[apparmor] [PATCH] use -QTK instead of -p in easyprof's verify_policy()
Use '-QTK' instead of '-p' in verify_policy(). '-p' only runs the preprocessor and is not as thorough as '-QTK' (--skip-kernel-load, --skip-read-cache, --skip-cache) since '-QTK' does a full compile. Like with '-p', '-QTK' can be run without privilege but it will catch things like conflicting 'x' modifiers that '-p' won't.

The '-QTK' arguments are available at least as far back as apparmor 2.5.1 (eg, Ubuntu 10.04 LTS) with easyprof itself added much later, in 2012 (r2040).

Note, since using -QTK does a full compile it is significantly slower than '-p', but that is because it is doing much more. This won't affect easyprof's primary consumer, click-apparmor, since aa-clickhook skips the easyprof verification tests (it loads (and therefore verifies) policy in a separate step).

Unit tests pass with the change.

Acked-By: Jamie Strandboge ja...@canonical.com

--
Jamie Strandboge http://www.ubuntu.com/

Author: Jamie Strandboge ja...@canonical.com
Description: use -QTK instead of -p in verify_policy(). '-p' only runs the preprocessor and is not as thorough as -QTK (--skip-kernel-load, --skip-read-cache, --skip-cache). Like with '-p', '-QTK' can be run without privilege but it will catch things like conflicting 'x' modifiers.
Acked-By: Jamie Strandboge ja...@canonical.com

=== modified file 'utils/apparmor/easyprof.py' --- utils/apparmor/easyprof.py 2014-03-20 05:02:53 + +++ utils/apparmor/easyprof.py 2014-06-09 18:08:34 + @@ -279,7 +279,7 @@ os.write(f, policy) os.close(f) -rc, out = cmd([exe, '-p', fn]) +rc, out = cmd([exe, '-QTK', fn]) os.unlink(fn) if rc == 0: return True

--
AppArmor mailing list AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
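Review bot: The bundled short options in `cmd([exe, '-QTK', fn])` in the verify_policy() hunk of utils/apparmor/easyprof.py are undocumented at the call site, so a reader has to look up the parser's options to learn that this is a full compile with no kernel load and no cache use. A one-line comment above the call, or passing the long forms already named in the description (--skip-kernel-load, --skip-read-cache, --skip-cache), would keep that intent visible in the code. Separately, in the visible context lines `out` is not used before `return True`; now that the parser can report real compile errors such as conflicting 'x' modifiers, it is worth confirming that the failure path surfaces `out` to the caller instead of dropping it.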
Re: [apparmor] [PATCH] use -QTK instead of -p in easyprof's verify_policy()
On Mon, Jun 09, 2014 at 01:30:01PM -0500, Jamie Strandboge wrote:

Use '-QTK' instead of '-p' in verify_policy(). '-p' only runs the preprocessor and is not as thorough as '-QTK' (--skip-kernel-load, --skip-read-cache, --skip-cache) since '-QTK' does a full compile. Like with '-p', '-QTK' can be run without privilege but it will catch things like conflicting 'x' modifiers that '-p' won't.

The '-QTK' arguments are available at least as far back as apparmor 2.5.1 (eg, Ubuntu 10.04 LTS) with easyprof itself added much later, in 2012 (r2040).

Note, since using -QTK does a full compile it is significantly slower than '-p', but that is because it is doing much more. This won't affect easyprof's primary consumer, click-apparmor, since aa-clickhook skips the easyprof verification tests (it loads (and therefore verifies) policy in a separate step).

Unit tests pass with the change.

Acked-By: Jamie Strandboge ja...@canonical.com

Acked-by: Seth Arnold seth.arn...@canonical.com

Thanks

--
Jamie Strandboge http://www.ubuntu.com/

Author: Jamie Strandboge ja...@canonical.com
Description: use -QTK instead of -p in verify_policy(). '-p' only runs the preprocessor and is not as thorough as -QTK (--skip-kernel-load, --skip-read-cache, --skip-cache). Like with '-p', '-QTK' can be run without privilege but it will catch things like conflicting 'x' modifiers.
Acked-By: Jamie Strandboge ja...@canonical.com

=== modified file 'utils/apparmor/easyprof.py' --- utils/apparmor/easyprof.py2014-03-20 05:02:53 + +++ utils/apparmor/easyprof.py2014-06-09 18:08:34 + @@ -279,7 +279,7 @@ os.write(f, policy) os.close(f) -rc, out = cmd([exe, '-p', fn]) +rc, out = cmd([exe, '-QTK', fn]) os.unlink(fn) if rc == 0: return True