[apparmor] [patch] aa-mergeprof: honor -d parameter

Christian Boltz apparmor at cboltz.de
Tue Jul 29 22:31:49 UTC 2014


Hello,

On Wednesday, 30 July 2014, Kshitij Gupta wrote:
> As I remember it is by design to have the first parameter be "your"
> current profile which will be in the directory specified by -d 

Well, the current syntax allows the profile to be anywhere, independent 
of -d ;-)

> (which was not working as expected though) and have it merge with a 
> new base and other profile.
> 
> Thus the assumption here is you want your merged profile to be in your
> current directory of profiles (as specified by -d).
> 
> Do you want to be able to merge just any two profiles from anywhere?
> The current method uses all the profiles and abstractions from -d
> directory to process profiles. Without it the merges can vary from
> system to system in case users have varying abstractions or
> something.

Good question ;-)

Currently aa-mergeprof merges into the profile given as first parameter, 
wherever that file is.

Maybe it would be a good idea to change the behaviour a bit:
- always merge to --dir (/etc/apparmor.d/ by default)
- this also means specifying the merge target (first parameter) is 
  superfluous and can/should be removed. 
  As a side effect, the usage would be more intuitive because you don't 
  need to remember which parameter is the merge target. Just specify
  what you want to pull in, similar to "aa-logprof -f ..."
- and finally, it would be nice to allow an unlimited number of 
  parameters/profiles to merge ;-)  (just run a loop over them ;-)

So basically instead of
    aa-mergeprof /etc/apparmor.d/bin.foo ~/newprofiles/bin.foo
you could just call 
    aa-mergeprof ~/newprofiles/bin.foo

You could even do
    aa-mergeprof ~/newprofiles/*
to merge all updated profiles into their /etc/apparmor.d/ counterpart.


The only disadvantage is that this won't be a real 3-way merge.
The most important features of 3-way-merge are:
- delete rules that were removed in the "upstream"/base profile 
- handle conflicts for *x rules
I slightly doubt this is something we need. (If someone disagrees or if 
I forgot an important use case, please speak up ;-)


Nevertheless, aa-mergeprof will need a working -d/--dir parameter, so 
please also review my patch ;-)


Regards,

Christian Boltz
-- 
This is a beginners' list.
I also want to explain to you why:
IMHO, there is no such thing as the 'Linux pro'.
[Bernd Obermayr in suse-linux]
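The two 3-way-merge features the mail names (dropping rules that the upstream/base profile removed, and surfacing conflicts between differing *x rules), contrasted with the plain "pull everything in" merge the proposal would give, as an added illustration that is neither aa-mergeprof's code nor part of the original mail. The three profiles and the rule handling are constructed and simplified: only `path perms,` file rules are parsed, `#include` and other lines are ignored, and exec modes are recognised just by the presence of `x` in the permission string.

```python
"""Constructed illustration (not apparmor's code): 2-way vs 3-way merge of
simplified AppArmor file rules, keyed by path, with permissions as strings."""

import re

# Matches simple file rules such as "/bin/foo Px," -> (path, perms).
# Everything else (#include, comments, blank lines) is ignored on purpose.
_RULE_RE = re.compile(r"^\s*(\S+)\s+([a-zA-Z]+),\s*$")

# Constructed sample profiles.
BASE = """#include <abstractions/base>
/bin/foo Px,
/etc/foo.conf r,
/var/log/foo.log w,
"""
# Local copy in --dir: base plus one locally added rule.
TARGET = """#include <abstractions/base>
/bin/foo Px,
/etc/foo.conf r,
/var/log/foo.log w,
/home/*/.foorc r,
"""
# New upstream: exec mode changed, perms widened, one rule removed, one added.
INCOMING = """#include <abstractions/base>
/bin/foo ix,
/etc/foo.conf rw,
/usr/share/foo/** r,
"""


def parse_rules(text):
    """Return {path: perms} for the simple file rules in a profile text."""
    rules = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def merge_perms(a, b):
    """Union of two non-exec permission strings (order is not significant here)."""
    return "".join(sorted(set(a) | set(b)))


def two_way_merge(target, incoming):
    """Model of 'merge incoming into target' without a base: nothing is ever
    deleted, and a differing rule for the same path is silently overwritten."""
    merged = dict(target)
    merged.update(incoming)
    return merged


def three_way_merge(base, target, incoming):
    """Merge with knowledge of the common base profile.
    Returns (merged_rules, conflicts) where conflicts is a list of
    (path, target_perms, incoming_perms) for differing exec rules."""
    merged, conflicts = {}, []
    for path in sorted(set(base) | set(target) | set(incoming)):
        b, t, i = base.get(path), target.get(path), incoming.get(path)
        if t is None and i is None:
            continue                      # only in base: gone on both sides
        if i is None and t == b:
            continue                      # removed upstream, untouched locally: drop
        if t is None and i == b:
            continue                      # removed locally, untouched upstream: stay removed
        if t is None or i is None:
            merged[path] = t if i is None else i   # only one side has it: keep it
        elif t == i:
            merged[path] = t
        elif "x" in t or "x" in i:
            conflicts.append((path, t, i))         # differing exec modes need a human
            merged[path] = t                       # keep the local rule until resolved
        else:
            merged[path] = merge_perms(t, i)       # plain perms can simply be combined
    return merged, conflicts


if __name__ == "__main__":
    base, target, incoming = map(parse_rules, (BASE, TARGET, INCOMING))
    print("2-way:", two_way_merge(target, incoming))
    merged, conflicts = three_way_merge(base, target, incoming)
    print("3-way:", merged)
    print("conflicts:", conflicts)
```

With the constructed profiles, the 2-way result keeps the `/var/log/foo.log w,` rule that upstream dropped and silently turns `Px` into `ix`, while the 3-way result drops the stale rule and reports `/bin/foo` as a conflict to be decided by the user, which is exactly the difference the mail weighs.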
