[Apparmor-dev] [RFR] patches for userspace tools

jesse michael jmichael at suse.de
Sun Sep 9 19:19:58 MDT 2007


On Fri, Sep 07, 2007 at 02:39:18PM -0600, Dominic Reynolds wrote:
> 
> remove-docs-deps.diff
>   - remove the yast dependencies for apparmor docs

This one looks fine.

> aaeventd-reports.diff
> repo_feedback.diff

I haven't had a chance to look at these two yet.
 
> syslog_audit_format.diff
>   - update the log processing code to work with the latest message format
>     patches. Split out the handling into separate functions for v 2.0 and v
>     2.1 record types. The function for v 2.0 handling is a bit ugly as it
>     processes one record per call - but needs some state (the last record
>     processed) in certain cases. Needs some more cleanup. Tested against
>     trunk code with messages in audit, syslog (apparmor v 2.1) and v 2.0
>     messages sent via audit.

Sorry to take a while to get through this.  It's a little bigger than I
expected and I wanted to write up a patch to fix something I ran into.

> +            # we need to try to check if we're doing a domain transition
> +            if ($sdmode eq "PERMITTING") {
> +                do {
> +                    $stuffed = <$FD>;
> +                } until ((! $stuffed) || ($stuffed =~ /AppArmor|audit/));
> +
> +                if ($stuffed && ($stuffed =~ m/changing_profile/)) {
> +                    $domainchange = "change";
> +                    $stuffed      = undef;
> +                }
> +            }
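Review bot: In the read-ahead at `$stuffed = <$FD>;`, a record that matches /AppArmor|audit/ but not changing_profile is left in $stuffed, and nothing in this hunk hands it back to the reader, so it is lost unless the caller re-injects it. Consider a small pushback helper, or return the unconsumed record to the caller, so the look-ahead never consumes a record it does not use. The `until` condition also silently discards every line that does not match /AppArmor|audit/, and the alternation is unanchored, so any line containing "audit" ends the scan; a comment stating that both are intended would help.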

When we were checking to see if the next message in the log was a domain
transition hint so we could tell the difference between access() and exec()
in complain mode, we stored the next log message in $stuffed...

>      open(LOG, $filename)
>        or fatal_error "Can't read AppArmor logfile $filename: $!";
> -    while (($_ = $stuffed) || ($_ = <LOG>)) {
> +    while ($_ = <LOG>) {
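Review bot: The new loop condition `while ($_ = <LOG>)` drops the `($_ = $stuffed) ||` branch, so a record held in $stuffed after a look-ahead that did not find changing_profile is no longer fed back into processing; either keep a re-injection path or document where that record is handled now. On the context line, `open(LOG, $filename)` is a two-argument open on a bareword handle; the three-argument form with a lexical handle, `open(my $log, '<', $filename)`, keeps characters in $filename from being interpreted as an open mode or a pipe.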

...and injected it back in here to keep from dropping the message if it 
turned out to be something other than a changing_profile/"set profile" hint.

Here's a patch to clean up how we pull messages out of the log a little, and it
should keep us from dropping those messages.

I haven't tested it in all the old vs. new + syslog vs. audit combinations, 
but I think it'll work.  :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rework_log_handling.diff
Type: text/x-patch
Size: 7845 bytes
Desc: not available
Url : http://forge.novell.com/pipermail/apparmor-dev/attachments/20070909/5c120998/rework_log_handling.bin
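
The look-ahead and re-injection discussed in this message can be modelled with a reader that supports pushing a record back. This is an added example, not the contents of rework_log_handling.diff and not AppArmor code; the PushbackReader package, process_log and the sample records are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed, simplified records for illustration; not real AppArmor log output.
my $sample = <<'EOT';
audit: PERMITTING x access to /bin/ls (prog_a)
kernel: unrelated line
audit: changing_profile (prog_a)
audit: PERMITTING r access to /etc/hosts (prog_b)
audit: REJECTING w access to /etc/hosts (prog_b)
EOT

{
    # Hypothetical helper: line reader with a pushback queue, so a look-ahead
    # can hand back a record it decided not to consume.
    package PushbackReader;
    sub new { my ($class, $fh) = @_; return bless { fh => $fh, queue => [] }, $class }
    sub read_record {
        my ($self) = @_;
        return shift @{ $self->{queue} } if @{ $self->{queue} };
        return scalar readline($self->{fh});
    }
    sub unread_record { my ($self, $line) = @_; unshift @{ $self->{queue} }, $line; return }
}

sub process_log {
    my ($fh) = @_;
    my $reader = PushbackReader->new($fh);
    my @events;
    while (defined(my $line = $reader->read_record)) {
        next unless $line =~ /AppArmor|audit/;    # skip unrelated lines
        chomp $line;
        my $domainchange = 'none';
        if ($line =~ /PERMITTING/) {
            # Look ahead to the next relevant record for a transition hint.
            my $peek;
            do { $peek = $reader->read_record }
              until (!defined($peek) || $peek =~ /AppArmor|audit/);
            if (defined $peek && $peek =~ /changing_profile/) {
                $domainchange = 'change';         # hint consumed
            } elsif (defined $peek) {
                $reader->unread_record($peek);    # not a hint: hand it back
            }
        }
        push @events, "$line [domainchange=$domainchange]";
    }
    return @events;
}

open(my $fh, '<', \$sample) or die "cannot open in-memory sample: $!";
print "$_\n" for process_log($fh);
close $fh;
```

With the sample above, the REJECTING record that follows the second PERMITTING record is read during the look-ahead, pushed back, and still reported as its own event.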

