[apparmor] [patch] aa-mergeprof: honor -d parameter

Christian Boltz apparmor at cboltz.de
Tue Jul 29 11:08:36 UTC 2014


While testing aa-mergeprof, I noticed that the -d/--dir parameter is 
ignored. This means the tempfile is created in /etc/apparmor.d, which 
breaks if args.merged is on another partition or aa-mergeprof is run as 

This is a 90% fix - it works in most cases, but can still break if
the "merged" profile (first parameter) is in a different directory or
partition than what is specified in --dir.

We should probably change write_profile() (in aa.py) - instead of
    newprof = tempfile.NamedTemporaryFile('w', suffix='~', delete=False, dir=profile_dir)
it should use the dirname of prof_filename for dir=

=== modified file 'utils/aa-mergeprof'
--- utils/aa-mergeprof  2014-07-27 22:24:26 +0000
+++ utils/aa-mergeprof  2014-07-29 10:34:06 +0000
@@ -14,6 +14,7 @@
 # ----------------------------------------------------------------------
 import argparse
 import re
+import os
 import apparmor.aa
 import apparmor.aamode
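Review bot: `import os` is added after `import re`, which breaks the alphabetical order the standard-library imports had (`argparse`, `re`); place it between `import argparse` and `import re`.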
@@ -24,0 +25,0 @@

 profiles = [args.mine, args.base, args.other]
+profiledir = args.dir
+if profiledir:
+    apparmor.aa.profile_dir = apparmor.aa.get_full_path(profiledir)
+    if not os.path.isdir(apparmor.aa.profile_dir):
+        raise apparmor.AppArmorException(_("%s is not a directory.") %profiledir)
 def main():
     mergeprofiles = Merge(profiles)
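Review bot: `apparmor.aa.profile_dir` is assigned before the `os.path.isdir()` check in the added block, so the module-level setting has already been changed when the exception is raised; resolve the path into a local variable, check it, and assign `apparmor.aa.profile_dir` only once the check passes. The block also sits at module level above `def main():`, so the exception is raised before `main()` runs; moving the check into `main()` would keep argument handling in one place. The error message formats the raw `profiledir` rather than the resolved path that was actually tested, and `%profiledir` should have a space after the `%`.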


Christian Boltz
If someone whines afterwards, "The picture is hanging now, but
I have a hole in the wall and a nail is sticking out...", then I have
serious doubts about whether it was such a good idea that this person
was handed a hammer and nail. [Igor Sverkos in postfixbuch-users]
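The change suggested in the message (creating the temp file in the directory of the file being written, so the final rename stays on one filesystem), as an added example that is not part of the original post or AppArmor's code. `write_file_atomically` and `same_filesystem` are hypothetical names, and the mode-preservation step is an assumption.

```python
import os
import tempfile


def write_file_atomically(target_path, content):
    """Write content to target_path via a temp file in the same directory.

    Hypothetical helper (not AppArmor's write_profile()): the temp file is
    created next to the target so the final rename never crosses a
    filesystem boundary, which is what keeps os.replace() atomic.
    """
    target_path = os.path.abspath(target_path)
    target_dir = os.path.dirname(target_path)
    if not os.path.isdir(target_dir):
        raise NotADirectoryError("%s is not a directory." % target_dir)

    # Same suffix/delete settings as the call quoted in the message, but
    # dir= is derived from the file being written, not a global directory.
    tmp = tempfile.NamedTemporaryFile('w', suffix='~', delete=False,
                                      dir=target_dir)
    try:
        with tmp:
            tmp.write(content)
            tmp.flush()
            os.fsync(tmp.fileno())
        # Keep the mode of an existing file; NamedTemporaryFile creates 0600.
        if os.path.exists(target_path):
            os.chmod(tmp.name, os.stat(target_path).st_mode & 0o7777)
        os.replace(tmp.name, target_path)
    except BaseException:
        # Do not leave a stray "...~" file behind on failure.
        if os.path.exists(tmp.name):
            os.unlink(tmp.name)
        raise
    return target_path


def same_filesystem(path_a, path_b):
    """True if both paths are on the same device (rename cannot hit EXDEV)."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev
```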
