Hello,

On Monday, 23 October 2017, 12:38:32 CEST, Goldwyn Rodrigues wrote:
> This series adds JSON for communicating the temporary diff file
> between the old and new profiles.
>
> I had to move code from aa.py to ui.py so that we don't have
> circular dependency in imports. Performed some cleanup there.
>
> In order to write a profile, I had to use the following
> patch for mount, pivot_root and unix on my 4.14.0-rc5 kernel.
>
> diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py > index 86ec1859..47fd3aa1 100644 > --- a/utils/apparmor/aa.py > +++ b/utils/apparmor/aa.py > @@ -2997,11 +2997,11 @@ def > serialize_profile_from_old_profile(profile_data, name, options): > 'capability': False, > 'network': False, > 'dbus': False, > - 'mount': True, # not handled otherwise yet > + 'mount': False, > 'signal': True, # not handled otherwise yet > 'ptrace': True, # not handled otherwise yet > - 'pivot_root': True, # not handled otherwise yet > - 'unix': True, # not handled otherwise yet > + 'pivot_root': False, > + 'unix': False, > 'link': False, > 'file': False, > 'change_profile': False,
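
Review bot: Nothing in this hunk records why 'mount', 'pivot_root' and 'unix' can lose the "# not handled otherwise yet" marker and become False while 'signal' and 'ptrace', directly beside them in serialize_profile_from_old_profile, keep True with the same comment. Please add a short comment on the three changed entries (or a line in the commit message) saying what makes False correct for them now, so the two remaining True entries do not read as an oversight and the next person to touch this table knows which value a new rule type should get.
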
That's related to the more strict ProfileStorage in bzr trunk. Older versions use hasher() which is more forgiving, but also very "useful" to hide quite some hard to track bugs [1]. The kernel version is completely unrelated ;-)

serialize_profile_from_old_profile is known to need "some changes"[tm]. Rewriting it is somewhere on my TODO list, but unfortunately there are some other things that are blocking it.

"View changes between clean profiles" works much better - and it looks like I always use that because I didn't notice the crash :-/

That said - your changes fix the crash, therefore

Acked-by: Christian Boltz <appar...@cboltz.de>

and committed to bzr trunk.

Regards,

Christian Boltz

[1] hasher() gives you a recursive array that auto-creates subkeys even when "just" doing a read access. Let's assume you have a hasher() for your garden, and currently you only have grass in your garden. Now someone walks into your garden hasher() and looks for a leaf:

    garden['tree']['branch'].get('leaf')

The hasher() will tell him that there's no leaf ("None"), but suddenly there's a tree with a branch in your garden hasher() :-/

--
> got a patch?
-ENOTMYJOB
[> Markus Rueckert and Bernhard Walle in opensuse-packaging]
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
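
The garden lookup from footnote [1], as a runnable added example (not code from the AppArmor tree or from either author). hasher() is modelled here as a recursive defaultdict, which is an assumption based on the footnote's description, and StrictStorage is a hypothetical stand-in for a container that rejects unknown keys, not ProfileStorage itself.

```python
import collections


def hasher():
    # Assumed behaviour, per the footnote: a recursive dict that creates
    # missing subkeys on any access, read access included.
    return collections.defaultdict(hasher)


class StrictStorage(dict):
    """Hypothetical strict container: only keys declared up front exist."""

    def __init__(self, allowed):
        super().__init__({key: {} for key in allowed})
        self._allowed = frozenset(allowed)

    def __missing__(self, key):
        # dict.__getitem__ calls this for absent keys; fail instead of creating.
        raise KeyError("unknown key %r (read access)" % (key,))

    def __setitem__(self, key, value):
        if key not in self._allowed:
            raise KeyError("unknown key %r (write access)" % (key,))
        super().__setitem__(key, value)


def lookup_leaf(garden):
    # The read from the footnote; nothing is assigned here.
    return garden['tree']['branch'].get('leaf')


def forgiving_read():
    garden = hasher()
    garden['grass'] = True
    before = sorted(garden)
    leaf = lookup_leaf(garden)
    # The lookup found no leaf, yet 'tree' and 'branch' now exist.
    return before, leaf, sorted(garden), list(garden['tree'])


def strict_read():
    garden = StrictStorage(['grass'])
    try:
        lookup_leaf(garden)
    except KeyError as exc:
        # The mistaken lookup surfaces at once and the container is unchanged.
        return exc.args[0], sorted(garden)
    return None, sorted(garden)


if __name__ == '__main__':
    print(forgiving_read())
    print(strict_read())
```

With the forgiving container a mistyped key in a read path silently becomes an empty entry that later code may serialize or iterate over; with the strict one the same typo is a crash at the line that caused it.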