[apparmor] [patch] Remove pname to bin_name mapping in autodep()
kgupta8592 at gmail.com
Thu Feb 11 21:08:45 UTC 2016
On Sun, Jan 3, 2016 at 11:21 PM, Christian Boltz <apparmor at cboltz.de> wrote:
> if autodep() is called with a pname starting with / (which can happen
> for (N)amed exec depending on the user input), this pname is mapped to
> This might look like a good idea, however if the given pname doesn't
> exist as file on-disk, autodep() returns None instead of a (mostly
> empty) profile. (Reproducer: choose (N)amed, enter "/foo/bar")
> Further down the road, this results in two things:
> a) the None result gets written as empty profile file (with only a "Last
> modified" line)
> b) a crash if someone chooses to add an abstraction to the None, because
> None doesn't support the delete_duplicates() method for obvious
> reasons ;-)
> Unfortunately this patch also introduces a regression - aa-logprof now
> fails to follow the exec and doesn't ask about the log events for the
> exec target anymore. However this doesn't really matter because of a) -
> asking and saving to /dev/null vs. not asking isn't a real difference
Where is the b)? The universe demands it!
> Actually the patch slightly improves things - it creates a profile for
> the exec target, but only with the depmod() defaults (abstractions/base)
> and always in complain mode.
> I'd prefer a patch that also creates a complete profile for the exec
> target, but that isn't as easy as fixing the issues mentioned above and
> therefore is something for the TODO list or a bugreport.
> BTW: the code that is removed with this commit was introduced in the old
> perl modules in r1097 with the not too helpful commit message
> Add new exec modes and many bug fixes
> therefore I can't tell what the idea behind it was - any ideas?
> I propose this patch for trunk, 2.10 and 2.9.
> (2.9 "only" writes an empty file and doesn't crash - but writing an empty
> profile is still an improvement)
> I also won't complain if someone comes up with a better patch that
> follows the exec, asks for all events and creates the full profile.
> Damn! Some explanation for removing 2 lines of code ;-)
> [ 61-autodep-remove-pname-bin_name-mapping.diff ]
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py 2016-01-03 16:31:01.336411176 +0100
> +++ utils/apparmor/aa.py 2016-01-03 16:47:43.205831925 +0100
> @@ -665,8 +665,6 @@
> def autodep(bin_name, pname=''):
> bin_full = None
> global repo_cfg
> - if not bin_name and pname.startswith('/'):
> - bin_name = pname
> if not repo_cfg and not cfg['repository'].get('url', False):
> repo_conf = apparmor.config.Config('shell', CONFDIR)
> repo_cfg = repo_conf.read_config('repository.conf')
> Thanks for the patch.
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>
for trunk, 2.10 and 2.9(if you feel necessary).
> Christian Boltz
> Und weshalb nicht vorerst weiterhin sysvinit benutzen? systemd
> ist so frisch und appetitlich wie ein dampfender Kuhfladen. ;)
> [Lars Müller in opensuse-de]
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the AppArmor