[apparmor] [PATCH] Set flags for profiles represented by a glob
Christian Boltz
apparmor at cboltz.de
Wed Apr 11 22:54:06 UTC 2018
Hello,
On Wednesday, 11 April 2018, 18:32:20 CEST, Goldwyn Rodrigues wrote:
> On 04/08/2018 01:09 PM, Christian Boltz wrote:
> > The failure for both is the old one:
> > Profile for /usr/bin/ping not found, skipping
> >
> > I verified that AARE matching works as expected, so there must be a
> > bug somewhere else.
>
> This is because of profile to filename conversion. We are finding the
> program associated with it and converting the filename replacing with
> dots. So, the profile (ping) which evaluates (/usr/bin/ping) does not
> find the profile named /etc/apparmor.d/usr.bin.ping. There is no easy
> solution to this as of now.
Ah, now I understand the problem, and just confirmed that renaming
bin.ping to usr.bin.ping indeed fixes the issue.
aa-logprof can handle "wrong" filenames - basically it reads all
profiles first, and while doing that, also builds a list of profile <->
filename mappings which it then uses instead of the "default" filenames.
Doing the same for aa-complain etc. should be possible, but I'll have to
check the code before I know how hard it is or if it causes side
effects. My *guess* is that it isn't really hard, but it needs parsing
of all profiles and therefore might make aa-complain a bit slower. (That
said - aa-complain already seems to parse all profiles because it errors
out if one of them has a syntax error. Sounds like this will be an
interesting bug hunt ;-)
I'd say ignore this for now and submit your patch. We can always submit
another patch on top to fix this detail ;-)
> I so wish aa.py was written a bit better.
No objections on this. I celebrate every line of code I can remove from
it, and my long-term goal is rm aa.py ;-)
> > Bonus bug: if I change the traceroute profile to
> >
> > profile traceroute /usr/{sbin/traceroute,bin/traceroute.db} {
> >
> > # aa-enforce traceroute
> > Setting /usr/sbin/traceroute to enforce mode.
> >
> > ERROR: Path doesn't start with / or variable: traceroute
> >
> > which indicates that the match is done against the profile name
> > instead of the attachment.
>
> Okay, I fixed that. It needs to check against the right name.
Maybe it's a good idea to check against both ;-) Assume someone runs
aa-complain ping and we have profile ping /{usr/,}bin/ping then
"ping" would be an exact match on the profile name and /bin/ping or
/usr/bin/ping would match the attachment.
(This doesn't need to be in this patch - not making the given parameter
a full path to be able to check against the profile name sounds like a
bigger change.)
> > (You can also trigger similar errors by simply running "make
> > check".)
> >
> >
> > BTW: We moved development to gitlab.com, merge requests are always
> > welcome ;-) - but if you prefer to send patches by mail, that's of
> > course still possible.
>
> Okay, I will send the merge request there.
:-)
Regards,
Christian Boltz
--
Unix: Everything is a file, and anything that is not a file had better
disguise itself as one. [Wolfgang Weisselberg in linux-liste]
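The two lookup problems discussed in this thread (the default "replace / with ." filename guess failing for a profile stored under a different file name, and matching a user-supplied argument against the profile name as well as its attachment glob) can be illustrated with a small standalone Python model. This is an added example for this page, not code from aa.py or the AppArmor utilities; the `Profile` record, the constructed profile set, and the `aare_to_regex`, `default_filename`, `find_profile` and `profile_file` helpers are all assumptions made here. It goes slightly beyond the thread in also covering path-named profiles (where the name is the attachment) and the `*` / `**` / `?` AARE wildcards alongside `{a,b}` alternation.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

PROFILE_DIR = "/etc/apparmor.d"  # assumed location of parsed profiles


@dataclass(frozen=True)
class Profile:
    """One profile as it would be recorded after parsing every file in PROFILE_DIR."""
    name: str                  # profile name ("ping") or path for path-named profiles
    attachment: Optional[str]  # AARE attachment glob, None for path-named profiles
    filename: str              # file the profile was actually read from (relative)


# Constructed sample data: note that "ping" lives in bin.ping, not usr.bin.ping.
PROFILES: List[Profile] = [
    Profile("ping", "/{usr/,}bin/ping", "bin.ping"),
    Profile("traceroute", "/usr/{sbin/traceroute,bin/traceroute.db}", "usr.sbin.traceroute"),
    Profile("/usr/sbin/sshd", None, "usr.sbin.sshd"),  # classic path-named profile
]


def aare_to_regex(aare: str) -> "re.Pattern[str]":
    """Translate an AppArmor path glob into an anchored regex.

    Subset handled (assumed sufficient for attachments): '*' matches within one
    path component, '**' crosses '/', '?' is one non-'/' char, '{a,b}' is
    alternation, '[...]' is passed through, backslash escapes the next char.
    """
    out, i, depth = [], 0, 0
    while i < len(aare):
        c = aare[i]
        if c == "\\" and i + 1 < len(aare):
            out.append(re.escape(aare[i + 1]))
            i += 2
            continue
        if aare.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            j = aare.find("]", i)
            if j != -1:
                out.append(aare[i:j + 1])  # character class copied verbatim
                i = j + 1
                continue
            out.append(re.escape(c))
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def default_filename(path: str) -> str:
    """The naive profile-to-filename guess: drop leading '/' and replace '/' with '.'."""
    return path.lstrip("/").replace("/", ".")


def find_profile(arg: str, profiles: List[Profile]) -> Optional[Profile]:
    """Resolve a command-line argument to a profile.

    First an exact match on the profile name (covers both 'ping' and
    '/usr/sbin/sshd'), then, for absolute paths, a match against the
    attachment glob so '/bin/ping' and '/usr/bin/ping' both find 'ping'.
    """
    for p in profiles:
        if p.name == arg:
            return p
    if arg.startswith("/"):
        for p in profiles:
            attachment = p.attachment or (p.name if p.name.startswith("/") else None)
            if attachment and aare_to_regex(attachment).match(arg):
                return p
    return None


def profile_file(arg: str, profiles: List[Profile]) -> Optional[str]:
    """Full path of the file holding the matching profile, taken from the parsed
    name<->filename mapping rather than from default_filename()."""
    p = find_profile(arg, profiles)
    return os.path.join(PROFILE_DIR, p.filename) if p else None


if __name__ == "__main__":
    for arg in ("ping", "/usr/bin/ping", "/bin/ping", "/usr/bin/traceroute.db"):
        print(f"{arg:26} -> guessed {default_filename(arg):22} actual {profile_file(arg, PROFILES)}")
```

Running the block shows why the guess fails: `default_filename("/usr/bin/ping")` yields `usr.bin.ping`, while the mapping built from parsed profiles correctly points at `bin.ping`. Matching the argument against the attachment is what keeps `aa-enforce traceroute`-style lookups from comparing a bare profile name to a path.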