[apparmor] [patch] [4/7] Copy code to ask for adding hats to aa.py ask_the_questions()
Seth Arnold
seth.arnold at canonical.com
Tue Jan 17 23:25:31 UTC 2017
On Tue, Jan 17, 2017 at 10:15:11PM +0100, Christian Boltz wrote:
> argh, s/aa-mergeprof/aa-genprof/ here
> You are right. aa-mergeprof doesn't read the log and only takes another
> profile as input. I just noticed the bug in my question ;-)

Ah, good :)

> > In both cases, prompting the user seems like the right answer.
>
> Should it ask to
> a) add a hat
> b) a child profile
> c) offer both options and let the user choose

I like C.

>
> > Did I overlook anything?
>
> I'd add
>
> - The profile is in complain mode, and audit.log was rotated after the
> exec event (which can easily happen because null-* profiles tend to
> flood the log).
>
> Actually this is the most interesting one because aa-logprof will
> probably ask to add null-* child profiles.

Hrm. This is trouble. The last time I did a huge amount of profiling,
missing execs was the most painful bit.

> > Acked-by: Seth Arnold <seth.arnold at canonical.com>
>
> With or without the "Ignore log events for non-existing profile or child
> profile" section? ;-)
>
> (I tend to commit this patch as is, and if we want logprof and genprof
> to ask about unknown hats and child profiles, do it as a separate patch.)

Addressing new questions in future patches sounds fine.

Thanks