[apparmor] [patch] aa-mergeprof: honor -d parameter

Christian Boltz apparmor at cboltz.de
Tue Jul 29 11:08:36 UTC 2014


While testing aa-mergeprof, I noticed that the -d/--dir parameter is 
ignored. This means the tempfile is created in /etc/apparmor.d, which 
breaks if args.merged is on another partition or aa-mergeprof is run as 

This is a 90% fix - it works in most cases, but still can break if
the "merged" profile (first parameter) is in a different directory or
partition than what is specified in --dir.

We should probably change write_profile() (in aa.py) - instead of
    newprof = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, dir=profile_dir)
it should use the dirname of prof_filename for dir=

=== modified file 'utils/aa-mergeprof'
--- utils/aa-mergeprof  2014-07-27 22:24:26 +0000
+++ utils/aa-mergeprof  2014-07-29 10:34:06 +0000
@@ -14,6 +14,7 @@
 # ----------------------------------------------------------------------
 import argparse
 import re
+import os
 import apparmor.aa
 import apparmor.aamode
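Review bot: `import os` is added after `import re`, which breaks the alphabetical order of the visible standard-library imports (argparse, re). Placing it between `import argparse` and `import re` keeps the block sorted and keeps future diffs in this area small.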
@@ -24,0 +25,0 @@

 profiles = [args.mine, args.base, args.other]
+profiledir = args.dir
+if profiledir:
+    apparmor.aa.profile_dir = apparmor.aa.get_full_path(profiledir)
+    if not os.path.isdir(apparmor.aa.profile_dir):
+        raise apparmor.AppArmorException(_("%s is not a directory.") %profiledir)
 def main():
     mergeprofiles = Merge(profiles)
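Review bot: the `os.path.isdir()` check runs only after `apparmor.aa.profile_dir` has already been overwritten, so on the error path the module global is left pointing at a path that is not a directory. Resolve `args.dir` into a local variable with `apparmor.aa.get_full_path()`, validate it, and assign to `apparmor.aa.profile_dir` only when the check passes. The error message also interpolates the raw `profiledir` rather than the resolved path that was actually tested, which makes a relative `--dir` harder to diagnose. The new statements sit at module level with no blank lines before `def main():`, so the exception is raised at load time outside `main()`; moving the block into `main()` (or at least restoring the two blank lines) would be cleaner. Style nit: `%profiledir` should be `% profiledir`.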


Christian Boltz
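
The write_profile() change suggested in the message above, sketched as an added example that is not part of the original post or of AppArmor's code: the tempfile is created in the directory of the target file, so the final rename never crosses a filesystem boundary. The function name `write_profile_atomically` and the sample file name are assumptions made for illustration.

```python
import os
import tempfile


def write_profile_atomically(prof_filename, content):
    """Hypothetical helper (not AppArmor's write_profile()).

    A rename is only atomic, and only possible at all, within one
    filesystem, so the tempfile is created next to the target instead of
    in a globally configured profile directory.
    """
    target_dir = os.path.dirname(os.path.abspath(prof_filename))
    newprof = tempfile.NamedTemporaryFile(
        'w', suffix='~', delete=False, dir=target_dir)
    try:
        with newprof:
            newprof.write(content)
            newprof.flush()
            os.fsync(newprof.fileno())
        # NamedTemporaryFile creates the file 0600; keep the mode of an
        # existing profile so the replacement does not change permissions.
        if os.path.exists(prof_filename):
            os.chmod(newprof.name, os.stat(prof_filename).st_mode & 0o7777)
        os.replace(newprof.name, prof_filename)
    except BaseException:
        # Do not leave a stray "...~" file behind on failure.
        if os.path.exists(newprof.name):
            os.unlink(newprof.name)
        raise
    return target_dir


def demo():
    # Constructed sample: a "merged" profile outside the default profile dir.
    with tempfile.TemporaryDirectory() as workdir:
        merged = os.path.join(workdir, 'usr.bin.example')
        with open(merged, 'w') as f:
            f.write('# old\n')
        os.chmod(merged, 0o644)
        used_dir = write_profile_atomically(merged, '# merged profile\n')
        with open(merged) as f:
            data = f.read()
        mode = os.stat(merged).st_mode & 0o7777
        leftovers = [n for n in os.listdir(workdir) if n.endswith('~')]
        return used_dir == workdir, data, mode, leftovers


if __name__ == '__main__':
    print(demo())
```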
