[apparmor] [PATCH] Set flags for profiles represented by a glob

Christian Boltz apparmor at cboltz.de
Wed Apr 11 22:54:06 UTC 2018


Hello,

On Wednesday, 11 April 2018, 18:32:20 CEST, Goldwyn Rodrigues wrote:
> On 04/08/2018 01:09 PM, Christian Boltz wrote:

> > The failure for both is the old one:
> >     Profile for /usr/bin/ping not found, skipping
> > 
> > I verified that AARE matching works as expected, so there must be a
> > bug somewhere else.
> 
> This is because of profile to filename conversion. We are finding the
> program associated with it and converting the filename replacing with
> dots. So, the profile (ping) which evaluates (/usr/bin/ping) does not
> find the profile named /etc/apparmor.d/usr.bin.ping.  There is no easy
> solution to this as of now.

Ah, now I understand the problem, and just confirmed that renaming 
bin.ping to usr.bin.ping indeed fixes the issue.

aa-logprof can handle "wrong" filenames - basically it reads all 
profiles first, and while doing that, also builds a list of profile <-> 
filename mappings which it then uses instead of the "default" filenames.

Doing the same for aa-complain etc. should be possible, but I'll have to 
check the code before I know how hard it is or if it causes side 
effects. My *guess* is that it isn't really hard, but it needs parsing 
of all profiles and therefore might make aa-complain a bit slower. (That 
said - aa-complain already seems to parse all profiles because it errors 
out if one of them has a syntax error. Sounds like this will be an 
interesting bug hunt ;-)

I'd say ignore this for now and submit your patch. We can always submit 
another patch on top to fix this detail ;-)

> I so wish aa.py was written a bit better.

No objections on this. I celebrate every line of code I can remove from 
it, and my long-term goal is   rm aa.py   ;-)

> > Bonus bug: if I change the traceroute profile to
> > 
> >     profile traceroute /usr/{sbin/traceroute,bin/traceroute.db} {
> >     
> >     # aa-enforce traceroute
> >     Setting /usr/sbin/traceroute to enforce mode.
> >     
> >     ERROR: Path doesn't start with / or variable: traceroute
> > 
> > which indicates that the match is done against the profile name
> > instead of the attachment.
> 
> Okay, I fixed that. It needs to check against the right name.

Maybe it's a good idea to check against both ;-) Assume someone runs   
aa-complain ping   and we have   profile ping /{usr/,}bin/ping   then 
"ping" would be an exact match on the profile name and /bin/ping or 
/usr/bin/ping would match the attachment.

(This doesn't need to be in this patch - not making the given parameter 
a full path to be able to check against the profile name sounds like a 
bigger change.)

> > (You can also trigger similar errors by simply running "make
> > check".)
> > 
> > 
> > BTW: We moved development to gitlab.com, merge requests are always
> > welcome ;-)  - but if you prefer to send patches by mail, that's of
> > course still possible.
> 
> Okay, I will send the merge request there.

:-)


Regards,

Christian Boltz
-- 
Unix: Everything is a file, and whatever is not a file had better
disguise itself as one.      [Wolfgang Weisselberg in linux-liste]
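The lookup discussed in this thread, as an added example that is not code from aa.py or the AppArmor project: it contrasts the naive path-to-filename conversion (which looks for usr.bin.ping and fails when the profile lives in bin.ping) with an index built by parsing every profile header once, the way aa-logprof is described as doing, and then resolves the aa-complain/aa-enforce argument against both the profile name and the attachment glob. The sample profile files are constructed, and the AARE-to-regex converter is a simplified assumption covering only `{a,b}`, `**`, `*` and `?`.

```python
import re

PROFILE_DIR = "/etc/apparmor.d"
# Constructed sample profiles; ping deliberately lives in bin.ping rather than
# usr.bin.ping to reproduce the "Profile for /usr/bin/ping not found" failure.
SAMPLE_FILES = {
    f"{PROFILE_DIR}/bin.ping": "profile ping /{usr/,}bin/ping {\n  capability net_raw,\n}\n",
    f"{PROFILE_DIR}/usr.sbin.traceroute": "profile traceroute /usr/{sbin/traceroute,bin/traceroute.db} {\n}\n",
    f"{PROFILE_DIR}/usr.bin.foo": "/usr/bin/foo flags=(complain) {\n}\n",
}

def default_profile_filename(path):
    """The naive path -> filename conversion described in the thread; the result need not exist."""
    return f"{PROFILE_DIR}/{path.lstrip('/').replace('/', '.')}"

def aare_to_regex(glob):
    """Simplified AARE glob -> anchored regex (assumption: only {a,b}, **, * and ? are handled)."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|.", glob):          # treat ** as one token
        if tok == "{":
            depth += 1; out.append("(?:")
        elif tok == "}" and depth:
            depth -= 1; out.append(")")
        elif tok == "," and depth:
            out.append("|")                           # alternation only inside braces
        else:
            out.append({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok)))
    return re.compile("^" + "".join(out) + "$")

# Top-level header: 'profile NAME [ATTACHMENT] [flags=(..)] {'  or  '/path [flags=(..)] {'
HEADER = re.compile(r"^\s*(?:profile\s+(?P<name>\S+)(?:\s+(?P<attach>/\S+))?|(?P<path>/\S+))"
                    r"\s*(?:flags=\([^)]*\)\s*)?\{")

def build_profile_index(files):
    """Parse every profile once and record (name, attachment, filename), as aa-logprof does."""
    index = []
    for filename, content in files.items():
        m = next((m for m in map(HEADER.match, content.splitlines()) if m), None)
        if m:  # only the first (top-level) header of each file is indexed
            name = m.group("name") or m.group("path")
            attach = m.group("attach") or (name if name.startswith("/") else None)
            index.append((name, attach, filename))
    return index

def find_profile(index, arg):
    """Resolve an aa-complain/aa-enforce argument: exact profile name first, then attachment glob."""
    by_name = [f for n, _, f in index if n == arg]
    by_path = [f for _, a, f in index if a and arg.startswith("/") and aare_to_regex(a).match(arg)]
    return (by_name or by_path or [None])[0]
```

With this index, `aa-complain ping`, `aa-complain /usr/bin/ping` and `aa-complain /bin/ping` all resolve to the same file, while the default filename for /usr/bin/ping is not a file at all.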