Hello,

On Tuesday, 24 November 2015, John Johansen wrote:
> On 11/22/2015 07:20 AM, Christian Boltz wrote:
> > To allow a smooth transition, I propose to add a little aa-enabled
> > tool to 2.9 and 2.10 which just does
> > 
> >     #!/bin/sh
> >     exec aa-status --enabled
> 
> hrmmm, this certainly doesn't solve the problem, and hardly seems

Depends how you define the problem ;-)

IMHO it is "calling aa-status --enabled" (especially when done from 
dh_apparmor and similar packaging helpers), and that can be solved by 
such a wrapper. (Getting dh_apparmor changed might be harder than 
getting a new AppArmor version in.) 
However...

> worth doing as a backport. If we were to pull anything back to 2.9 or
> 2.10 I think I would rather the bash script or ideally a simple C
> program so there are no interpreter dependencies to worry about.

... I won't object if we backport the "real" aa-enabled ;-)

> > This means Debian and Ubuntu can switch dh_apparmor etc. to use
> > aa-enabled instead of aa-status --enabled _now_ (assuming it fits
> > for them) instead of having to wait for a major AppArmor release.
> > This allows a longer migration period.
> 
> sure they could switch now, but such a change isn't going to show up
> in the current releases. It will only be dropped into new ones

Of course it will only be changed for new releases, but I'd guess 
getting a minor release in is easier shortly before a distribution  
release.

> > For trunk, I propose aa-enabled should actually do the work itself -
> > see the "Re: [apparmor] [patch] utils: make aa-status(8) function
> > without python3-apparmor" mail for a proposal.
> 
> I agree it should do it itself, and I counter with the following C
> program
> 
> ---
> 
> #include <errno.h>
> #include <stdio.h>
> #include <sys/apparmor.h>
> 
> int main(int argc, char **argv)
> {
>       if (aa_is_enabled()) {
>               printf("Y");
>               return 0;
>       }
>       printf("N");
>       return errno;
> }

Nice trick - you are using libapparmor to hide most of the code ;-)
(that's not really bad because it avoids code duplication, but makes the 
comparison a bit unfair ;-)

Oh, and the C code has a bug - like aa-status --enabled, aa-enabled 
should only set the exitcode, but not print anything.

Anyway, I can live with both solutions as long as we get aa-enabled 
added ;-)


Regards,

Christian Boltz
-- 
About the author Marcus Meissner:
Marcus Meissner has been developing open source developers for over 10 years.
[found at 
http://www.linuxtag.org/2007/de/conf/events/vp-mittwoch/vortragsdetails.html?talkid=40]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
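
The migration discussed in this thread, seen from the side of a packaging script, as an added example that is not code from the thread or from the AppArmor project. The helper names apparmor_enabled and reload_profile_if_enabled are hypothetical; the script relies only on the exit code and discards any output, so it behaves the same whether or not a given aa-enabled build prints "Y"/"N".

```shell
#!/bin/sh
# Added example, not AppArmor project code. Function names are hypothetical.

# Return 0 if AppArmor is enabled, non-zero otherwise. Prints nothing.
apparmor_enabled() {
    if command -v aa-enabled >/dev/null 2>&1; then
        # Preferred: the new single-purpose tool. Only the exit code is
        # used; stdout/stderr are discarded in case a build prints "Y"/"N".
        aa-enabled >/dev/null 2>&1
        return $?
    fi
    if command -v aa-status >/dev/null 2>&1; then
        # Fallback for releases that only ship aa-status.
        aa-status --enabled >/dev/null 2>&1
        return $?
    fi
    # Neither tool is installed: treat AppArmor as not enabled.
    return 1
}

# Reload one profile, but only when AppArmor is enabled. A disabled or
# absent AppArmor is not an error for the calling maintainer script.
reload_profile_if_enabled() {
    if apparmor_enabled; then
        apparmor_parser -r "$1"
    else
        return 0
    fi
}
```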
