[apparmor] [patch] Fix handling of link events in aa-logprof
Christian Boltz
apparmor at cboltz.de
Thu Jan 7 20:30:40 UTC 2016
Hello,
On Thursday, 7 January 2016, Seth Arnold wrote:
> On Thu, Jan 07, 2016 at 08:53:11PM +0100, Christian Boltz wrote:
> > Fortunately the fix is easy - delete the code with the special
> > handling for 'l' events, and the remaining code that handles other
> > file permissions just works :-)
> This fix seems useful for now, but it'd be _ideal_ if the link
> operations would generate the two-argument link rules, like:
>
> link subset /foo -> /bar,
>
> So I'll ACK this but consider what might be involved in preparing the
> longer one..
I'm sure I'll stumble over detailed link rules while or after converting
the handling of file rules to a FileRule class [1] ;-)
However, I'm not sure if I should create a separate LinkRule class or
handle it in FileRule.
I tend to think that handling it in FileRule could make sense because
file rules with 'l' permissions and link rules can overlap, but if
someone knows a good reason for a separate class, please speak up ;-)
For now, asking for a 'l' file rule (even if the resulting rule is a bit
too permissive) is better than ignoring the log event - but: yes, you
are right that in the long term having a more restrictive handling for
link events makes sense.
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks, committed.
Regards,
Christian Boltz
[1] Implementing FileRule will probably be one of the more
interesting[tm] ones. Especially ensuring all the proposals
aa-logprof offers nowadays are still available will be funny...
--
> I would like to throw Linux off my hard disk for an indefinite
> time; how exactly do I do that? [Glenn Charpantier]
Take the disk out of the computer and grip it firmly with your hand.
Then make a vigorous throwing motion, as if you wanted to throw the disk
very far away. [...] If the motion was vigorous enough, Linux has now
fallen off the disk. [Adalbert Michelic in suse-linux]