Hello,

On Sunday, 21 October 2018, 16:49:29 CEST, Christian Boltz wrote:
> As usual if I do some tests, I found more issues:
> - the attachment won't be checked if a profile has a name (so using a
>   variable currently doesn't matter ;-)
> - aa-complain first does a "which thunderbird" and then checks with
>   the full path, so the profile name also won't match - "thunderbird"
>   != "/usr/bin/thunderbird"
> - profile names with alternations (without attachment specification)
>   will also not match because aa.py get_profile_filename() doesn't use
>   AARE

I worked on this in the last days, and as expected, it really resulted in "bigger changes".

On the positive side, the new code now distinguishes between profile name and attachment (which avoids accidental matches and documents what each section of the code is using) and between active (/etc/apparmor.d/) and inactive/extra (/usr/share/share/apparmor/extra-profiles) profiles which fixes another source of problems. Oh, and the ProfileList class is covered by unit tests :-)

All changes survived my testing, but getting more testers always helps. If you want to test and/or review my changes, you can get them from
https://gitlab.com/apparmor/apparmor/merge_requests/249

Note that variables in the profile name still don't get expanded/matched.

> Maybe (additionally) matching the aa-complain parameter against the
> profile name would be an easy option/workaround, but I'm undecided if
> this is a good idea because it could also cause false positives -
> opinions?
>
> Or to ask the other way round - assuming you have
>     profile foo /bin/bar { ... }
> should aa-complain foo find that profile?

For now, I decided not to support that, so aa-complain will continue to interpret all parameters as attachment.


Regards,

Christian Boltz
--
> What do you have to do to be able to write to NTFS? In the fstab
> I have already set rw. What else do you have to do?
1. Pray. 2. Get MS to disclose the specifications. 3. Keep praying.
[> Stefan and Bernd Obermayr in suse-linux]
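The name-versus-attachment lookup discussed in this message, as an added Python sketch that is not code from aa.py or the merge request. The functions `aare_to_regex`, `parse_header` and `find_by_attachment` and the sample headers are hypothetical, and only a simplified AARE subset (`**`, `*`, `?`, `{a,b}`) is handled.

```python
import re

def aare_to_regex(aare):
    """Translate a simplified AARE subset (**, *, ?, {a,b}) into a regex."""
    out, i, depth = [], 0, 0
    while i < len(aare):
        c = aare[i]
        if aare.startswith("**", i):
            out.append(".*")           # ** crosses directory separators
            i += 1                     # consume the second '*'
        elif c == "*":
            out.append("[^/]*")        # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")            # comma separates alternatives inside {}
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def parse_header(line):
    """Split a profile header into (name, attachment); flags and quoting are ignored."""
    words = line.strip().rstrip("{").split()
    if words and words[0] == "profile":
        words = words[1:]
    if len(words) == 2:                # profile NAME ATTACHMENT {
        return words[0], words[1]
    if len(words) == 1:                # a path doubles as name and attachment
        return words[0], words[0] if words[0].startswith("/") else None
    raise ValueError("unsupported header: " + line)

def find_by_attachment(headers, program):
    """Return names of profiles whose attachment matches the program path."""
    hits = []
    for name, attachment in map(parse_header, headers):
        if attachment and aare_to_regex(attachment).fullmatch(program):
            hits.append(name)
    return hits

# Constructed sample headers, not taken from any shipped profile.
SAMPLE = ["profile thunderbird /usr/{bin,lib}/thunderbird {", "profile foo /bin/bar {",
          "/usr/sbin/*d {", "profile unattached {"]
```

Treating every parameter as an attachment means `find_by_attachment(SAMPLE, "foo")` returns nothing while `find_by_attachment(SAMPLE, "/bin/bar")` returns `["foo"]`, which is the behaviour the message settles on.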