[apparmor] cross-distribution profile repo

Jamie Strandboge jamie at canonical.com
Thu Aug 28 02:16:49 UTC 2014


On 08/27/2014 07:31 PM, intrigeri wrote:
> Hi,
> 
> Jamie Strandboge wrote (27 Aug 2014 23:45:50 GMT) :
>> FYI, I did an archive grep on Ubuntu 14.10 this week and updated our list here:
>> https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles
> 
>> It is complete, but could be better organized (esp. with identifying the
>> profiles shipped in our apparmor-profiles package).
> 
> Great, thanks! I'm curious how you did this archive grep, and whether
> it could be run automatically on a regular basis. May you please share
> the scripts (or, failing that, methodology) that you used?
> 
I have a local debmirror for i386 and amd64. It could be automated if you had
access to a full mirror. I use the 'for-archive' tool from here:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-security-tools/trunk/files/head:/repo-tools
(see ../README, ./for-archive and ./for-archive-tools).

I used this:
$ . $HOME/.ubuntu-security-tools.conf
$ export GREP="egrep"
$ for comp in main universe multiverse; do \
    $HOME/bin/for-archive \
      $archive_mirror/dists/utopic/$comp/binary-i386/Packages.gz \
      $archive_mirror \
      $HOME/bin/for-archive-tools/unpack-list '/etc/apparmor.d/'; \
  done | tee forarchive-aa.log

Alternatively, you can use Debian's codesearch, but it is pretty unwieldy:
  http://codesearch.debian.net/search?q=%2Fetc%2Fapparmor.d

Ubuntu's gives incomplete results:
  http://ubuntu-codesearch.surgut.co.uk/search?q=/etc/apparmor.d

To have results similar to codesearch, you can do something like:
$ for comp in main universe multiverse; do \
    ~/bin/for-archive \
      $archive_mirror/dists/utopic/$comp/binary-i386/Packages.gz \
      $archive_mirror \
      ~/bin/for-archive-tools/unpack-search '/etc/apparmor.d/'; \
  done | tee ~/forarchive-aa-full.log

Interestingly, when I looked at the Ubuntu codesearch, I saw mosquitto and it
looked like the for-archive tool missed it. However, when I grabbed the debs and
unpacked them I found none of them actually shipped the mosquitto profile that
the maintainer scripts were trying to manipulate. Funny :)

-- 
Jamie Strandboge                 http://www.ubuntu.com/
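
The mosquitto case in the message above (maintainer scripts manipulating a profile that no package ships) can be checked per .deb. The following Python script is an added example, not part of the original message and not the for-archive tool. The names `ar_members`, `audit_deb` and `RUNTIME_DIRS`, the path regex, and the choice to ignore the local/, disable/ and force-complain/ subdirectories are assumptions of this example.

```python
import io, re, sys, tarfile

MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Assumption of this example: these subdirectories hold install-time state, not shipped profiles.
RUNTIME_DIRS = ("local/", "disable/", "force-complain/")
REF_RE = re.compile(r"/etc/apparmor\.d/([A-Za-z0-9_+-][A-Za-z0-9_.+/-]*)")

def ar_members(blob):
    """Yield (name, data) for each member of the ar container that a .deb is."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]            # fixed 60-byte member header
        size = int(hdr[48:58])              # decimal size field, space padded
        yield hdr[:16].decode().rstrip(" /"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)       # members are 2-byte aligned

def audit_deb(blob):
    """Return (profiles shipped, profiles named in maintainer scripts but not shipped)."""
    shipped, referenced = set(), set()
    for member, data in ar_members(blob):
        if not member.startswith(("control.tar", "data.tar")):
            continue
        # tarfile opens gz/xz/bz2 members; zstd ones need a Python whose tarfile supports zstd
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for entry in tar:
                name = entry.name.removeprefix("./")
                if not entry.isfile():
                    continue
                if member.startswith("data.tar"):
                    if name.startswith("etc/apparmor.d/"):
                        shipped.add("/" + name)
                elif name in MAINT_SCRIPTS:
                    text = tar.extractfile(entry).read().decode("utf-8", "replace")
                    referenced.update("/etc/apparmor.d/" + ref for ref in REF_RE.findall(text)
                                      if not ref.startswith(RUNTIME_DIRS))
    return shipped, referenced - shipped

if __name__ == "__main__":
    for path in sys.argv[1:]:               # .deb files, e.g. from a local mirror
        with open(path, "rb") as fh:
            shipped, missing = audit_deb(fh.read())
        print(path, "ships:", sorted(shipped), "references but does not ship:", sorted(missing))
```

A non-empty second set only says that this one .deb does not carry the profile its scripts name; the profile may come from another binary package of the same source, so the result is a lead to confirm by hand.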
