[pkg-apparmor] Bug#826218: Bug#826218: Bug#826218: Complain still interferes

Guido Günther agx at sigxcpu.org
Mon Jun 6 06:22:16 UTC 2016


Hi Christian,

Thanks a lot for your comments!

On Mon, Jun 06, 2016 at 01:14:08AM +0200, Christian Boltz wrote:
[..snip..]
> You can enable the logging by adding the audit keyword, but the general 
> rule is not to log anything that is already handled (allowed or denied) 
> in the profile.
> 
> >     * a way to audit calls to subprocesses indicating whether the
> >       environment was scrubbed or not
> 
> You'll get this information by reading the profile ;-)   It already had 
> "/usr/sbin/* PUx" [1] which also allowed /usr/sbin/virtlogd - but with 
> environment scrubbing.

The rule tells me what the profile is supposed to do, not what it is
doing. Ideally I'd like to debug this without modifying any rules.

It's like the difference between reading code and debugging code. With a
debugger I can see what the program is doing while the code tells me
what it is supposed to do.

> I'm CC'ing another upstream developer, but I wouldn't be surprised if he 
> tells you the same ;-)
> 
> @John: Do you have a different opinion on Guido's points?
> 
> >     * other stuff I might not even know about yet like DBus denials …
> 
> Actually I can't tell you too much about DBus because only the Ubuntu 
> kernel has DBus support for AppArmor (it's not upstreamed yet), and I'm 
> using openSUSE ;-)
> 
> 
> Regards,
> 
> Christian Boltz
> 
> [1] I'm not sure if this rule (and the other broad PUx rules) are a good 
>     idea [2], but a) I don't know libvirtd good enough to judge on it
>     and b) that's a totally different topic ;-)
> 
> [2] These PUx rules allow to execute _all_ programs, and most of them
>     unconfined (except if a profile for this program exists). 
>     I slightly ;-) doubt libvirtd needs to execute all of them...

I totally agree here!
 -- Guido
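Christian's point above (an allowed exec is only logged with the audit keyword, and "/usr/sbin/* PUx" means unconfined-unless-profiled with environment scrubbing) can be read off a profile statically. The following is an added example, not code from this thread or from the AppArmor project: a small script that picks the x-rules out of a constructed profile fragment and reports, for a given executable path, the transition, whether the environment is scrubbed and whether the exec gets logged. The rule set, the globbing subset and the "first matching allow rule wins" simplification are assumptions of the example.

```python
import re
from collections import namedtuple

# Constructed exec rules in the style of the libvirtd profile discussed in the thread
# (not the real usr.sbin.libvirtd file); only x-rules of this simple form are handled.
PROFILE_RULES = """
  /usr/sbin/* PUx,
  audit /usr/bin/qemu-system-* Px,
  /usr/lib/libvirt/** pux,
  deny /usr/local/bin/** x,
"""

RULE_RE = re.compile(r"^\s*(audit\s+)?(deny\s+)?(\S+)\s+([A-Za-z]*x)\s*,\s*$")
ExecRule = namedtuple("ExecRule", "glob mode audit deny")
TRANSITIONS = {
    "i": "inherit the current profile",
    "p": "own profile (exec fails if none exists)",
    "pu": "own profile if one exists, otherwise unconfined",
    "u": "unconfined",
}

def parse_exec_rules(text):
    """Extract the x-permission rules from a profile fragment; all other rules are ignored."""
    return [ExecRule(m[3], m[4], bool(m[1]), bool(m[2]))
            for m in map(RULE_RE.match, text.splitlines()) if m]

def glob_to_regex(glob):
    """AppArmor globbing subset: '*' stays inside one path component, '**' may cross '/'."""
    pat = re.escape(glob).replace(r"\*\*", ".*").replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    return re.compile("^" + pat + "$")

def describe_exec(rules, path):
    """Static answer to: what happens when the confined process execs `path`?
    Simplification: an explicit deny wins, otherwise the first matching allow rule is used."""
    matches = [r for r in rules if glob_to_regex(r.glob).match(path)]
    if not matches:
        return None  # no x rule at all: the exec is refused and logged as an ordinary denial
    rule = next((r for r in matches if r.deny), matches[0])
    kind = rule.mode[:-1].lower()  # drop the trailing 'x'
    return {
        "rule": rule.glob,
        "mode": rule.mode,
        "allowed": not rule.deny,
        # Upper-case P/C/U ask for a secure exec: the environment is scrubbed (LD_PRELOAD etc. dropped)
        "env_scrubbed": not rule.deny and any(ch.isupper() for ch in rule.mode),
        "transition": None if rule.deny else TRANSITIONS.get(kind, kind),
        # An access the profile already handles (allowed or explicitly denied) is only logged with audit
        "logged": rule.audit,
    }
```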
