[apparmor] [patch] utils: split out disable functionality in apparmor/tools.py
Christian Boltz
apparmor at cboltz.de
Fri Feb 28 20:34:51 UTC 2014
Hello,
Am Montag, 24. Februar 2014 schrieb Steve Beattie:
> This patch splits out the disable functionality from the
> apparmor/tools.py:act() method into a separate cmd_disable()
> method. The intent is to unwind the logic in act() into smaller, more
> digestible chunks, while sharing commonality via helper functions
> (e.g. the added get_next_to_profile() function).
Sounds like a good idea.
> I should note that one side effect is that this patch effectively
> neuters the -r (revert) option for aa-disable. I don't really like
> that option (I'd rather point people at using aa-enforce to undo
> aa-disable). I can submit a patch that either removes the option or
> adds the functionality if we desire it.
The -r option was probably inspired by the -r option of aa-complain and
aa-audit, but I understand your POV that it might be confusing in a
triple-state case (enforce/complain/disabled).
Anyway, either remove the -r option or make sure it's working ;-)
> --- a/utils/apparmor/tools.py
> +++ b/utils/apparmor/tools.py
...
> + def cmd_disable(self):
> + for program in self.get_next_to_profile():
> + filename = apparmor.get_profile_filename(program)
> + print('profile %s: filename is %s' % (program, filename))
NAK for the "print" line ;-) - it looks like forgotten debugging code.
Otherwise the patch looks good.
With the "print" removed, and a promise to fix or remove the -r option
in a follow-up patch,
Acked-by: Christian Boltz <apparmor at cboltz.de>
Regards,
Christian Boltz
--
[20:21] <jospoortvliet> ok but IF we do that, note that you'll have to
cook for 50+ people. [...]
[20:21] <suseROCKs> jospoortvliet, so you're saying you need 50
microwaves??? :-)
[from #opensuse-project]
More information about the AppArmor
mailing list