Hello, $subject.
Everything below "if aamode == 'merge':" is an exact copy of the code in aa-mergeprof (with whitespace changed). aa-logprof and aa-mergeprof will continue to ignore events from unknown hats and subprofiles. RFC: does this make sense, or should aa-logprof and aa-mergeprof also ask to add hats/subprofiles it finds in audit.log? Note that this question already contains an interesting problem - from the log, we don't know if a hat or a subprofile was requested, so we can either ask the user or default to one of them (which one?). [ 04-aa.py-ask-for-adding-hats-in-merge-mode.diff ]
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2017-01-15 14:56:54.892510474 +0100
+++ utils/apparmor/aa.py 2017-01-15 14:59:02.779898965 +0100
@@ -1514,11 +1514,43 @@
 for hat in hats:
 if not aa[profile].get(hat).get('file'):
- # Ignore log events for a non-existing profile or child profile. Such events can occour
- # after deleting a profile or hat manually, or when processing a foreign log.
- # (Checking for 'file' is a simplified way to check if it's a profile_storage() struct.)
- debug_logger.debug("Ignoring events for non-existing profile %s" % combine_name(profile, hat))
- continue
+ if aamode != 'merge':
+ # Ignore log events for a non-existing profile or child profile. Such events can occour
+ # after deleting a profile or hat manually, or when processing a foreign log.
+ # (Checking for 'file' is a simplified way to check if it's a profile_storage() struct.)
+ debug_logger.debug("Ignoring events for non-existing profile %s" % combine_name(profile, hat))
+ continue
+
+ ans = ''
+ while ans not in ['CMD_ADDHAT', 'CMD_ADDSUBPROFILE', 'CMD_DENY']:
+ q = aaui.PromptQuestion()
+ q.headers += [_('Profile'), profile]
+
+ if log_dict[aamode][profile][hat]['profile']:
+ q.headers += [_('Requested Subprofile'), hat]
+ q.functions.append('CMD_ADDSUBPROFILE')
+ else:
+ q.headers += [_('Requested Hat'), hat]
+ q.functions.append('CMD_ADDHAT')
+
+ q.functions += ['CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED']
+
+ q.default = 'CMD_DENY'
+
+ ans = q.promptUser()[0]
+
+ if ans == 'CMD_FINISHED':
+ return
+
+ if ans == 'CMD_DENY':
+ continue # don't ask about individual rules if the user doesn't want the additional subprofile/hat
+
+ if log_dict[aamode][profile][hat]['profile']:
+ aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing subprofile')
+ aa[profile][hat]['profile'] = True
+ else:
+ aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing hat')
+ aa[profile][hat]['profile'] = False
 #Add the includes from the other profile to the user profile
 done = False
Regards, Christian Boltz -- > You only read the second paragraph, didn't you? 
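Review bot: `CMD_ABORT` is offered in `q.functions += ['CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED']` but is neither in the `while ans not in ['CMD_ADDHAT', 'CMD_ADDSUBPROFILE', 'CMD_DENY']` exit list nor handled after `ans = q.promptUser()[0]`, so unless `promptUser()` acts on abort internally, choosing it only redisplays the prompt. Either drop it from the menu or add `'CMD_ABORT'` to the exit list and route it to whatever abort handling the rest of `ask_the_questions()` uses, e.g. `if ans == 'CMD_ABORT': confirm_and_abort()` if that is the helper aa.py already relies on (not visible from this hunk). Keeping `q.default = 'CMD_DENY'` is the right fail-safe, since the hat/subprofile name being proposed comes from the parsed input rather than from the user, and a plain Enter must not grow the profile. The hat-vs-subprofile choice is taken from `log_dict[aamode][profile][hat]['profile']`, which is only meaningful in merge mode where the entry was parsed from a profile file; a comment such as `# 'profile' flag comes from the parsed profile, not from audit.log — an explicit prompt is needed before enabling this for logprof` above that `if` would stop the next reader from lifting this branch into the logprof path unchanged. The enclosing `ask_the_questions()` starts and ends outside the hunk, and since the mail says this block is a verbatim copy of the aa-mergeprof code, a shared helper would keep the two from drifting.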
Why do you write emails where one has to read the stuff between the first and the last word? [> Stephan Kulow and Dirk Mueller in opensuse-packaging]