[apparmor] [patch] fixes for LP: #775785, full /tmp reload issue

Fri Aug 12 22:08:28 UTC 2011

Hello,

Am Donnerstag, 4. August 2011 schrieb Steve Beattie:
> Bug: https://bugs.launchpad.net/bugs/775785
> 
> Attached is a patch to make the initscript not fail if /tmp is full
> by converting the comm(1) usage on temporary files to an embedded
> awk script. On both Ubuntu and OpenSUSE, a version of awk (mawk in
> Ubuntu, gawk in OpenSUSE) is either a direct or indirect dependency
> on the minimal or base package set, and the original reporter also
> mentioned that an awk-based solution would be palatable in a way that
> converting to bash, or using perl or python here would not be.

The easier solution would be to replace (pseudocode)

list_profiles > $tmpfile
cat $tmpfile | do_it

with

list_profiles | do_it

But it's probably a matter of taste if the "old" code with lots of pipes
or the awk script are more readable ;-)

Besides that, I somehow wonder about this part of your patch:

> Index: b/parser/rc.apparmor.functions
> ===================================================================
> --- a/parser/rc.apparmor.functions
> +++ b/parser/rc.apparmor.functions

> +       profiles_names_list | awk '
> +BEGIN {
> +  while (getline < "'${SFS_MOUNTPOINT}'/profiles" ) {

I'm not an awk expert, but to me it looks like awk has two possible
data sources:
a) result of profiles_names_list via STDIN
b) reading ${SFS_MOUNTPOINT}'/profiles

If I'm right, can you decide on one and remove the other, please? ;-)

To avoid regressions, can you please test if the following profile is 
handled correctly?

profile "/tmp/BOfH " {
  /bin/bash r,
}

BTW: It works with the current initscript on openSUSE 11.4.

However, I noted a small issue: /sys/kernel/security/apparmor/profiles 
seems to hide the space:

# cat /sys/kernel/security/apparmor/profiles  |sed 's/ /+/g' # shortened
/tmp/BOfH+(enforce)
/sbin/syslogd+(enforce)

I'd expect another space:
/tmp/BOfH++(enforce)
         ^^

> I've also attached a patch for the Ubuntu version of the initscript,
> which is distinct from the upstream versions.

Sounds like maintenance "fun" - what's the reason for the different 
initscript?

Regards,

Christian Boltz
-- 
[ComputerBild] Allerdings wird wahrscheinlich eher die Hölle zufrieren
als das dieses Organ der Presselandschaft, deren Inhalt einer jeden
Ausgabe locker auf einer Briefmarke Platz hätte, [für die Etikette]
eine Spalte hergibt. [Thomas Templin in suse-linux]