[apparmor] [patch] Add debug info to profile_storage()
Kshitij Gupta
kgupta8592 at gmail.com
Sun Aug  2 19:17:57 UTC 2015

Hello,
On Tue, Jul 21, 2015 at 12:52 AM, Christian Boltz <apparmor at cboltz.de>
wrote:
> Hello,
>
> for debugging, it's helpful to know which part of the code initialized a
> profile_storage and for which profile and hat this was done.
>
> This patch adds an 'info' array with that information, adds the
> corresponding parameters to profile_storage() and changes the callers to
> deliver some useful content.
>
> Should this be limited to debug mode only?
Also, I am not very happy with the idea to modify these functions this much
for debugging purposes. Most of the time the calls and additional data
would serve no purpose and would be an overhead, albeit minute.
>
> [ 81-profile_storage-debug-info.diff ]
>
> --- utils/apparmor/aa.py        2015-07-20 20:51:34.293945699 +0200
> +++ ./utils/apparmor/aa.py      2015-07-20 20:49:44.595427905 +0200
> @@ -402,7 +402,7 @@
>          return {local_profile: extras[local_profile]}
>      return dict()
>
> -def profile_storage():
> +def profile_storage(profilename, hat, details):
>      # keys used in aa[profile][hat]:
>      # a) rules (as dict): alias, include, lvar
>      # b) rules (as hasher): allow, deny
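Review bot: The new signature profile_storage(profilename, hat, details) makes all three arguments mandatory, so any caller not converted in this patch fails with a TypeError instead of merely losing debug info. Giving the parameters defaults (for example None) would keep other call sites working, and a short docstring should say that the arguments only feed profile['info'] and have no effect on the rules that are returned.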
> @@ -415,6 +415,9 @@
>
>      profile = hasher()
>
> +    # profile['info'] isn't used anywhere, but can be helpful in
> debugging.
> +    profile['info'] = {'profile': profilename, 'hat': hat, 'details':
> details}
> +
>      profile['capability']       = CapabilityRuleset()
>      profile['change_profile']   = ChangeProfileRuleset()
>      profile['network']          = NetworkRuleset()
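Review bot: profile['info'] is stored in the same hasher as the rule data, but the "keys used in aa[profile][hat]" comment at the top of the function is not updated to list it. Please add 'info' to that list and mark it as debug-only, so that code walking the keys of a profile knows this entry is not a rule and can skip it.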
> @@ -431,7 +434,7 @@
>
>  def create_new_profile(localfile, is_stub=False):
>      local_profile = hasher()
> -    local_profile[localfile] = profile_storage()
> +    local_profile[localfile] = profile_storage('NEW', localfile,
> 'create_new_profile()')
>      local_profile[localfile]['flags'] = 'complain'
>      local_profile[localfile]['include']['abstractions/base'] = 1
>
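Review bot: In create_new_profile() the call passes the literal 'NEW' as profilename and puts localfile in the hat position, so profile['info'] for a fresh profile reads as hat <localfile> of a profile called NEW. The storage is assigned to local_profile[localfile], so passing localfile for both profile and hat (as the do_include hunk does with file) and keeping 'create_new_profile()' in details carries the same information without a magic value that could be mistaken for a real profile name.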
> @@ -1465,7 +1468,7 @@
>                              if ynans == 'y':
>                                  hat = exec_target
>                                  if not aa[profile].get(hat, False):
> -                                    aa[profile][hat] = profile_storage()
> +                                    aa[profile][hat] =
> profile_storage(profile, hat, 'handle_children()')
>                                  aa[profile][hat]['profile'] = True
>
>                                  if profile != hat:
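Review bot: The details argument in this call is a hand-typed string naming the calling function ('handle_children()'), and the same pattern repeats at every call site, so a later rename leaves stale debug info behind. Consider letting profile_storage() record its caller itself when debugging is enabled; that would remove the third parameter from all callers and also answers the question of limiting this to debug mode.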
> @@ -1588,7 +1591,7 @@
>                  hats = [profile] + hats
>
>              for hat in hats:
> -                log_obj[profile][hat] = profile_storage()
> +                log_obj[profile][hat] = profile_storage(profile, hat,
> 'ask_the_questions()')
>
>                  for capability in
> sorted(log_dict[aamode][profile][hat]['capability'].keys()):
>                      capability_obj = CapabilityRule(capability,
> log_event=aamode)
> @@ -2564,7 +2593,7 @@
>      if do_include:
>          profile = file
>          hat = file
> -        profile_data[profile][hat] = profile_storage()
> +        profile_data[profile][hat] = profile_storage(profile, hat,
> 'parse_profile_data() do_include %s' % file)
>
>      for lineno, line in enumerate(data):
>          line = line.strip()
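Review bot: The header @@ -2564,7 +2593,7 places this hunk 29 lines further down in the new file, but the hunks above it add only three lines in total (the profile['info'] block), and the last hunk (-3036 / +3066) is off by 30. The diff appears to have been taken against a tree that carries other changes between lines 1591 and 2564 which are not part of this patch. Please regenerate it against a clean tree so it applies without offsets and what is reviewed matches what lands.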
> @@ -2582,7 +2611,7 @@
>                  raise AppArmorException('Profile %(profile)s defined
> twice in %(file)s, last found in line %(line)s' %
>                      { 'file': file, 'line': lineno + 1, 'profile':
> combine_name(profile, hat) })
>
> -            profile_data[profile][hat] = profile_storage()
> +            profile_data[profile][hat] = profile_storage(profile, hat,
> 'parse_profile_data() profile_start %s' % file)
>
>              if attachment:
>                  profile_data[profile][hat]['attachment'] = attachment
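Review bot: 'parse_profile_data() profile_start %s' % file is formatted for every profile start whether or not anyone ever reads profile['info'], which is the overhead raised in the reply above. Passing file as its own field of the info dict, or building the string only in debug mode, avoids the per-profile string formatting and makes the file name easier to pick out when inspecting the dict.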
> @@ -2987,7 +3016,7 @@
>              # if hat is already known, the filelist check some lines
> below will error out.
>              # nevertheless, just to be sure, don't overwrite existing
> profile_data.
>              if not profile_data[profile].get(hat, False):
> -                profile_data[profile][hat] = profile_storage()
> +                profile_data[profile][hat] = profile_storage(profile,
> hat, 'parse_profile_data() hat_def %s' % file)
>
>              flags = matches.group('flags')
>
> @@ -3036,7 +3066,7 @@
>                  if re.search(hatglob, parsed_prof):
>                      for hat in cfg['required_hats'][hatglob].split():
>                          if not profile_data[parsed_prof].get(hat, False):
> -                            profile_data[parsed_prof][hat] =
> profile_storage()
> +                            profile_data[parsed_prof][hat] =
> profile_storage(parsed_prof, hat, 'parse_profile_data() required_hats %s' %
> file)
>
>      # End of file reached but we're stuck in a profile
>      if profile and not do_include:
>
>
> Regards,
>
> Christian Boltz
> --
> Two computer science students meet on campus. One says:
> "Hey, where did you get that nice new bicycle?"
> The other answers: "Well, I was walking through the park yesterday when a
> gorgeous blonde on a bicycle stopped in front of me, took off all her clothes
> and said: Take whatever you want!"
> The first one says: "Good choice, the clothes surely wouldn't have fit."
> [Bernd Tannenbaum in suse-linux]
-- 
Regards,
Kshitij Gupta