• anonym's avatar
    Rework how we test AppArmor denials. · 5cb5daf4
    anonym authored
    The basic idea is to first run a "I start monitoring the AppArmor log"
    step, which records the current time, and that any "AppArmor has
    denied" step run for the same profile later will only look at entries
    from that time and on. The wordings on the steps now make the
    scenarios a bit clearer, and we also don't have to clear syslog any
    more as an ugly workaround.
    Furthermore, this will bring us close to a clean solution of #9924,
    which will require us to run a sysctl command *before* anything that
    could generate the AppArmor log entries we're interested in. The "I
    monitor" step is a perfect candidate for that, wereas we before would
    need yet another step.