[apparmor] [PATCH] utils: Don't check for existence of abstraction files in aa-easyprof

Tyler Hicks tyhicks at canonical.com
Mon Nov 30 23:15:05 UTC 2015


On 2015-11-30 14:14:07, Jamie Strandboge wrote:
> On 11/29/2015 10:28 PM, Tyler Hicks wrote:
> > aa-easyprof is used to generate profiles and the lack of an abstraction
> > file during profile generation should not be an error condition.
> > 
> Why? Or put another way-- why is it any different than a policy group? Is this
> just because the parser knows how to deal with it?

This patch came about because I was working on some packaging for
something that ships a new abstraction file and uses aa-easyprof to
generate a new profile using the new abstraction file at build time.
aa-easyprof only looks in /etc/apparmor.d/abstraction/ for abstractions
specified in the manifest file and, since aa-easyprof is invoked during
package build, the new abstraction file is not yet installed.

An alternative would be to add a new flag to aa-easyprof to specify an
additional location to search for abstractions.

Would adding an --include-abstractions-dir option be preferred instead
of dropping the existence check?

> > Leave the handling of the abstraction file for the parser. It will fail
> > if the file does not exist when the profile is being compiled.
> > 
> > https://launchpad.net/bugs/1521031
> > 
> However, the parser won't be able to give as nice of an error message.

I don't think aa-easyprof's simplistic error message improves the
situation all that much:

  AppArmor parser error for /tmp/test in /tmp/test at line 15: Could not open 'abstractions/DNE'

versus

  ERROR: '/etc/apparmor.d/abstractions/mapplauncherd-booster does not exist'

> It should be noted that by default easyprof will run
> apparmor_parser -QTK to verify the generated profile. If people want
> this change, perhaps it would make sense to only skip the check if
> given --no-verify (idea being, when verifying we can give better
> feedback).

Good point. I was using --no-verify.

Tyler
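
The two options raised in this thread (an additional abstractions search directory, and skipping the existence check only under --no-verify), sketched as an added example; it is not aa-easyprof's code and not part of the original message. The function names, the `extra_dirs` parameter and the directory-containment check are assumptions made for illustration, and the directory tree is constructed.

```python
import os
import tempfile

DEFAULT_DIR = "/etc/apparmor.d/abstractions"  # path shown in the thread's error message


def find_abstraction(name, search_dirs):
    """Return the first regular file for `name` inside search_dirs, else None."""
    for base in search_dirs:
        base_real = os.path.realpath(base)
        candidate = os.path.realpath(os.path.join(base_real, name))
        # Skip names that resolve outside the directory (e.g. "../outside").
        if os.path.commonpath([base_real, candidate]) != base_real:
            continue
        if os.path.isfile(candidate):
            return candidate
    return None


def check_abstractions(names, extra_dirs=(), verify=True, default_dir=DEFAULT_DIR):
    """Return one error string per abstraction that cannot be found."""
    if not verify:
        # Models --no-verify: leave a missing file for apparmor_parser to report.
        return []
    search_dirs = list(extra_dirs) + [default_dir]
    return ["'%s' not found in: %s" % (n, ", ".join(search_dirs))
            for n in names if find_abstraction(n, search_dirs) is None]


def demo():
    """Constructed build tree: a package ships `newabs` that is not yet installed."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "system")  # stands in for DEFAULT_DIR
        build_dir = os.path.join(root, "build")    # hypothetical extra search dir
        os.makedirs(system_dir)
        os.makedirs(build_dir)
        for path in (os.path.join(system_dir, "base"), os.path.join(build_dir, "newabs"),
                     os.path.join(root, "outside")):
            open(path, "w").close()
        wanted = ["base", "newabs", "../outside"]
        return {
            "system_only": check_abstractions(wanted, default_dir=system_dir),
            "with_build_dir": check_abstractions(wanted, [build_dir], default_dir=system_dir),
            "no_verify": check_abstractions(wanted, verify=False, default_dir=system_dir),
        }


if __name__ == "__main__":
    print(demo())
```

With only the system directory the uninstalled `newabs` is reported missing; adding the build directory resolves it, while the name that escapes the search directories is still rejected even though the file exists.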
