[apparmor] Hat declarations

Christian Boltz apparmor at cboltz.de
Sun Jun 7 12:14:23 UTC 2015


On Saturday, 6 June 2015, John Johansen wrote:
> On 06/06/2015 05:17 PM, Christian Boltz wrote:
> > are hat declarations like
> > 
> > /foo {
> >   ^hat,
> > }
> > 
> > still allowed/valid? The tools accept them, but the 2.9.2 parser
> > errors out with   unexpected TOK_END_OF_RULE, expecting TOK_OPEN
> Interesting question. How about maybe?


> In actual fact there is no need for a hat rule anymore, the flag is
> carried on the profile and not in the profile rules.
> The hat rules were added in 2.3 for external hats, but there were
> several issues around them, and they got largely ripped out in favor
> of just using a flag on the profile.
> The ability to parse the rule was kept around so that the update
> wouldn't outright break people's policy. At some point our
> refactoring has done away with this vestigial rule. And no one has
> complained, so I would say no, not anymore.

Sounds like I {c,sh}ould change the tools to ignore them (and maybe 
print a warning)...

I'll send a patch in a minute.

> > Oh, and I found all this while hunting down another bug ;-)
> > 
> > To make things more interesting, that other bug crashes aa-cleanprof
> > 80% of the time, but it works well 20% of the time with exactly the
> > same profile directory.
> > 
> > The test profile is attached to this mail. Store it in an empty
> > directory, add symlinks to abstractions and tunables and run (using
> > latest bzr trunk of course)
> > 
> >     python3 aa-cleanprof -d /your/test/directory/   /usr/sbin/sshd
> > 
> > Questions are:
> > - can you reproduce the crash? (should be easy)
> > - does it work sometimes? (as in "you can view the changes")
> > - most interesting (and difficult) question: WHY doesn't it crash 20%
> >   of the time? (Try to find this out only if you have some free time
> >   ;-)
> > 
> > On the positive side, I'm just testing a (quite intrusive, sorry)
> > patch that fixes it in 100% of the time :-)
> no idea but I will play and report back

Don't spend too much time on it ;-) It is an interesting[tm] issue 
(especially because it crashes only 80% of the time, and I'm not aware 
of any /dev/random usage in the tools ;-) and I'm also interested if the 
20% non-crash is reproducible for others.

OTOH, I already have a patch nearly ready, so don't invest hours to find 
out why it doesn't crash in 20% of the cases ;-)  (I know what causes 
the crash, but I don't know why it sometimes doesn't crash.)


Christian Boltz
> Where is the difference between VoIP and ISDN?
You notice it when your Internet connection goes down and you want to call
the provider to ask when the line will be fixed...
[> Luzius und Sandy Drobic in opensuse-de]
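As an added illustration (not Christian's actual patch nor code from the AppArmor tools), this shows how a tool could drop obsolete bare hat declarations like "^hat," with a warning while leaving real hat blocks "^hat { ... }" untouched; the sample profile is constructed for the example.

```python
import re
import warnings

# Constructed sample profile (not the attachment from the mailing list):
# a bare hat declaration "^hat," next to a genuine hat block "^hat2 { ... }".
SAMPLE_PROFILE = """\
/foo {
  ^hat,
  /etc/passwd r,
  ^hat2 {
    /tmp/x rw,
  }
}
"""

# A bare hat declaration is "^name," with nothing else on the line.
# A hat block "^name {" has no trailing comma and therefore does not match.
HAT_DECL_RE = re.compile(r'^\s*\^(?P<hat>\S+?)\s*,\s*$')


def strip_hat_declarations(text):
    """Return (cleaned_text, dropped_hat_names).

    Bare "^hat," declarations are removed with a warning, mirroring the
    2.9.2 parser that no longer accepts them; all other lines (including
    hat blocks) are passed through unchanged.
    """
    kept, dropped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HAT_DECL_RE.match(line)
        if m:
            dropped.append(m.group('hat'))
            warnings.warn('line %d: ignoring obsolete hat declaration ^%s,'
                          % (lineno, m.group('hat')))
            continue
        kept.append(line)
    return '\n'.join(kept) + '\n', dropped


if __name__ == '__main__':
    cleaned, dropped = strip_hat_declarations(SAMPLE_PROFILE)
    print(cleaned)
```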
