[apparmor] [PATCH] profiles: Grant access to systemd-resolved in the nameservice abstraction

Christian Boltz apparmor at cboltz.de
Wed Oct 12 21:55:24 UTC 2016 

Hello,

Am Mittwoch, 12. Oktober 2016, 14:31:13 CEST schrieb John Johansen:
...
> atm I think I am in favor of wrapping it in the conditional and
> defaulting that conditional to false.
> 
> The ubuntu patch then changing the conditional to true. This way
> the information is being carried upstream. And only the distro
> specific tweak is out of tree.

That sounds like a good idea, but... -


If you look at utils/test/test-parser-simple-tests.py, you'll notice

    # testcases with various unexpected failures
    syntax_failure = [
    ...
       # Syntax Errors caused by boolean conditions (parse_profile_data()
       # gets confused by the closing '}')

followed by a list of all files in parser/tst/simple_tests/conditional/ - 
except those with EXRESULT FAIL because at least those fail correctly 
;-)  (actually they fail for a different reason, but hey, they fail ;-)

So if you add any boolean condition, expect aa-logprof etc. to break 
completely :-/

I'm aware of this since I wrote the test that checks against 
simple_tests, but it has low priority because nobody seems to use 
conditionals in practise. At least I never received a bugreport ;-)

Unfortunately fixing this isn't easy - the tools will probably need to 
handle a "stack" of parenthesis ("I'm inside 'if $foo'") or something 
like that. (Besides conditionals, that stack should also handle 
owner { } and audit { } blocks, and also nested child profiles.)

To make things even worse, this major code change will probably have to 
happen in an area of aa.py which is hard to cover with unit tests.


For now, a possible workaround could be to abuse variables. The upstream 
code could have something like
    @{RESOLVED_DBUS_SOCKET}=""
and Ubuntu could set it to the real dbus socket. I know this is ugly 
(and it also means not to use abstractions/dbus-strict), but it's still 
better than breaking all aa-* tools.


Regards,

Christian Boltz
-- 
Well, I guess, Stephan knows very well, what the fuzz is about: it's
about hundreds of patches, which will have to be regenerated, done as
an employment-creation measure for this lazy gang of packagers.
[Hans-Peter Jansen in opensuse-packaging]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161012/2b7ff966/attachment.pgp>

More information about the AppArmor mailing list