[tahoe-dev] apparmor profile, /bin/sh invocation from tahoe

Mike Kazantsev mk.fraggod at gmail.com
Sat Mar 17 14:42:08 UTC 2012


Hi, list!

Today I was writing an apparmor profile for my tahoe setup and noted on
irc (#tahoe-lafs) that /bin/sh (symlinked to /bin/bash on my system)
and /usr/bin/file get forked-off at some point.
Apparently it was somewhat surprising behavior, so Zooko suggested
posting the cause on the list.

I've been able to track the invocations to standard python "platform"
module functions _syscmd_*, which are used in platform.machine()
(invokes 'os.popen("uname -p")') and platform.architecture()
('os.popen("file /usr/bin/python")').

Both are used in allmydata.get_platform() and platform.machine() is
used in _auto_deps.require_more().

Surprised me a bit as well, but apparently it's the easy and portable
way to tell these things, so I don't see that as an issue, but maybe
Zooko will be interested to know about it as well.

Aside from that, I'll probably refine the apparmor profile a bit and post
to "Tips and Tricks" section of the trac wiki, as suggested.

I think such a profile can be packaged in dpkgs for ubuntu, which also
uses apparmor, but I've never looked into how it's done there (maybe
profiles are in separate packages there, macros used for install,
paths, etc), so I'm in no position to advise such a thing.

Link to a profile in its current form:
https://github.com/mk-fg/apparmor-profiles/blob/master/profiles/opt.bin.tahoe

Would appreciate any criticism or comments on what else might be invoked
or accessed at runtime.


-- 
Mike Kazantsev // fraggod.net
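
An added example, not part of the original post and not Tahoe-LAFS code: a Python 3.8+ audit hook that records which programs a call such as platform.architecture() spawns, so the result can be cross-checked against a profile's exec rules. The helper names trace_spawns and exec_rules and the "ix" mode are assumptions, and the output depends on the Python version in use.

```python
import os
import platform
import shutil
import subprocess
import sys

_collectors = []  # audit hooks cannot be removed, so record only while tracing

def _text(value):
    try:
        return os.fsdecode(value)
    except TypeError:
        return repr(value)

def _hook(event, args):
    if not _collectors:
        return
    if event in ("subprocess.Popen", "os.exec", "os.posix_spawn"):
        exe, argv = _text(args[0]), [_text(a) for a in args[1]]
    elif event == "os.system":
        # system(3) runs the command through /bin/sh -c
        exe, argv = "/bin/sh", ["sh", "-c", _text(args[0])]
    else:
        return
    _collectors[-1].append((exe, argv))

sys.addaudithook(_hook)  # available since Python 3.8

def trace_spawns(fn, *args, **kwargs):
    """Call fn and return [(executable, argv), ...] for every program it ran."""
    seen = []
    _collectors.append(seen)
    try:
        fn(*args, **kwargs)
    finally:
        _collectors.pop()
    return seen

def exec_rules(seen):
    """Turn traced executables into candidate AppArmor exec rules."""
    rules = []
    for exe, _argv in seen:
        path = shutil.which(exe)
        # Resolve symlinks (e.g. /bin/sh -> /bin/bash); "ix" is an assumed default.
        rule = "%s ix," % os.path.realpath(path) if path else "# not found: %s" % exe
        if rule not in rules:
            rules.append(rule)
    return rules

if __name__ == "__main__":
    for func in (platform.machine, platform.architecture):
        seen = trace_spawns(func)
        print(func.__name__, [argv for _exe, argv in seen])
        print("\n".join(exec_rules(seen)))
```

Commands run through a shell appear only inside the argv of the /bin/sh entry, so read the printed argv lists as well as the generated rules.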