[apparmor] [PATCH 00/11] Tweak change_profile rule syntax to include an exec mode

Christian Boltz apparmor at cboltz.de
Thu May 26 10:40:53 UTC 2016


On Wednesday, 25 May 2016, 16:09:58 CEST, Tyler Hicks wrote:
> On 05/25/2016 03:59 PM, Tyler Hicks wrote:
> > The purpose of this patch set is to modify the change_profile rule
> > syntax to allow the policy author to specify if AT_SECURE in the
> > kernel's auxiliary vector should be set (see the getauxval man page
> > for details). The AT_SECURE value determines if libc will scrub the
> > newly executed program's environment.
> 
> > See the following bug for more details:
> >   https://launchpad.net/bugs/1584069

I looked through the patchset and didn't notice any obvious errors.

> As mentioned in the bug, these changes need accompanying utils/
> updates. I haven't looked at the utils/ in quite some time and wanted
> to go ahead and get the lower level changes out for review. 

If you want to implement this, have a look at utils/apparmor/rule/
change_profile.py and utils/test/test-change_profile.py. (luckily 
change_profile is already implemented as a class, which should make the 
change easy.)

Note: change_profile log events are not handled yet. When we implement 
this, we'll probably have to add a question in aa-logprof to ask the 
user about safe vs. unsafe.

Another missing part in your patch is an update for apparmor.vim.in - 
I'll send a patch for it.

> I also
> still cannot successfully run `make check` in utils/ so I'm hesitant
> to try to make any changes to that code.

That probably counts as a bug ;-)

Can you please post the error message you see? (Maybe in a new thread to 
avoid cluttering up this patchset, or on IRC for a faster roundtrip.)

Needless to say, the tests work for me, but maybe your system 
differs in some interesting[tm] details.


Christian Boltz
The former solution seems to be a lot of "monkey work", [...]
I don't think it would be viable on a long term approach. We
better succeed in the latter approach.. or buy lot of banana :)
[Rémy Marquis in opensuse-wiki]
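A small check for the AT_SECURE behaviour the quoted cover letter describes, added here as an example and not part of the patch set or the AppArmor utils: it reports whether the running process was started with AT_SECURE set and whether LD_PRELOAD survived, so a policy author can confirm that an exec transition actually scrubbed the environment. The classification labels and the choice of LD_PRELOAD as the probe variable are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

/* 1 if the kernel flagged this execution as "secure" (AT_SECURE != 0).
 * This is the flag a change_profile "safe" transition is meant to set. */
int at_secure_set(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* 1 if VAR is present in the environment, 0 otherwise. */
int env_var_present(const char *var)
{
    return getenv(var) != NULL;
}

/* Classify the observed state. When AT_SECURE is set, glibc removes
 * loader-sensitive variables such as LD_PRELOAD during startup, so a
 * program entered through a "safe" transition should see it absent.
 * Label names are constructed for this example. */
const char *classify(int secure, int preload_present)
{
    if (secure && preload_present)
        return "secure-but-unscrubbed"; /* loader did not remove LD_PRELOAD */
    if (secure)
        return "scrubbed";              /* AT_SECURE set, LD_PRELOAD gone */
    if (preload_present)
        return "inherited";             /* AT_SECURE clear, LD_PRELOAD kept */
    return "plain";                     /* AT_SECURE clear, no LD_PRELOAD */
}

int main(void)
{
    int secure = at_secure_set();
    int preload = env_var_present("LD_PRELOAD");

    printf("AT_SECURE=%d LD_PRELOAD=%s -> %s\n", secure,
           preload ? "present" : "absent", classify(secure, preload));
    return 0;
}
```

Export LD_PRELOAD in the parent shell, then exec the compiled binary through the transition under test; "scrubbed" confirms the environment was cleaned, "inherited" shows the unsafe path.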