[apparmor] [PATCH 00/11] Tweak change_profile rule syntax to include an exec mode
apparmor at cboltz.de
Thu May 26 10:40:53 UTC 2016
On Wednesday, 25 May 2016, 16:09:58 CEST, Tyler Hicks wrote:
> On 05/25/2016 03:59 PM, Tyler Hicks wrote:
> > The purpose of this patch set is to modify the change_profile rule
> > syntax to allow the policy author to specify if AT_SECURE in the
> > kernel's auxiliary vector should be set (see the getauxval man page
> > for details). The AT_SECURE value determines if libc will scrub the
> > newly executed program's environment.
> > See the following bug for more details:
> > https://launchpad.net/bugs/1584069
I looked through the patchset and didn't notice any obvious errors.
> As mentioned in the bug, these changes need accompanying utils/
> updates. I haven't looked at the utils/ in quite some time and wanted
> to go ahead and get the lower level changes out for review.
If you want to implement this, have a look at utils/apparmor/rule/
change_profile.py and utils/test/test-change_profile.py. (luckily
change_profile is already implemented as a class, which should make the
Note: change_profile log events are not handled yet. When we implement
this, we'll probably have to add a question in aa-logprof to ask the
user about safe vs. unsafe.
Another missing part in your patch is an update for apparmor.vim.in -
I'll send a patch for it.
> I also
> still cannot successfully run `make check` in utils/ so I'm hesitant
> to try to make any changes to that code.
That probably counts as a bug ;-)
Can you please post the error message you see? (Maybe in a new thread to
avoid cluttering up this patchset, or on IRC for a faster roundtrip.)
Needless to say, the tests work for me, but maybe your system
differs in some interesting[tm] details.
The former solution seems to be a lot of "monkey work", [...]
I don't think it would be viable on a long term approach. We
better succeed in the latter approach.. or buy lot of banana :)
[Rémy Marquis in opensuse-wiki]
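As an added example (not code from this thread or from the AppArmor utils/ tree), here is a small parser and checker for change_profile rules of the kind the utils/ update discussed above would need. It assumes the exec mode is written as a `safe`/`unsafe` keyword after `change_profile` and before the optional exec path; that syntax, the function and class names, and the sample profile are all assumptions, not taken from the patch set. Rules with no explicit mode are reported separately rather than assumed to be one or the other.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed rule shape (hypothetical, not copied from the patch set):
#   change_profile [safe|unsafe] [<exec path>] -> <profile> ,
# 'safe'   : AT_SECURE is set, so libc scrubs the new program's environment
# 'unsafe' : AT_SECURE is not set, the environment is passed through untouched
# no keyword: mode left unspecified; this parser does not guess a default.
RULE_RE = re.compile(
    r'^\s*change_profile'
    r'(?:\s+(?P<mode>safe|unsafe)\b)?'
    r'(?:\s+(?P<exec>/\S+))?'
    r'\s*->\s*(?P<profile>[^\s,]+)\s*,?\s*$'
)


@dataclass(frozen=True)
class ChangeProfileRule:
    mode: Optional[str]        # 'safe', 'unsafe' or None
    exec_path: Optional[str]   # optional exec condition
    profile: str               # target profile

    @property
    def scrubs_environment(self) -> bool:
        # Only an explicit 'safe' mode guarantees the environment is scrubbed.
        return self.mode == 'safe'

    def get_clean_rule(self) -> str:
        # Re-serialise in canonical form (one space, trailing comma).
        parts = ['change_profile']
        if self.mode:
            parts.append(self.mode)
        if self.exec_path:
            parts.append(self.exec_path)
        parts += ['->', self.profile]
        return ' '.join(parts) + ','


def parse_change_profile(line: str) -> ChangeProfileRule:
    """Parse one change_profile rule line; raises ValueError on anything else."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError('not a recognised change_profile rule: %r' % line)
    return ChangeProfileRule(m.group('mode'), m.group('exec'), m.group('profile'))


def audit_change_profile_rules(profile_text: str) -> Tuple[List[str], List[str]]:
    """Scan a profile and return (explicitly unsafe rules, rules with no mode).

    Both lists are what a reviewer would want to look at: 'unsafe' rules keep
    the caller's environment across the transition, and mode-less rules rely
    on whatever the default behaviour is.
    """
    unsafe, unspecified = [], []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line.startswith('change_profile'):
            continue
        rule = parse_change_profile(line)
        if rule.mode == 'unsafe':
            unsafe.append(rule.get_clean_rule())
        elif rule.mode is None:
            unspecified.append(rule.get_clean_rule())
    return unsafe, unspecified


# Constructed sample profile for demonstration (hypothetical paths and names).
SAMPLE_PROFILE = """\
/usr/bin/launcher {
  change_profile safe /usr/bin/worker -> worker,
  change_profile unsafe /usr/bin/legacy -> legacy,
  change_profile -> sandbox,
}
"""

if __name__ == '__main__':
    unsafe_rules, unspecified_rules = audit_change_profile_rules(SAMPLE_PROFILE)
    print('unsafe:', unsafe_rules)
    print('unspecified:', unspecified_rules)
```

Feeding the sample profile through `audit_change_profile_rules` flags the `unsafe` legacy transition and the mode-less `sandbox` rule, while the `safe` worker rule passes silently; a rule like `change_profile safely -> foo` is rejected by the parser rather than silently treated as safe.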