On 01/24/2017 06:13 AM, Christian Boltz wrote:
> Well, up to 2.10 dbus rule handling in the tools was simply matching for
> "dbus.*," and writing the line back to the profile without any changes.
> I'm not sure if I'd call full support for dbus rules (including handling
> of log events) a regression ;-) but I understand that it's annoying.

If a user can't use tools such as aa-enforce/aa-complain/aa-disable
after updating to 2.11 because of this bug, it would certainly be a
regression in the eyes of that user. It is too bad that all of the
profiles have to be fully parsed just to use basic utilities that don't
necessarily care about the rules inside of a profile.

I do understand that it is very nice to have dbus rule support in the
utils. Very nice job on that!

> Writing a "real" parser in the python code would be quite some work, so
> - how difficult would it be to make apparmor_parser's code to parse dbus
> rules available via libapparmor? (Or a separate libapparmor_parser or
> libapparmor_private if you worry about including too much in
> libapparmor.)

I think writing a more complete parser in the python code would be a
mistake. Unfortunately, exposing the existing parser functionality in
libapparmor is a lot of work. It took me months to move the parser's
cache handling and policy loading functionality into libapparmor and I
think that is likely easier than moving the policy parsing code to
libapparmor. I think it is the right path forward for better integration
with the utils but I don't think it is likely to happen in the near term. :/


I've got a patch in progress that adjusts the dbus rule regex to accept
any order of dbus rule attributes at the expense of losing the ability
to detect multiple, repeated attributes. What this means is that the
following *valid* rule will parse:

  dbus path=/ bus=session,

But that the following *invalid* rule will also parse:

  dbus bus=session bus=system,

The utils will see that rule as 'dbus bus=system,' as the last match of
a given attribute will be used.

While not perfect, I think this is a better approach than refusing to
parse valid profiles that have existed for quite a few years. What do
you think?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1628286

Title:
  [utils] DBus rules enforce stricter ordering of dbus attributes

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1628286/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
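The trade-off described in the message above (accepting dbus attributes in any order by letting the last match of an attribute win, versus rejecting repeated attributes) can be shown in a few lines of Python. The following is an added example and is not the AppArmor utils' own code; it uses a constructed, simplified dbus rule grammar (an optional access keyword plus unquoted bus=, path=, name=, interface= and member= conditionals, no peer=(...) or quoted values), and the function and variable names are assumptions. It goes one step beyond the message by adding a separate token scan that recovers the duplicate detection the single-regex approach gives up:

```python
import re
from collections import Counter

# Constructed, simplified model of the dbus rule syntax: the optional access
# keyword followed by any of the conditionals below as key=value tokens, in
# any order, terminated by a comma.  Values are unquoted; peer=(...), quoted
# strings and the audit/deny prefixes are left out.  This is not the regex
# from the AppArmor Python utils, only an illustration of the trade-off.
ATTRS = ("bus", "path", "name", "interface", "member")
_VALUE = r"[^\s,]+"

# One alternative per attribute inside a repeated group, so the attributes
# may appear in any order.  Python's re keeps only the LAST repetition's
# text for a named group that sits inside a repeated group, so a duplicated
# attribute silently resolves to its final occurrence.
_ANY_ORDER = "|".join(rf"{a}=(?P<{a}>{_VALUE})" for a in ATTRS)
DBUS_RULE_RE = re.compile(
    r"^\s*dbus"
    r"(?:\s+(?P<access>send|receive|bind|eavesdrop))?"
    rf"(?:\s+(?:{_ANY_ORDER}))*"
    r"\s*,\s*$"
)


def parse_any_order(rule: str) -> dict:
    """Parse with the order-insensitive regex; last match of an attribute wins."""
    m = DBUS_RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"not a dbus rule in this grammar: {rule!r}")
    return {k: v for k, v in m.groupdict().items() if v is not None}


def duplicated_attributes(rule: str) -> list:
    """Return the attribute names that occur more than once, sorted.

    A separate token scan recovers what the single regex throws away: it
    counts every key=value token regardless of where it sits in the rule.
    """
    counts = Counter()
    for tok in re.findall(r"[^\s,]+", rule):
        key, eq, _ = tok.partition("=")
        if eq and key in ATTRS:
            counts[key] += 1
    return sorted(k for k, n in counts.items() if n > 1)


def parse_strict(rule: str) -> dict:
    """Same grammar, but refuse a rule that repeats an attribute."""
    parsed = parse_any_order(rule)
    dupes = duplicated_attributes(rule)
    if dupes:
        raise ValueError(f"attribute(s) repeated in {rule!r}: {', '.join(dupes)}")
    return parsed


if __name__ == "__main__":
    # Constructed sample rules: the valid one from the message above, the
    # invalid duplicate, and a fuller rule with the conditionals reordered.
    samples = [
        "dbus path=/ bus=session,",
        "dbus bus=session bus=system,",
        "dbus send member=Hello interface=org.freedesktop.DBus bus=system path=/org/freedesktop/DBus,",
    ]
    for rule in samples:
        print(f"{rule}\n  lenient: {parse_any_order(rule)}")
        try:
            print(f"  strict:  {parse_strict(rule)}")
        except ValueError as e:
            print(f"  strict:  rejected ({e})")
```

Run stand-alone, the lenient parser reports `{'bus': 'system'}` for `dbus bus=session bus=system,`, exactly the last-match behaviour the message describes, while `parse_strict` rejects it and still accepts `dbus path=/ bus=session,` whatever the attribute order. The cost of the strict variant is a second pass over the rule text; the regex itself is unchanged.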
