Hello,

On Wed, Jul 30, 2014 at 4:01 AM, Christian Boltz <[email protected]> wrote:
> Hello,
>
> On Wednesday, 30 July 2014, Kshitij Gupta wrote:
>> As I remember it is by design to have the first parameter be "your"
>> current profile which will be in the directory specified by -d
>
> Well, the current syntax allows the profile to be anywhere, independent
> of -d ;-)
>
>> (which was not working as expected though) and have it merge with a
>> new base and other profile.
>>
>> Thus the assumption here is you want your merged profile to be in your
>> current directory of profiles (as specified by -d).
>>
>> Do you want to be able to merge just any two profiles from anywhere?
>> The current method uses all the profiles and abstractions from -d
>> directory to process profiles. Without it the merges can vary from
>> system to system in case users have varying abstractions or
>> something.
>
> Good question ;-)
>
> Currently aa-mergeprof merges into the profile given as first parameter,
> wherever that file is.
>
> Maybe it would be a good idea to change the behaviour a bit:
> - always merge to --dir (/etc/apparmor.d/ by default)
> - this also means specifying the merge target (first parameter) is
>   superfluous and can/should be removed.
>   As a side effect, the usage would be more intuitive because you don't
>   need to remember which parameter is the merge target. Just specify
>   what you want to pull in, similar to "aa-logprof -f ..."
> - and finally, it would be nice to allow an unlimited number of
>   parameters/profiles to merge ;-) (just run a loop over them ;-)
>
I need to check if this will be a trivial change or require some restructuring.

> So basically instead of
>     aa-mergeprof /etc/apparmor.d/bin.foo ~/newprofiles/bin.foo
> you could just call
>     aa-mergeprof ~/newprofiles/bin.foo
>
> You could even do
>     aa-mergeprof ~/newprofiles/*
> to merge all updated profiles into their /etc/apparmor.d/ counterpart.

Interesting use-case. It'd be basically like a large-scale profile update.

>
>
> The only disadvantage is that this won't be a real 3-way merge.
> The most important features of 3-way-merge are:
> - delete rules that were removed in the "upstream"/base profile
> - handle conflicts for *x rules

I think we have most of these features (in some capacity). You've probably tested the tool more than I have.

> I slightly doubt this is something we need. (If someone disagrees or if
> I forgot an important use case, please speak up ;-)
>
>
> Nevertheless, aa-mergeprof will need a working -d/--dir parameter, so
> please also review my patch ;-)
>

The patch looks good.

Acked-by: Kshitij Gupta <[email protected]>.

Regards,

Kshitij Gupta

>
> Regards,
>
> Christian Boltz
> --
> This here is a beginners' list.
> I also want to explain to you why:
> IMHO there is no such thing as a 'Linux pro'.
> [Bernd Obermayr in suse-linux]
>
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
