output()).

It has the same issue as test-aa.py, in that the import of aa.py
fails if /etc/apparmor is not populated. This prevents make check from
being run as part of a bootstrapping build process where portions of
apparmor have not already been installed.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150603/0ae33b4f/attachment.pgp>

More information about the AppArmor mailing list