[Apparmor-dev] Re: check for newer profile in repo before asking to
add new hats and execs
Dominic Reynolds
dreynolds at suse.de
Wed Sep 26 21:16:23 MDT 2007
+++ jesse michael [26/09/07 16:10 -0700]:
> Currently, logprof/genprof asks hat and execute transition questions before
> checking if there's a newer version of the profile in the repository
> which can result in just-added rules being erased when overwriting the
> local profile with an updated version from the repository.
>
> This adds checks for a newer profile in the repository before asking to
> add new hats or execute rules to a profile.
>
> It currently results in a repository check for every hat or exec in the
> system log whether the existing profile now satisfies the request or not
> which is not exactly ideal.
>
> check_repo_for_newer() should be changed to return whether the profile was
> updated so that the callers can be refactored to only perform the repo check
> if the current local profile does not satisfy the request.
>
>
> The code currently does something roughly along the lines of:
>
>     check_repo_for_newer($profile);
>     if (event_not_satisfied($profile, $event)) {
>         prompt_user_for_event($profile, $event);
>     }
>
> It should probably be doing something like:
>
>     if (event_not_satisfied($profile, $event)) {
>         if (!upgrade_to_newer($profile) || event_not_satisfied($profile, $event)) {
>             prompt_user_for_event($profile, $event);
>         }
>     }
>
Thanks jesse.
This looks good - I think we should check it in and then I'll look at
implementing the changes that you suggest next week.
-dom
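
The two control flows sketched in the quoted message, as an added example that is not part of the original thread or of the logprof/genprof code: a toy Perl model that counts repository checks and user prompts for each flow over the same events. Only the names event_not_satisfied and upgrade_to_newer come from the message; the profile data, event strings and helper bodies are constructed assumptions.

```perl
#!/usr/bin/perl
# Added illustration: toy model of the two flows discussed in the thread.
# All data and helper bodies are hypothetical stand-ins, not logprof code.
use strict;
use warnings;

# Constructed sample data: a newer repository copy of one profile, and log events.
my %repo = ('/usr/sbin/httpd' =>
    { rules => { 'hat:status' => 1, 'hat:admin' => 1, 'exec:/bin/sh' => 1 } });
my @events = (
    [ '/usr/sbin/httpd', 'hat:admin'    ],   # satisfied only by the repo version
    [ '/usr/sbin/httpd', 'exec:/bin/sh' ],   # satisfied only by the repo version
    [ '/usr/sbin/httpd', 'exec:/bin/ls' ],   # satisfied by neither version
    [ '/usr/sbin/httpd', 'hat:status'   ],   # already satisfied locally
);

sub run_flow {
    my ($refactored) = @_;
    # Fresh local state per run: an older profile with a single rule.
    my %local = ('/usr/sbin/httpd' => { rules => { 'hat:status' => 1 }, upgraded => 0 });
    my ($repo_checks, @prompts) = (0);

    my $event_not_satisfied = sub {
        my ($p, $e) = @_;
        return !exists $local{$p}{rules}{$e};
    };
    # Counts every repository lookup; returns true only when the local
    # profile was actually replaced by the repository version.
    my $upgrade_to_newer = sub {
        my ($p) = @_;
        $repo_checks++;
        return 0 if $local{$p}{upgraded} || !$repo{$p};
        $local{$p} = { rules => { %{ $repo{$p}{rules} } }, upgraded => 1 };
        return 1;
    };

    for my $ev (@events) {
        my ($p, $e) = @$ev;
        if ($refactored) {
            # Suggested flow: consult the repo only for unsatisfied events.
            next unless $event_not_satisfied->($p, $e);
            next if $upgrade_to_newer->($p) && !$event_not_satisfied->($p, $e);
        } else {
            # Flow of the patch as posted: repo check before every event.
            $upgrade_to_newer->($p);
            next unless $event_not_satisfied->($p, $e);
        }
        push @prompts, $e;   # stands in for prompt_user_for_event()
    }
    return ($repo_checks, scalar @prompts);
}

printf "patch as posted: %d repo checks, %d prompts\n", run_flow(0);
printf "suggested flow:  %d repo checks, %d prompts\n", run_flow(1);
```

In both flows the repository update is applied before any prompt, so an answer the user has just given is never overwritten; the suggested flow only skips the lookups for events the local profile already covers.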