[Apparmor-dev] A command line tool to add to a profile?
Crispin Cowan
crispin at novell.com
Wed May 2 15:41:26 MDT 2007
Mark Dalton wrote:
> I read through previous mails and FAQs, and I did not find a command
> line tool to add a definition/allowed directory to an existing
> definition. It would be useful for RPMs of packages or an easy command for an admin for a set of servers.
>
> It looks like the log_prof perl script could do this since it already modifies it.
>
> I was thinking of something like this, or adding options to log_prof?
> aa_log_add --program sbin.syslog-ng \
> --allow_dir /dev/my_syslog_pipe --access rw
>
I like it!
> The nice thing about the command line option is you could have it
> require where it came from:
> aa_log_add --program sbin.syslog-ng \
> --allow_dir /dev/my_syslog_pipe \
> --access rw --from my_syslog_tool.rpm
>
What does the "from" information do? "from" is not encoded in the
profiles, so what would you have the command do with that information?
> I did find the solutions, but they all require a System Administrator
> interactively adding something by hand.
>
> The Current tools for adding:
> Yast - GUI
> vi or your favorite editor
> logprof - Allows you to scan the logs to see what
> definitions should be added.
> But you need to go through a list.
>
In the short term, if someone wants to implement this, then start
from the Perl source for the "complain" command. It should not be much
of a change to create a program that can add a rule to a profile, and
because of the intelligence in the complain command, you can specify
which profile using either the pathname to the program or the pathname
to the file.
> So it does not help much on a group of machines which may not be
> identical, and it does not help with a RPM install.
>
In the longer term, we have a plan for a more general purpose tool. It
is a mathematical property of AA profiles that any 2 profiles can be
merged together to produce a 3rd profile that satisfies all of the
requirements of the 2 antecedents. This is intended for both of the
cases you cite:
* In the case of a group of non-identical machines doing profile
development, you can merge the profiles together and then rdist
them to all the machines.
* In the case of an RPM upgrade where the RPM updates a profile and
the user has also updated the profile, then the RPM install can
use the merge tool to get both the user's and the packages updates
to the profile and merge them to produce a resulting working profile.
It would be a trivial enhancement of the merge tool to have it be able
to merge a single rule from the command line.
However, the merge tool may not come out for a while yet, largely due to
limited staff who can work on it. So if you want a "profile add"
command, someone else will have to implement it, as we can't spare the
people from more urgent needs.
Implementing profile-add should be pretty easy when starting from the
"complain" code, but it is also likely to be obsoleted by the merge tool.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
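As an added example that is not part of this thread and not AppArmor's own code: a small Python sketch of the "profile add" command Mark asks for, built as the single-rule case of the profile merge Crispin describes later in the message (merge two profiles, get a third that permits everything either one permits; a command-line rule is just a one-rule profile merged in). Everything in it is an assumption made for the illustration: the function names, the constructed sample profile, and the restriction to single-level profiles with simple file rules whose permissions are drawn from r/w/a/k/l/m. The real complain/logprof code is Perl and understands far more profile syntax.

```python
"""Toy 'profile add' / 'profile merge' for AppArmor profiles (added example,
not AppArmor's own code).  Scope: one single-level profile per file and
simple file rules "/path perms," with perms from r w a k l m.  Any other
non-blank line inside the braces (#include, capability, ...) is kept
verbatim and de-duplicated; nested hats and execute modes (ix/px/ux/...)
are rejected rather than merged incorrectly."""
import re
import sys
from dataclasses import dataclass, field

FILE_RULE = re.compile(r"^\s*(/\S+)\s+([A-Za-z]+),\s*$")
PERM_LETTERS = "rwaklm"   # permissions that simply union; also the output order


@dataclass
class Profile:
    preamble: list                                   # lines before "name {"
    header: str                                      # e.g. "/sbin/syslog-ng {"
    file_rules: dict = field(default_factory=dict)   # path -> set of perm letters
    other_rules: list = field(default_factory=list)  # opaque lines, verbatim

    def add_file_rule(self, path, perms):
        bad = set(perms) - set(PERM_LETTERS)
        if bad:
            raise ValueError(f"unsupported permission(s) {sorted(bad)} for {path}")
        self.file_rules.setdefault(path, set()).update(perms)

    def render(self):
        # AppArmor does not care about rule order, so emit a sorted canonical form.
        out = list(self.preamble) + [self.header]
        out += ["  " + r for r in self.other_rules]
        if self.other_rules and self.file_rules:
            out.append("")
        for path in sorted(self.file_rules):
            perms = "".join(c for c in PERM_LETTERS if c in self.file_rules[path])
            out.append(f"  {path} {perms},")
        out.append("}")
        return "\n".join(out) + "\n"


def parse_profile(text):
    preamble, header, body = [], None, []
    for line in text.splitlines():
        s = line.strip()
        if header is None:
            if s.endswith("{"):
                header = s
            else:
                preamble.append(line)
        elif s == "}":
            break
        elif s.endswith("{"):
            raise ValueError("nested blocks (hats/subprofiles) are not supported")
        else:
            body.append(s)
    if header is None:
        raise ValueError("no profile block found")
    prof = Profile(preamble, header)
    for s in body:
        m = FILE_RULE.match(s)
        if m:
            prof.add_file_rule(m.group(1), m.group(2))
        elif s and s not in prof.other_rules:
            prof.other_rules.append(s)
    return prof


def merge(a, b):
    """Union of two profiles for the same program: the result permits
    everything either antecedent permits (the RPM-upgrade-vs-local-edit case)."""
    if a.header != b.header:
        raise ValueError(f"cannot merge {a.header!r} with {b.header!r}")
    out = Profile(list(a.preamble), a.header, {}, list(a.other_rules))
    for prof in (a, b):
        for path, perms in prof.file_rules.items():
            out.add_file_rule(path, "".join(perms))
    out.other_rules += [r for r in b.other_rules if r not in a.other_rules]
    return out


def profile_add(text, path, perms):
    """The proposed 'aa_log_add --allow ... --access ...' as a one-rule merge."""
    base = parse_profile(text)
    single = Profile([], base.header)
    single.add_file_rule(path, perms)
    return merge(base, single).render()


# Constructed sample profile for the example (not taken from a real system).
SAMPLE_PROFILE = """#include <tunables/global>

/sbin/syslog-ng {
  #include <abstractions/base>

  /etc/syslog-ng/syslog-ng.conf r,
  /dev/my_syslog_pipe r,
  /var/log/messages w,
}
"""

if __name__ == "__main__":
    # usage: profile_add.py /etc/apparmor.d/sbin.syslog-ng /dev/my_syslog_pipe rw
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            sys.stdout.write(profile_add(f.read(), sys.argv[2], sys.argv[3]))
    else:
        sys.stdout.write(profile_add(SAMPLE_PROFILE, "/dev/my_syslog_pipe", "rw"))
```

Run without arguments it rewrites the embedded sample, turning the existing `/dev/my_syslog_pipe r,` into `rw,` rather than adding a second rule for the same path; given a profile path, a file path and a permission string it prints the updated profile to stdout instead of editing in place, so the result can be diffed and then loaded with `apparmor_parser -r`. Because the merge is a plain union it can only widen what the program is allowed to do: a local rule that a vendor update has since tightened survives the merge, so an RPM scriptlet using this approach should leave the diff for the admin to review.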