[apparmor] [PATCH] aa-keywords: Expose parser keywords

Goldwyn Rodrigues rgoldwyn at suse.de
Wed Mar 1 01:01:52 UTC 2017



On 02/27/2017 10:42 PM, Seth Arnold wrote:
> On Mon, Feb 27, 2017 at 08:39:40PM -0600, Goldwyn Rodrigues wrote:
>> From: Goldwyn Rodrigues <rgoldwyn at suse.com>
>>
>> A simple utility to return the keywords used in apparmor.d profile
>> files.
>>
>> This would enable utilities such as yast to create apparmor
>> profiles without the need to cross-check and verify
>> the syntax.
>>
>> While there is nothing fancy about the tool, if you think this needs
>> more command-line arguments, I will be happy to put them in.
> 
> What's the intention of the tool?

The prime intention of both these patches is to get rid of deprecated
perl in the Yast code which it still works on. This is blocking the path
to upgrade apparmor in most of (open)suse distros. The yast repo is at
https://github.com/goldwynr/yast-apparmor. It is still a work in
progress so I have not posted them to the mailing lists as yet.


> 
> A full understanding of AppArmor profiles is well beyond what this patch
> enables; the Python-based tools offer a good subset of what's legal, but
> still don't understand a great many legal (and useful) profiles.

I agree. While I was hoping to get a set of rules possible, a complete
list was next to impossible.

> 
> So I'm hesitant to suggest that the YaST front end should try to reproduce
> the parser -- it would be extremely complicated work and trying to reach
> parity would be an immense undertaking, and the end results might still
> be very frustrating to users ("yast says it's valid so why did it fail?";
> "this parses just fine at the command line but yast says it's invalid?";
> etc.)  At some point, providing a dumb text window without help may be
> friendlier than a text widget that gets things wrong.

Well yes, I think it will be better to just provide a dumb text window
and blame it on the user for mistakes ;)

> 
> But if there's reason enough to keep the tool, the changes look good, and
> probably having the descriptions around as online-help in the tool would
> be a vast usability improvement. I'd like to keep that part. :)

The extra text is limited to the files section, so I am not sure if it
is a good idea to keep it.

> 
> There's more than a few missing keywords though: link, audit, dbus
> and its many keywords. (I one day tried to collate all the keywords
> we support for AFL fuzzing. It took a lot longer than I expected and I
> accidentally destroyed the list when I reclaimed the VM. Finding them
> all takes a while.)
> 
I didn't cover capability because it did not have a list either.
Anyways, it seems to be too many to list.

Thanks. This discussion was helpful.

-- 
Goldwyn