[Apparmor-dev] A command line tool to add to a profile?

Mark Dalton mwd at cray.com
Wed May 2 16:03:34 MDT 2007


Crispin Cowan wrote:
> Mark Dalton wrote:
>   
>> I read through previous mails and FAQs, and I did not find a command
>> line tool to add a definition/allowed directory to an existing
>> definition. It would be useful for RPMs of packages or an easy command
>> for an admin for a set of servers.
>>
>> It looks like the log_prof perl script could do this since it already modifies it.
>>
>> I was thinking of something like this, or adding options to log_prof?
>>      aa_log_add --program sbin.syslog-ng 
>>                --allow_dir /dev/my_syslog_pipe  --access rw
>>   
>>     
> I like it!
>
>   
>> The nice thing about the command line option is you could have it
>> require where it came from:
>>      aa_log_add --program sbin.syslog-ng \
>>                --allow_dir /dev/my_syslog_pipe \
>>                 --access rw --from my_syslog_tool.rpm
>>   
>>     
> What does the "from" information do? "from" is not encoded in the
> profiles, so what would you have the command do with that information?
>
>   
The from was just a thought of something to add so you know
where the change came from.   Perhaps just a syslog message or
something similar (so you know who to 'blame' for the change). :)

Mark
>> I did find the solutions but they all require a System Administrator
>> interactively adding something by hand.
>>
>> The Current tools for adding:
>>           Yast - GUI
>>           vi or your favorite editor
>>           logprof   - Allows you to scan the logs to see what
>>                       definitions should be added.
>>                       But you need to go through  a list.
>>   
>>     
> In the short term, if someone wants to implement this, then start
> from the PERL source for the "complain" command. It should not be much
> of a change to create a program that can add a rule to a profile, and
> because of the intelligence in the complain command, you can specify
> which profile using either the pathname to the program or the pathname
> to the file.
>
>   
>> So it does not help much on a group of machines which may not be
>> identical, and it does not help with a RPM install.
>>   
>>     
> In the longer term, we have a plan for a more general purpose tool. It
> is a mathematical property of AA profiles that any 2 profiles can be
> merged together to produce a 3rd profile that satisfies all of the
> requirements of the 2 antecedents. This is intended for both of the
> cases you cite:
>
>     * In the case of a group of non-identical machines doing profile
>       development, you can merge the profiles together and then rdist
>       them to all the machines.
>     * In the case of an RPM upgrade where the RPM updates a profile and
>       the user has also updated the profile, then the RPM install can
>       use the merge tool to get both the user's and the package's updates
>       to the profile and merge them to produce a resulting working profile.
>
> It would be a trivial enhancement of the merge tool to have it be able
> to merge a single rule from the command line.
>
> However, the merge tool may not come out for a while yet, largely due to
> limited staff who can work on it. So if you want a "profile add"
> command, someone else will have to implement it, as we can't spare the
> people from more urgent needs.
>
> Implementing profile-add should be pretty easy when starting from the
> "complain" code, but it is also likely to be obsoleted by the merge tool.
>
> Crispin
>
>   
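The two operations discussed in this thread, adding a single rule to a profile from the command line (the proposed aa_log_add) and merging two profiles into one that satisfies every rule of both (the merge property Crispin describes), as an added example in Python. This is not code from the thread or from the AppArmor project (whose tools at the time were Perl). It assumes a simplified flat profile layout and handles only file rules; the `Mode` and `Profile` classes and the `SAMPLE` profile are constructed for the example and are not a real package's profile.

```python
"""Added example, not AppArmor's own tooling: add one file rule to a profile, or
merge two profiles into one that grants everything either of them granted. Assumes
a flat profile ("name {" ... "}") with file rules "/path mode,"; include, capability
and comment lines are carried through verbatim."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HEADER_RE = re.compile(r"^\s*(\S+)\s*\{\s*$")             # "/sbin/syslog-ng {"
FILE_RULE_RE = re.compile(r"^\s*(/\S+)\s+(\S+)\s*,\s*$")  # "/dev/log w,"
BASE_PERMS = "rwamkl"                                     # non-exec permission letters
EXEC_QUALIFIERS = ("ix", "px", "Px", "ux", "Ux", "cx", "Cx", "x")  # bare x checked last

@dataclass
class Mode:
    perms: Set[str] = field(default_factory=set)
    exec_q: Optional[str] = None

    @classmethod
    def parse(cls, text: str) -> "Mode":
        # Peel off an exec qualifier (if any), then validate the remaining letters.
        exec_q = next((q for q in EXEC_QUALIFIERS if text.endswith(q)), None)
        text = text[: len(text) - len(exec_q or "")]
        if set(text) - set(BASE_PERMS):
            raise ValueError(f"unknown permission letters in {text!r}")
        return cls(set(text), exec_q)

    def union(self, other: "Mode") -> "Mode":
        # Union of r/w/a/m/k/l is always safe; two different exec qualifiers are not.
        if self.exec_q and other.exec_q and self.exec_q != other.exec_q:
            raise ValueError(f"exec conflict: {self.exec_q} vs {other.exec_q}")
        return Mode(self.perms | other.perms, self.exec_q or other.exec_q)

    def __str__(self) -> str:
        return "".join(p for p in BASE_PERMS if p in self.perms) + (self.exec_q or "")

@dataclass
class Profile:
    name: str
    preamble: List[str] = field(default_factory=list)  # lines before the header
    other: List[str] = field(default_factory=list)     # include/capability/comment lines
    files: Dict[str, Mode] = field(default_factory=dict)

    @classmethod
    def parse(cls, text: str) -> "Profile":
        prof = cls(name="")
        for line in text.splitlines():
            head = HEADER_RE.match(line) if not prof.name else None
            rule = FILE_RULE_RE.match(line) if prof.name else None
            if head:
                prof.name = head.group(1)
            elif not prof.name:
                prof.preamble.append(line)
            elif line.strip() == "}":
                break
            elif rule:
                prof.add_rule(*rule.groups())
            elif line.strip():
                prof.other.append(line.strip())
        if not prof.name:
            raise ValueError("no profile header found")
        return prof

    def add_rule(self, path: str, mode: str) -> "Profile":
        """The aa_log_add-style operation: grant `mode` on `path`, widening any existing rule."""
        new = Mode.parse(mode)
        self.files[path] = self.files[path].union(new) if path in self.files else new
        return self

    def merge(self, other: "Profile") -> "Profile":
        """Profile satisfying every rule of both inputs (the merge property from the thread)."""
        if self.name != other.name:
            raise ValueError("can only merge profiles for the same program")
        out = Profile(self.name, list(self.preamble), list(self.other), dict(self.files))
        out.other += [ln for ln in other.other if ln not in out.other]
        for path, mode in other.files.items():
            out.add_rule(path, str(mode))
        return out

    def render(self) -> str:
        body = [f"  {ln}" for ln in self.other]
        body += [f"  {path} {mode}," for path, mode in sorted(self.files.items())]
        return "\n".join(self.preamble + [f"{self.name} {{"] + body + ["}"]) + "\n"

# Constructed sample profile for the demo, not taken from any real package.
SAMPLE = """\
#include <tunables/global>
/sbin/syslog-ng {
  #include <abstractions/base>
  capability sys_chroot,
  /dev/log w,
  /etc/syslog-ng/syslog-ng.conf r,
}
"""
if __name__ == "__main__":
    print(Profile.parse(SAMPLE).add_rule("/dev/my_syslog_pipe", "rw").render())
    local = Profile.parse(SAMPLE).add_rule("/dev/log", "r")                   # admin's local edit
    shipped = Profile.parse(SAMPLE).add_rule("/etc/syslog-ng/conf.d/", "r")  # package's update
    print(local.merge(shipped).render())
```

The merge is a plain union of permissions per path, which is exactly why the result satisfies both inputs; the one place a union is not well defined is two different exec qualifiers (for example `ix` against `px`) on the same path, so the example refuses that case rather than emitting a rule the real parser would reject.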