[apparmor] [patch] [4/7] Copy code to ask for adding hats to aa.py ask_the_questions()

Christian Boltz apparmor at cboltz.de
Tue Jan 17 21:15:11 UTC 2017


Hello,

Am Dienstag, 17. Januar 2017, 12:58:03 CET schrieb Seth Arnold:
> On Sun, Jan 15, 2017 at 04:24:46PM +0100, Christian Boltz wrote:
> > Everything below "if aamode == 'merge':" is an exact copy of the
> > code in aa-mergeprof (with whitespace changed).
> > 
> > aa-logprof and aa-mergeprof will continue to ignore events from
> > unknown hats and subprofiles.
> > 
> > RFC: does this make sense, or should aa-logprof and aa-mergeprof

argh, s/aa-mergeprof/aa-genprof/ here

> > also ask to add hats/subprofiles it finds in audit.log?
> > Note that this question already contains an interesting problem -
> > from the log, we don't know if a hat or a subprofile was requested,
> > so we can either ask the user or default to one of them (which
> > one?).
> 
> You've always got the most interesting[tm] questions. :)
> 
> I'm surprised aa-mergeprof reads the logs at all. I'd expect it to
> merge whatever hats are both input profiles.

You are right. aa-mergeprof doesn't read the log and only takes another 
profile as input. I just noticed the bug in my question ;-)

> aa-logprof is where things get complicated; if the profile doesn't
> have any hats but the logs shows hats, there's either one of two
> things:
> 
> - The profile in aa-logprof is vastly out of sync with what's being
>   enforced at the time of the log entries
> 
> - The profile is in learning mode rather than enforce mode, and thus
> the changehats never fail.
> 
> In both cases, prompting the user seems like the right answer.

Should it ask to 
a) add a hat
b) a child profile
c) offer both options and let the user choose
?

> Did I overlook anything?

I'd add

- The profile is in complain mode, and audit.log was rotated after the 
  exec event (which can easily happen because null-* profiles tend to 
  flood the log).

Actually this is the most interesting one because aa-logprof will 
probably ask to add null-* child profiles.

> Acked-by: Seth Arnold <seth.arnold at canonical.com>

With or without the "Ignore log events for non-existing profile or child 
profile" section? ;-)

(I tend to commit this patch as is, and if we want logprof and genprof 
to ask about unknown hats and child profiles, do it as a separate patch.)


Regards,

Christian Boltz
-- 
Gericom + Pentium IV? Willst Du ein tragbares Heizkissen,
oder ein Notebook?        [Manfred Tremmel in suse-linux]
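The hat-versus-child-profile ambiguity discussed above comes from the log format itself: an AppArmor audit line reports both as profile="parent//name", so a log parser can find names missing from the profile but cannot tell which kind was requested. The following is an added illustration, not code from aa.py or any AppArmor tool, and the audit lines in it are constructed samples; the assumption that null-* placeholder children appear as "parent//null-..." in the log is mine and should be checked against the kernel and parser versions in use.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not captured from a real system).
# Both hats and child profiles are reported as parent//name, so the
# log alone cannot say which one was requested.
SAMPLE_LOG = """\
type=AVC msg=audit(1484675711.123:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2//www.example.org" name="/var/www/html/index.html" pid=1234 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1484675712.456:43): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/apache2" name="/usr/bin/php" pid=1235 comm="apache2" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
type=AVC msg=audit(1484675713.789:44): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2//null-/usr/bin/php" name="/etc/php/7.0/cli/php.ini" pid=1235 comm="php" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1484675714.000:45): apparmor="DENIED" operation="open" profile="/usr/bin/foo" name="/etc/shadow" pid=1300 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

PROFILE_RE = re.compile(r'\bprofile="([^"]+)"')


def split_profile(label):
    """Split 'parent//name' into (parent, name); name is None for a top-level profile."""
    parent, sep, name = label.partition('//')
    return (parent, name if sep else None)


def is_null_profile(name):
    """Assumed naming of learning-mode placeholders: children called 'null-...'.
    These must never be offered for addition to a profile."""
    return name is not None and name.startswith('null-')


def unknown_children(log_text, known):
    """Return {parent: set(names)} for hats/children seen in the log but absent
    from `known` ({parent: set(names)} as read from the profile files).
    null-* placeholders are skipped; whether a reported name is a hat or a
    child profile is left for the user to decide, as the log cannot say."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = PROFILE_RE.search(line)
        if not m:
            continue
        parent, name = split_profile(m.group(1))
        if name is None or is_null_profile(name):
            continue
        if name not in known.get(parent, set()):
            found[parent].add(name)
    return dict(found)


if __name__ == '__main__':
    # A profile set in which apache2 has no hats at all.
    profiles = {'/usr/sbin/apache2': set(), '/usr/bin/foo': set()}
    for parent, names in unknown_children(SAMPLE_LOG, profiles).items():
        for name in sorted(names):
            print('%s: unknown hat or child profile %r (ask the user which)' % (parent, name))
```

Running the block on the sample reports www.example.org under /usr/sbin/apache2 once and says nothing about the null-/usr/bin/php entry, which is the case raised above where a rotated log would otherwise tempt a tool into proposing null-* children.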