[apparmor] [PATCH] aa-keywords: Expose parser keywords
Christian Boltz
apparmor at cboltz.de
Thu Mar 2 21:28:19 UTC 2017
Hello,
On Wednesday, 1 March 2017, 02:01:52 CET, Goldwyn Rodrigues wrote:
> On 02/27/2017 10:42 PM, Seth Arnold wrote:
> > On Mon, Feb 27, 2017 at 08:39:40PM -0600, Goldwyn Rodrigues wrote:
> >> From: Goldwyn Rodrigues <rgoldwyn at suse.com>
> >>
> >> A simple utility to return the keywords used in apparmor.d profile
> >> files.
> >>
> >> This would enable utilities such as yast to create apparmor
> >> profiles without the need to cross-check and verify
> >> the syntax.
> >>
> >> While there is nothing fancy about the tool, if you think this
> >> needs
> >> more command-line arguments, I will be happy to put them in.
> >
> > What's the intention of the tool?
>
> The prime intention of both these patches is to get rid of deprecated
> perl in the Yast code which it still works on. This is blocking the
> path to upgrade apparmor in most of (open)suse distros. The yast repo
> is at https://github.com/goldwynr/yast-apparmor. It is still a work
> in progress so I have not posted them to the mailing lists as yet.
For completeness - this part looks like the base for a replacement of
the "AppArmor profile editor" in YaST.
As Seth already pointed out, it will be quite hard to build such an
editor with full support for all keywords and permissions. It will be
even harder to feed it via JSON IMHO.
One option might be to write a standalone python program that directly
uses the apparmor.aa and apparmor.rule.* code. Maybe something like PyQt
would be a good choice - I'd guess text mode users of YaST will use vi
to edit profiles anyway ;-) (This is just a crazy idea, not something
I'll add to my TODO list ;-)
> > A full understanding of AppArmor profiles is well beyond what this
> > patch enables; the Python-based tools offer a good subset of what's
> > legal, but still don't understand a great many legal (and useful)
> > profiles.
The tools should at least accept them and write not-yet-parsed rules
(for example mount rules) exactly as they came in. If you have a legal
_real-world_ profile that causes a parse error in the tools, please tell
me ;-)
(test profiles already listed as exception in test-parser-simple-tests.py
don't count - yes, we have some really scary example profiles ;-)
> Well yes, I think it will be better to just provide a dumb text window
> and blame it on the user for mistakes ;)
You can (and should) call apparmor_parser -pq to validate the profile
syntax.
> > But if there's reason enough to keep the tool, the changes look
> > good, and probably having the descriptions around as online-help in
> > the tool would be a vast usability improvement. I'd like to keep
> > that part. :)
> The extra text is limited to the files section, so I am not sure if it
> is a good idea to keep it.
Depends if someone wants to work on a profile editor. If yes, it might
make sense (and it might even make sense to add similar descriptions in
all rule classes).
Otherwise it's superfluous - I doubt aa-logprof will ever display it ;-)
> > There's more than a few missing keywords though: link, audit, dbus
> > and its many keywords. (I one day tried to collate all the keywords
> > we support for AFL fuzzing. It took a lot longer than I expected and
> > I accidentally destroyed the list when I reclaimed the VM. Finding
> > them all takes a while.)
>
> I didn't cover capability because it did not have a list either.
New kernels sometimes add new capabilities (which also means
apparmor_parser needs to be compiled with the latest kernel to
understand all of them).
The same is true for network rule keywords - from time to time, a new
one gets added to the kernel.
We have autogeneration of those keyword lists for the tools somewhere on
the TODO list, but it hasn't happened yet. (Needless to say that adding
help texts to autogenerated lists isn't that easy ;-)
> Anyways, it seems to be too many to list.
apparmor.vim has them all (autogenerated) ;-)
Regards,
Christian Boltz
--
well that's my 2c worth. Well about 1.7 cents with the current
exchange rate. [Helen South in opensuse-project]
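Added illustration (not code from the aa-keywords patch, the YaST work, or the AppArmor project) of two points made in the thread: the capability keyword list depends on the kernel headers the parser was built against, and the only authoritative syntax check is `apparmor_parser -pq`. The capability.h excerpt and the profile below are constructed for the example, `capability_keywords`, `unknown_capabilities` and `parser_check` are names chosen here, and `parser_check` assumes `apparmor_parser` is on PATH.

```python
"""Derive AppArmor capability keywords from a kernel capability.h excerpt,
check a profile's capability rules against that list, and hand the final
word to apparmor_parser -pq (assumed to be on PATH)."""
import re
import shutil
import subprocess

# Constructed excerpt in the style of linux/capability.h; not a real copy,
# and deliberately incomplete so that a valid keyword can be "unknown".
CAPABILITY_H_EXCERPT = """
#define CAP_CHOWN            0
#define CAP_DAC_OVERRIDE     1
#define CAP_NET_ADMIN        12
#define CAP_SYS_ADMIN        21
#define CAP_AUDIT_READ       37
#define CAP_LAST_CAP         CAP_AUDIT_READ
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
"""

# Constructed profile; 'setuid' is a real capability but is absent from the
# excerpt above, so a list generated from that header will not know it.
PROFILE_TEXT = """
/usr/bin/example {
  capability net_admin,
  audit deny capability sys_admin chown,
  capability setuid,
}
"""

# Only numeric defines are capabilities; CAP_LAST_CAP is an alias and is skipped.
CAP_DEFINE = re.compile(r'^\s*#define\s+CAP_([A-Z0-9_]+)\s+(\d+)\s*$', re.M)

# `capability,` (bare), `capability a b,`, optionally prefixed with audit/deny.
CAP_RULE = re.compile(r'^\s*(?:audit\s+)?(?:deny\s+)?capability((?:\s+[a-z0-9_]+)*)\s*,\s*$')


def capability_keywords(header_text):
    """Return the AppArmor keyword (lowercase, CAP_ prefix dropped) for every
    numeric CAP_* define in the given header text, sorted."""
    return sorted(name.lower() for name, _num in CAP_DEFINE.findall(header_text))


def unknown_capabilities(profile_text, keywords):
    """Return capability names used in `capability ...,` rules that are not in
    keywords, in order of appearance. A bare `capability,` rule names nothing."""
    known = set(keywords)
    unknown = []
    for line in profile_text.splitlines():
        match = CAP_RULE.match(line)
        if not match:
            continue
        for cap in match.group(1).split():
            if cap not in known:
                unknown.append(cap)
    return unknown


def parser_check(profile_path):
    """Run `apparmor_parser -pq` on profile_path, the syntax check recommended
    in the thread. Returns (ok, stderr), or None if the parser is not installed."""
    if shutil.which("apparmor_parser") is None:
        return None
    proc = subprocess.run(["apparmor_parser", "-pq", profile_path],
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr


if __name__ == "__main__":
    keywords = capability_keywords(CAPABILITY_H_EXCERPT)
    print("keywords from header:", keywords)
    print("not in generated list:", unknown_capabilities(PROFILE_TEXT, keywords))
```

The point of the mismatch on `setuid` is the one Christian makes: a keyword list is only as complete as the header it was generated from, so a pre-check like this can flag candidates for review, while acceptance of the profile still belongs to `apparmor_parser -pq` run against the parser built for the target kernel.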