[pkg-apparmor] Bug#882047: Bug#882047: Bug#882047: apparmor-utils: aa-complain thunderbird fails
Christian Boltz
debian-bugs at cboltz.de
Wed Oct 24 19:00:07 BST 2018
Hello,
On Sunday, 21 October 2018, 16:49:29 CEST, Christian Boltz wrote:
> As usual if I do some tests, I found more issues:
> - the attachment won't be checked if a profile has a name (so using a
> variable currently doesn't matter ;-)
> - aa-complain first does a "which thunderbird" and then checks with
> the full path, so the profile name also won't match - "thunderbird"
> != "/usr/bin/thunderbird"
> - profile names with alternations (without attachment specification)
> will also not match because aa.py get_profile_filename() doesn't use
> AARE
I worked on this over the last few days, and as expected, it really resulted
in "bigger changes". On the positive side, the new code now
distinguishes between profile name and attachment (which avoids
accidental matches and documents what each section of the code is
using) and between active (/etc/apparmor.d/) and inactive/extra
(/usr/share/share/apparmor/extra-profiles) profiles, which fixes another
source of problems. Oh, and the ProfileList class is covered by unit
tests :-)
All changes survived my testing, but getting more testers always helps.
If you want to test and/or review my changes, you can get them from
https://gitlab.com/apparmor/apparmor/merge_requests/249
Note that variables in the profile name still don't get expanded/matched.
> Maybe (additionally) matching the aa-complain parameter against the
> profile name would be an easy option/workaround, but I'm undecided if
> this is a good idea because it could also cause false positives -
> opinions?
>
> Or to ask the other way round - assuming you have
> profile foo /bin/bar { ... }
> should aa-complain foo find that profile?
For now, I decided not to support that, so aa-complain will continue to
interpret all parameters as attachment.
Regards,
Christian Boltz
--
> What do you have to do to be able to write to NTFS? In the fstab
> I have already set it to rw. What else do you have to do?
1. Pray.
2. Get MS to disclose the specifications.
3. Keep praying.
[> Stefan and Bernd Obermayr in suse-linux]
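
The name-versus-attachment distinction discussed in this message, as an added Python illustration (not part of the message and not AppArmor's aa.py or ProfileList code): it parses constructed profile headers and looks profiles up by attachment only. The AARE-to-regex conversion covers a simplified subset, and all function names are hypothetical.

```python
import re

def aare_to_regex(aare):
    # Simplified AARE subset (assumption): **, *, ? and {a,b} alternation only.
    out, i, depth = "", 0, 0
    while i < len(aare):
        c = aare[i]
        if aare.startswith("**", i):
            out, i = out + ".*", i + 1      # ** may cross "/"
        elif c == "*":
            out += "[^/]*"                  # * stays inside one path component
        elif c == "?":
            out += "[^/]"
        elif c == "{":
            out, depth = out + "(?:", depth + 1
        elif c == "}" and depth:
            out, depth = out + ")", depth - 1
        elif c == "," and depth:
            out += "|"
        else:
            out += re.escape(c)
        i += 1
    return re.compile(out + r"\Z")

# "profile NAME [ATTACHMENT] [flags=(...)] {"  or the short form  "/path {"
HEADER = re.compile(r"^\s*(?:profile\s+(?P<name>\S+)(?:\s+(?P<att>/\S*))?|(?P<path>/\S*))"
                    r"\s*(?:flags=\([^)]*\)\s*)?\{")

def parse_header(line):
    """Return (profile_name, attachment); attachment is None if there is none."""
    m = HEADER.match(line)
    if not m:
        return None
    if m["path"]:
        return m["path"], m["path"]          # short form: the path is both
    name, att = m["name"], m["att"]
    if att is None and name.startswith("/"):
        att = name                           # path-like name doubles as attachment
    return name, att

def find_by_attachment(profiles, program_path):
    """Names of profiles whose attachment matches the resolved program path."""
    return [n for n, att in profiles if att and aare_to_regex(att).match(program_path)]

# Constructed sample headers, not copied from any shipped profile.
SAMPLE = [
    "profile foo /bin/bar {",
    "profile thunderbird /usr/lib/thunderbird{,-esr}/thunderbird flags=(complain) {",
    "/usr/bin/example {",
    "profile helper {",
]
PROFILES = [parse_header(line) for line in SAMPLE]
```

With lookup by attachment only, `find_by_attachment(PROFILES, "foo")` returns nothing while `"/bin/bar"` returns `foo`, which is the behaviour the message settles on for `aa-complain foo`.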