On 12/08/2011 09:54 AM, Seth Arnold wrote:
> Is libapparmor similarly well-behaved without the parent field?

I hope so, as genprof is using it. You can give it a try yourself if you want. Do something along the lines of:

    Make sure firefox doesn't have a profile
    turn off printk ratelimiting (/proc/sys/kernel/printk_ratelimit)
    aa-genprof firefox
    run firefox
    quit genprof (we were just using it to create and load the complain profile)
    grep apparmor /var/log/syslog | sed 's/parent=[^ ]*//g' > log.txt
    aa-logprof -f log.txt

I reran prof several times against such a log, trying different transitions. px, cx, named. And they all seemed to work. Not saying it doesn't need more testing but I was hoping people who want to object could do some testing and bring up cases that it fails :)

> ------Original Message------
> From: John Johansen
> Sender: [email protected]
> To: apparmor
> Subject: [apparmor] Remove parent=XXXX for logging format
> Sent: Dec 8, 2011 7:17 AM
>
> I would like to propose we remove the parent=XXXX field from log messages.
> This used to be used for fork tracking when we used a single
> null-complain-profile. However we now use a unique profile name in place
> of a single null-complain-profile
>
> eg.
> profile="/usr/lib/firefox-8.0/firefox.sh//null-e2"
>
> this provides the parentage
> /usr/lib/firefox-8.0/firefox.sh
>
> and a unique instance to track against
> null-e2
>
> genprof/logprof were updated to support the new syntax several cycles
> ago, and I have done a quick test of using them on a log with the
> parent=XXXX field removed and everything seemed to work fine.
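Added example, not part of the original thread and not AppArmor's own code: a Python sketch that applies the same parent= substitution as the sed command above and then recovers the parentage and the unique instance from the profile name alone. The log lines are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

FX = "/usr/lib/firefox-8.0/firefox.sh"
# Constructed sample lines in the key=value style of AppArmor audit messages;
# pids, audit ids and file names are made up for this example.
SAMPLE_LOG = "\n".join([
    'kernel: type=1400 audit(1323364201.100:10): apparmor="ALLOWED" operation="exec" '
    'parent=2001 profile="%s" name="/usr/bin/basename" pid=2002 target="%s//null-e2"' % (FX, FX),
    'kernel: type=1400 audit(1323364201.101:11): apparmor="ALLOWED" operation="open" '
    'parent=2001 profile="%s//null-e2" name="/etc/ld.so.cache" pid=2002' % FX,
    'kernel: type=1400 audit(1323364201.102:12): apparmor="ALLOWED" operation="open" '
    'parent=2001 profile="%s//null-e2" name="/lib/libc.so.6" pid=2002' % FX,
])

def strip_parent(line):
    """Same substitution as sed 's/parent=[^ ]*//g' in the message."""
    return re.sub(r"parent=[^ ]*", "", line)

def parse_fields(line):
    """Parse key=value and key="value" pairs into a dict, dropping quotes."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}

def split_profile(profile):
    """Return (parent profile, null instance); instance is None for a plain profile."""
    base, sep, last = profile.rpartition("//")
    if sep and last.startswith("null-"):
        return base, last
    return profile, None

def group_by_instance(log):
    """Group (operation, name) events by (parent profile, null instance)."""
    groups = defaultdict(list)
    for line in log.splitlines():
        fields = parse_fields(strip_parent(line))
        if "profile" in fields:
            key = split_profile(fields["profile"])
            groups[key].append((fields["operation"], fields["name"]))
    return dict(groups)

if __name__ == "__main__":
    for (parent, instance), events in group_by_instance(SAMPLE_LOG).items():
        print(parent, instance, events)
```
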
