[apparmor] [PATCH 0/2] Add JSON ability for changes
Christian Boltz
apparmor at cboltz.de
Wed Oct 25 20:10:57 UTC 2017
Hello,
On Monday, 23 October 2017, 12:38:32 CEST, Goldwyn Rodrigues wrote:
> This series adds JSON for communicating the temporary diff file
> between the old and new profiles.
>
> I had to move code from aa.py to ui.py so that we don't have
> circular dependency in imports. Performed some cleanup there.
>
> In order to write a profile, I had to use the following
> patch for mount, pivot_root and unix on my 4.14.0-rc5 kernel.
>
> diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
> index 86ec1859..47fd3aa1 100644
> --- a/utils/apparmor/aa.py
> +++ b/utils/apparmor/aa.py
> @@ -2997,11 +2997,11 @@ def
> serialize_profile_from_old_profile(profile_data, name, options):
> 'capability': False,
> 'network': False,
> 'dbus': False,
> - 'mount': True, # not handled otherwise yet
> + 'mount': False,
> 'signal': True, # not handled otherwise yet
> 'ptrace': True, # not handled otherwise yet
> - 'pivot_root': True, # not handled otherwise yet
> - 'unix': True, # not handled otherwise yet
> + 'pivot_root': False,
> + 'unix': False,
> 'link': False,
> 'file': False,
> 'change_profile': False,
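Review bot: the reason for flipping 'mount', 'pivot_root' and 'unix' to False in this hunk should be stated in the commit message, because the "# not handled otherwise yet" comments are dropped without saying what now handles those rule types; 'signal' and 'ptrace' keep True with the same comment, so either explain why they differ or apply the same change to them. The cover letter ties the need to a 4.14.0-rc5 kernel, but this is a per-rule-type flag table inside serialize_profile_from_old_profile, so the justification belongs with the profile-serialization behaviour rather than with a kernel version.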
That's related to the more strict ProfileStorage in bzr trunk. Older
versions use hasher() which is more forgiving, but also very "useful" to
hide quite some hard-to-track bugs [1].
The kernel version is completely unrelated ;-)
serialize_profile_from_old_profile is known to need "some changes"[tm].
Rewriting it is somewhere on my TODO list, but unfortunately there are
some other things that are blocking it.
"View changes between clean profiles" works much better - and it looks
like I always use that because I didn't notice the crash :-/
That said - your changes fix the crash, therefore
Acked-by: Christian Boltz <apparmor at cboltz.de>
and committed to bzr trunk.
Regards,
Christian Boltz
[1] hasher() gives you a recursive array that auto-creates subkeys even
when "just" doing a read access.
Let's assume you have a hasher() for your garden, and currently you
only have grass in your garden.
Now someone walks into your garden hasher() and looks for a leaf:
garden['tree']['branch'].get('leaf')
The hasher() will tell him that there's no leaf ("None"), but
suddenly there's a tree with a branch in your garden hasher() :-/
--
> got a patch?
-ENOTMYJOB
[> Markus Rueckert and Bernhard Walle in opensuse-packaging]
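The garden footnote above, worked through as an added example (this is not code from the AppArmor utils, and the Hasher class below is a constructed stand-in for the project's hasher(), not a copy of it): a minimal auto-vivifying dict shows the read access that quietly creates 'tree' and 'branch', a plain dict shows the strict behaviour that raises instead, and a hypothetical lookup() helper shows how to read a nested path without the side effect.

```python
class Hasher(dict):
    """Simplified model of an auto-vivifying dict (constructed for this
    example; not AppArmor's own hasher()).  Any missing key is silently
    created as a nested Hasher, even when the access is only a read."""

    def __missing__(self, key):
        self[key] = Hasher()
        return self[key]


def walk_forgiving():
    """Read a non-existent leaf through a Hasher and report the side effect."""
    garden = Hasher()
    garden['grass'] = True
    leaf = garden['tree']['branch'].get('leaf')   # read access only
    # 'tree' and 'branch' now exist although nothing was ever assigned to them
    return leaf, sorted(garden), sorted(garden['tree'])


def walk_strict():
    """The same read against a plain dict: a missing key raises KeyError
    and the dict is left unchanged."""
    garden = {'grass': True}
    try:
        garden['tree']['branch'].get('leaf')
    except KeyError as err:
        return repr(err), sorted(garden)
    return None, sorted(garden)


def lookup(tree, *path):
    """Side-effect-free nested lookup (hypothetical helper): returns None on
    the first missing key without creating it.  'key in node' uses
    dict.__contains__, which never triggers __missing__, so this is safe
    to call on a Hasher as well as on a plain dict."""
    node = tree
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def walk_lookup():
    """Read the same leaf through lookup(): no leaf, and no new tree either."""
    garden = Hasher()
    garden['grass'] = True
    leaf = lookup(garden, 'tree', 'branch', 'leaf')
    return leaf, sorted(garden)


if __name__ == '__main__':
    print(walk_forgiving())   # (None, ['grass', 'tree'], ['branch'])
    print(walk_strict())      # ("KeyError('tree')", ['grass'])
    print(walk_lookup())      # (None, ['grass'])
```

The practical lesson for code that stores parsed profiles in such a structure is that every "does this rule type exist?" probe must go through a membership test or a helper like lookup(), otherwise a diagnostic read can change what later gets serialized.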