[Apparmor-dev] Re: patches for userspace tools

Dominic Reynolds dreynolds at suse.de
Mon Sep 10 11:02:28 MDT 2007


+++ jesse michael [09/09/07 18:19 -0700]:
> On Fri, Sep 07, 2007 at 02:39:18PM -0600, Dominic Reynolds wrote:
> > 
> > remove-docs-deps.diff
> >   - remove the yast dependencies for apparmor docs
> 
> This one looks fine.
> 
> > aaeventd-reports.diff
> > repo_feedback.diff
> 
> I haven't had a chance to look at these two yet.
>  
> > syslog_audit_format.diff
> >   - update the log processing code to work with the latest message format
> >     patches. Split out the handling into separate functions for v 2.0 and v
> >     2.1 record types. The function for v 2.0 handling is a bit ugly as it
> >     processes one record per call - but needs some state (the last record
> >     processed) in certain cases. Needs some more cleanup. Tested against
> >     trunk code with messages in audit, syslog (apparmor v 2.1) and v 2.0
> >     messages sent via audit.
> 
> Sorry to take a while to get through this.  It's a little bigger than I
> expected and I wanted to write up a patch to fix something I ran into.
> 
> > +            # we need to try to check if we're doing a domain transition
> > +            if ($sdmode eq "PERMITTING") {
> > +                do {
> > +                    $stuffed = <$FD>;
> > +                } until ((! $stuffed) || ($stuffed =~ /AppArmor|audit/));
> > +
> > +                if ($stuffed && ($stuffed =~ m/changing_profile/)) {
> > +                    $domainchange = "change";
> > +                    $stuffed      = undef;
> > +                }
> > +            }
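Review bot: in the PERMITTING branch, a line that matches /AppArmor|audit/ but not changing_profile is left in $stuffed, and nothing in this hunk hands it back to the reader, so whether it gets processed depends entirely on the caller. The end-of-input test `! $stuffed` is also a truthiness check; `!defined($stuffed)` states the intent, and pushing the unconsumed line onto an explicit queue would make the look-ahead safe on its own.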
> 
> When we were checking to see if the next message in the log was a domain
> transition hint so we could tell the difference between access() and exec()
> in complain mode, we stored the next log message in $stuffed...
> 
> >      open(LOG, $filename)
> >        or fatal_error "Can't read AppArmor logfile $filename: $!";
> > -    while (($_ = $stuffed) || ($_ = <LOG>)) {
> > +    while ($_ = <LOG>) {
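Review bot: with `($_ = $stuffed) ||` removed from the loop condition, this loop no longer picks up a line held in $stuffed, so a record that was read ahead and was not a changing_profile hint is skipped unless it is re-queued somewhere not shown here. The look-ahead hunk reads from $FD while this loop reads LOG; if they are the same stream, keep a push-back step (check a queue before `<LOG>`), and if they are not, document which handle owns the look-ahead.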
> 
> ..and injected it back in here to keep from dropping the message if it 
> turned out to be something other than a changing_profile/"set profile" hint.
> 
> Here's a patch to clean up how we pull messages out of the log a little and
> should keep us from dropping those messages.
> 
> I haven't tested it in all the old vs. new + syslog vs. audit combinations, 
> but I think it'll work.  :)

Thanks jesse, this does look better.

I've made a couple of small tweaks to these (attached):
 * pull out the regex patterns for log matching into a single place
 * fix a small problem with logmark/seenmark not being detected/set properly

Retested this (basic profile tests) against logfiles for:
  v2.1 syslog
  v2.1 audit
  v2.0 audit

thanks,
dom
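
The look-ahead and re-injection discussed in the quoted review, as an added example that is not taken from the attached patch or from the AppArmor tools: a reader that peeks at the next relevant record and pushes it back when it is not a changing_profile hint. The sample lines are constructed (only the tokens AppArmor, audit, PERMITTING and changing_profile come from the thread, not the real record layout), and `next_record`, `classify` and `@pushback` are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: only the tokens quoted in the thread are real;
# the rest of each line is made up for this example.
my $sample = <<'EOT';
kernel: audit(1): AppArmor: PERMITTING x access to /bin/ls
cron[42]: unrelated noise
kernel: audit(2): AppArmor: changing_profile
kernel: audit(3): AppArmor: PERMITTING x access to /bin/cat
kernel: audit(4): AppArmor: PERMITTING r access to /etc/motd
EOT

my $relevant = qr/AppArmor|audit/;   # match pattern kept in a single place
my @pushback;                        # lines read ahead but not consumed

# Return the next relevant log line, preferring anything pushed back.
sub next_record {
    my ($fh) = @_;
    return shift @pushback if @pushback;
    while (defined(my $line = <$fh>)) {
        return $line if $line =~ $relevant;
    }
    return;    # end of log
}

# Classify each PERMITTING record. The following record is peeked at and
# handed back unless it is the changing_profile hint, so it is never dropped.
sub classify {
    my ($fh) = @_;
    my @events;
    while (defined(my $rec = next_record($fh))) {
        next unless $rec =~ /PERMITTING/;
        my $kind = "access";
        my $peek = next_record($fh);
        if (defined $peek) {
            if ($peek =~ /changing_profile/) { $kind = "change" }
            else                             { unshift @pushback, $peek }
        }
        chomp $rec;
        push @events, "$kind: $rec";
    }
    return @events;
}

open(my $fh, '<', \$sample) or die "in-memory open failed: $!";
print "$_\n" for classify($fh);
close($fh);
```

On the constructed input this reports three events; without the `unshift @pushback` line the last PERMITTING record would be consumed by the look-ahead and never classified.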



-------------- next part --------------
A non-text attachment was scrubbed...
Name: rework_log_handling.diff
Type: text/x-patch
Size: 9165 bytes
Desc: not available
Url : http://forge.novell.com/pipermail/apparmor-dev/attachments/20070910/6077ff8f/rework_log_handling.bin

