[apparmor] aa-enabled

Christian Boltz apparmor at cboltz.de
Tue Nov 24 23:03:01 UTC 2015 

Hello,

Am Dienstag, 24. November 2015 schrieb John Johansen:
> On 11/22/2015 07:20 AM, Christian Boltz wrote:
> > To allow a smooth transition, I propose to add a little aa-enabled
> > tool to 2.9 and 2.10 which just does
> > 
> >     #!/bin/sh
> >     exec aa-status --enabled
> 
> hrmmm, this certainly doesn't solve the problem, and hardly seems

Depends how you define the problem ;-)

IMHO it is "calling aa-status --enabled" (especially when done from 
dh_apparmor and similar packaging helpers), and that can be solved by 
such a wrapper. (Getting dh_apparmor changed might be harder than 
getting a new AppArmor version in.) 
However...

> worth doing as a backport. If we were to pull anything back to 2.9 or
> 2.10 I think I would rather the bash script or ideally a simple C
> program so there are no interpreter dependencies to worry about.

... I won't object if we backport the "real" aa-enabled ;-)

> > This means Debian and Ubuntu can switch dh_apparmor etc. to use
> > aa-enabled instead of aa-status --enabled _now_ (assuming it fits
> > for
> > them) instead of having to wait for a major AppArmor release. This
> > allows a longer migration period.
> 
> sure they could switch now, but such a change isn't going to show up
> in the current releases. It will only be dropped into new ones

Of course it will only be changed for new releases, but I'd guess 
getting a minor release in is easier shortly before a distribution  
release.

> > For trunk, I propose aa-enabled should actually do the work itsself
> > -
> > see the "Re: [apparmor] [patch] utils: make aa-status(8) function
> > without python3-apparmor" mail for a proposal.
> 
> I agree it should do it itself, and I counter with the following C
> program
> 
> ---
> 
> #include <errno.h>
> #include <stdio.h>
> #include <sys/apparmor.h>
> 
> int main(int argc, char **argv)
> {
> 	if (aa_is_enabled()) {
> 		printf("Y");
> 		return 0;
> 	}
> 	printf("N");
> 	return errno;
> }

Nice trick - you are using libapparmor to hide most of the code ;-)
(that's not really bad because it avoids code duplication, but makes the 
comparison a bit unfair ;-)

Oh, and the C code has a bug - like aa-status --enabled, aa-enabled 
should only set the exitcode, but not print anything.

Anyway, I can live with both solutions as long as we get aa-enabled 
added ;-)


Regards,

Christian Boltz
-- 
Über den Autor Marcus Meissner:
Marcus Meissner entwickelt seit über 10 Jahren Opensource Entwickler.
[gefunden auf http://www.linuxtag.org/2007/de/conf/events/vp-mittwoch/vortragsdetails.html?talkid=40]

More information about the AppArmor mailing list