[apparmor] [patch] [4/7] Copy code to ask for adding hats to aa.py ask_the_questions()

Seth Arnold seth.arnold at canonical.com
Tue Jan 17 20:58:03 UTC 2017


On Sun, Jan 15, 2017 at 04:24:46PM +0100, Christian Boltz wrote:
> Hello,
> 
> $subject.
> 
> Everything below "if aamode == 'merge':" is an exact copy of the code in
> aa-mergeprof (with whitespace changed).
> 
> aa-logprof and aa-mergeprof will continue to ignore events from unknown
> hats and subprofiles.
> 
> RFC: does this make sense, or should aa-logprof and aa-mergeprof also
> ask to add hats/subprofiles it finds in audit.log?
> Note that this question already contains an interesting problem - from
> the log, we don't know if a hat or a subprofile was requested, so we can
> either ask the user or default to one of them (which one?).

You've always got the most interesting[tm] questions. :)

I'm surprised aa-mergeprof reads the logs at all. I'd expect it to merge
whatever hats are in both input profiles.

aa-logprof is where things get complicated; if the profile doesn't have
any hats but the logs show hats, there's either one of two things:

- The profile in aa-logprof is vastly out of sync with what's being
  enforced at the time of the log entries

- The profile is in learning mode rather than enforce mode, and thus the
  changehats never fail.

In both cases, prompting the user seems like the right answer.

Did I overlook anything?

Thanks

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> 
> 
> [ 04-aa.py-ask-for-adding-hats-in-merge-mode.diff ]
> 
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py	2017-01-15 14:56:54.892510474 +0100
> +++ utils/apparmor/aa.py	2017-01-15 14:59:02.779898965 +0100
> @@ -1514,11 +1514,43 @@
>              for hat in hats:
>  
>                  if not aa[profile].get(hat).get('file'):
> -                    # Ignore log events for a non-existing profile or child profile. Such events can occour
> -                    # after deleting a profile or hat manually, or when processing a foreign log.
> -                    # (Checking for 'file' is a simplified way to check if it's a profile_storage() struct.)
> -                    debug_logger.debug("Ignoring events for non-existing profile %s" % combine_name(profile, hat))
> -                    continue
> +                    if aamode != 'merge':
> +                        # Ignore log events for a non-existing profile or child profile. Such events can occour
> +                        # after deleting a profile or hat manually, or when processing a foreign log.
> +                        # (Checking for 'file' is a simplified way to check if it's a profile_storage() struct.)
> +                        debug_logger.debug("Ignoring events for non-existing profile %s" % combine_name(profile, hat))
> +                        continue
> +
> +                    ans = ''
> +                    while ans not in ['CMD_ADDHAT', 'CMD_ADDSUBPROFILE', 'CMD_DENY']:
> +                        q = aaui.PromptQuestion()
> +                        q.headers += [_('Profile'), profile]
> +
> +                        if log_dict[aamode][profile][hat]['profile']:
> +                            q.headers += [_('Requested Subprofile'), hat]
> +                            q.functions.append('CMD_ADDSUBPROFILE')
> +                        else:
> +                            q.headers += [_('Requested Hat'), hat]
> +                            q.functions.append('CMD_ADDHAT')
> +
> +                        q.functions += ['CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED']
> +
> +                        q.default = 'CMD_DENY'
> +
> +                        ans = q.promptUser()[0]
> +
> +                        if ans == 'CMD_FINISHED':
> +                            return
> +
> +                    if ans == 'CMD_DENY':
> +                        continue  # don't ask about individual rules if the user doesn't want the additional subprofile/hat
> +
> +                    if log_dict[aamode][profile][hat]['profile']:
> +                        aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing subprofile')
> +                        aa[profile][hat]['profile'] = True
> +                    else:
> +                        aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing hat')
> +                        aa[profile][hat]['profile'] = False
>  
>                  #Add the includes from the other profile to the user profile
>                  done = False
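Review bot: the origin strings passed to profile_storage() in the two new assignments, `'mergeprof ask_the_questions() - missing subprofile'` and `'mergeprof ask_the_questions() - missing hat'`, still say "mergeprof" even though this code now lives in aa.py's ask_the_questions() and is reached via aamode; rename them so a later debug trace points at the right function. The `log_dict[aamode][profile][hat]['profile']` lookup is also evaluated on every loop iteration and again after the loop; computing it once into a local before the `while` would make the hat/subprofile branches easier to follow. Minor: the moved comment keeps the "occour" typo ("occur"), which could be fixed while the lines are being touched.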
> 
> 
> 
> Regards,
> 
> Christian Boltz
> -- 
> > You only read the second paragraph, didn't you?
> Why do you write emails where one has to read the stuff
> between the first and the last word?
> [> Stephan Kulow and Dirk Mueller in opensuse-packaging]



