[Apparmor-dev] Re: repost of network toggle patches for the tools and bug fixes for repo

John Johansen jjohansen at suse.de
Tue Jul 24 19:25:19 MDT 2007


On Tue, Jul 24, 2007 at 03:24:12PM -0600, Dominic Reynolds wrote:
> Missing patch attached.
> 
> -dom
> 
> +++ Dominic Reynolds [24/07/07 14:12 -0600]:
> > Refreshed patches to include Jesse's latest locking/append fixes and fix
> > other problems:
> >    directory matching when existing rules have tailglobs 
> >    rudimentary fix for mandatory profile error messages
> > 

Well, not so promising.  The results from testing show the same bugs
I hit last time, every single one of them and I noticed a couple
new ones (so forgive me for copy and pasting from previous mail).

It is the same test of removing firefox and firefox-bin profiles
and doing genprof firefox

Bugs
choosing * doesn't eliminate questions/choices it should (NEW)
- genprof prompts for r on /foo/bar/bleah 
  choose glob so I add the rule
  /foo/bar/*

  genprof proceeds to ask for r permission on /foo/bar/next
  and then /foo/bar/yetagain, ...

  It only stops when I have said yes to each entry or when I choose
  to use **
  eg. /foo/bar/**

Directory perm bug
- We are still hitting a couple of directory perm bugs in genprof.
  The situation is asking for r perm on /dir/ (still)

  example 1:
  asking for "r" on /tmp/ and /var/tmp/
  looking into preprocessed profile I see the tmp profile tmp rules in global
  /var/tmp/** rwl,
  /var/tmp    r,
  /tmp/**    rwl,
  /tmp       r,

  so it looks like genprof is matching /tmp/ to /tmp and just not prompting
  for it.

  example 2:
  asking for "r" on /etc/opt/gnome/gnome-vfs-2.0/modules/
  and the profile has
  /etc/opt/gnome/gnome-vfs-2.0/modules/*  r,
  or
  /etc/opt/gnome/gnome-vfs-2.0/modules/** r,

  and again genprof never prompts for that message

(P)rofile bug
  started profiling by doing genprof firefox and then ran firefox
  which kicks off the shell script, I got it to ask ix, px, ..
  for firefox-bin and chose px and I got greeted with this error
  4 times

  Use of uninitialized value in scalar chomp at
  /usr/lib/perl5/vendor_perl/Immunix/SubDomain.pm line 593.

  And then it never processed any of the firefox-bin messages that
  used the null-complain-profile.

Null-complain-profile not tracking correctly?
  I haven't yet been able to successfully create a profile for
  an app that is using the null-complain-profile.  I always have
  to restart with a base profile loaded for the application.



Other oddities and feature requests
- long pause on startup as genprof tried to check the profile repository,
  there was no indication that genprof was doing anything

- long pause when choosing Px as genprof checked profile repository,
  again no message or indication it was trying to do something
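
An added illustration, not part of the original mail and not code from the AppArmor tools: a small Python model of the coverage check a profiling tool needs after a rule is accepted, so that pending requests the new rule already covers are dropped while a request for the directory itself is still prompted. It assumes that a `*` or `**` standing alone as a path component needs at least one character, and that `*` never crosses a `/`; the function names and the sample events are constructed.

```python
import re

def glob_to_regex(rule_path):
    """Translate an AppArmor-style path glob into an anchored regex.

    Assumption: '*' excludes '/', '**' includes it, and a glob that is a
    whole path component ('/*', '/**') must match at least one character,
    so '/dir/*' and '/dir/**' do not cover the directory '/dir/' itself.
    """
    out, i = [], 0
    while i < len(rule_path):
        if rule_path[i] == "*":
            width = 2 if rule_path.startswith("**", i) else 1
            after = rule_path[i + width:i + width + 1]
            whole = i > 0 and rule_path[i - 1] == "/" and after in ("", "/")
            out.append(("." if width == 2 else "[^/]") + ("+" if whole else "*"))
            i += width
        else:
            out.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("".join(out) + r"\Z", re.DOTALL)

def covered(path, perm, rules):
    """True if some rule matches the path and grants every requested perm."""
    return any(glob_to_regex(g).match(path) and set(perm) <= set(p)
               for g, p in rules)

def still_to_prompt(pending, rules):
    """Pending (path, perm) requests that no existing rule covers."""
    return [(path, perm) for path, perm in pending
            if not covered(path, perm, rules)]

# Rules quoted in the mail, plus constructed pending requests.
GLOBAL_RULES = [("/var/tmp/**", "rwl"), ("/var/tmp", "r"),
                ("/tmp/**", "rwl"), ("/tmp", "r")]
PENDING = [("/foo/bar/bleah", "r"), ("/foo/bar/next", "r"),
           ("/foo/bar/yetagain", "r"), ("/foo/bar/sub/deep", "r"),
           ("/tmp/", "r"), ("/var/tmp/", "r")]

if __name__ == "__main__":
    for glob in ("/foo/bar/*", "/foo/bar/**"):
        rules = GLOBAL_RULES + [(glob, "r")]
        print(glob, "->", still_to_prompt(PENDING, rules))
```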
