[apparmor] [patch 07/11] utils: split out aa-complain function

Steve Beattie steve at nxnw.org
Thu Mar 6 01:44:41 UTC 2014


This patch creates a separate tool.cmd_complain function and removes
the -r (--remove) option, to match aa-enforce and aa-disable.
It also cleans up some bits in aa-enforce now that aa-complain and
aa-enforce have been separated.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 utils/aa-complain       |    5 ++---
 utils/aa-complain.pod   |    9 +--------
 utils/aa-enforce        |    6 +-----
 utils/apparmor/tools.py |   26 +++++++++++++++++++-------
 4 files changed, 23 insertions(+), 23 deletions(-)

Index: b/utils/aa-complain
===================================================================
--- a/utils/aa-complain
+++ b/utils/aa-complain
@@ -22,10 +22,9 @@ _ = init_translation()
 
 parser = argparse.ArgumentParser(description=_('Switch the given program to complain mode'))
 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
-parser.add_argument('-r', '--remove', action='store_true', help=_('remove complain mode'))
 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
 args = parser.parse_args()
 
-complain = apparmor.tools.aa_tools('complain', args)
+tool = apparmor.tools.aa_tools('complain', args)
 #print(args)
-complain.act()
+tool.cmd_complain()
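Review bot: Dropping `-r`/`--remove` from the parser means an existing caller that runs `aa-complain -r <program>` to put a profile back into enforce mode now gets an argparse usage error, and the profile stays in complain mode, where policy is not enforced. Nothing in this hunk points such callers to `aa-enforce`; a line in the commit message or release notes such as `aa-complain -r is removed; use aa-enforce to return a profile to enforce mode` would cover it. The commented-out `#print(args)` kept between the two changed lines is debug residue and could go in the same change.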
Index: b/utils/apparmor/tools.py
===================================================================
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -30,7 +30,7 @@ class aa_tools:
         self.check_profile_dir()
         self.silent = None
 
-        if tool_name in ['audit', 'complain']:
+        if tool_name in ['audit']:
             self.remove = args.remove
         elif tool_name == 'disable':
             self.disabledir = apparmor.profile_dir + '/disable'
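Review bot: `if tool_name in ['audit']:` is a membership test against a one-element list; `if tool_name == 'audit':` says the same thing and matches the `elif tool_name == 'disable':` directly below it. With 'complain' removed from this test, `self.remove` is no longer set for the complain tool. The branch deleted from act() in the next hunk was its only reader visible in this patch, but the rest of the class lies outside the hunks, so any other read of `self.remove` reachable with name 'complain' or 'enforce' should be checked.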
@@ -122,12 +122,6 @@ class aa_tools:
                             aaui.UI_Info(_('Removing audit mode from %s.') % program)
                         apparmor.change_profile_flags(filename, program, 'audit', not self.remove)
 
-                    elif self.name == 'complain':
-                        if not self.remove:
-                            apparmor.set_complain(filename, program)
-                        else:
-                            apparmor.set_enforce(filename, program)
-                        #apparmor.set_profile_flags(filename, self.name)
                     else:
                         # One simply does not walk in here!
                         raise apparmor.AppArmorException('Unknown tool: %s' % self.name)
@@ -177,6 +171,24 @@ class aa_tools:
 
             # FIXME: this should be a profile_reload function/method
             cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
+
+            if cmd_info[0] != 0:
+                raise apparmor.AppArmorException(cmd_info[1])
+
+    def cmd_complain(self):
+        for (program, profile) in self.get_next_to_profile():
+
+            apparmor.read_profiles()
+            output_name = profile if program is None else program
+
+            if not os.path.isfile(profile) or apparmor.is_skippable_file(profile):
+                aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
+                continue
+
+            apparmor.set_complain(profile, program)
+
+            # FIXME: this should be a profile_reload function/method
+            cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
 
             if cmd_info[0] != 0:
                 raise apparmor.AppArmorException(cmd_info[1])
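Review bot: In `cmd_complain`, `apparmor.set_complain(profile, program)` changes the profile before the parser reload, and a non-zero reload raises out of the loop. The profile is then left flagged complain without having been reloaded, and the remaining programs are never processed. Since complain mode stops enforcement, the exception should at least name the affected profile, e.g. `raise apparmor.AppArmorException(_('Reloading %s failed: %s') % (output_name, cmd_info[1]))`, so the operator knows which one to re-check. The loop body also repeats the reload-and-check sequence of the preceding method shown as context (same FIXME), which is a good candidate for the shared reload helper the FIXME asks for. `apparmor.read_profiles()` runs once per program; whether it can be hoisted above the loop depends on code outside this hunk.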
Index: b/utils/aa-enforce
===================================================================
--- a/utils/aa-enforce
+++ b/utils/aa-enforce
@@ -24,11 +24,7 @@ parser = argparse.ArgumentParser(descrip
 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
 args = parser.parse_args()
-# Set the remove flag since complain = !enforce
-# XXX remove this entirely once conversion to individual cmd methods
-# on the Tool class are implemented
-args.remove = True
 
-tool = apparmor.tools.aa_tools('complain', args)
+tool = apparmor.tools.aa_tools('enforce', args)
 
 tool.cmd_enforce()
Index: b/utils/aa-complain.pod
===================================================================
--- a/utils/aa-complain.pod
+++ b/utils/aa-complain.pod
@@ -26,7 +26,7 @@ aa-complain - set an AppArmor security p
 
 =head1 SYNOPSIS
 
-B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>]
 
 =head1 OPTIONS
 
@@ -35,19 +35,12 @@ B<-d --dir  /path/to/profiles>
    Specifies where to look for the AppArmor security profile set.
    Defaults to /etc/apparmor.d.
 
-B<-r --remove>
-
-   Removes the complain mode for the profile.  
-
 =head1 DESCRIPTION
 
 B<aa-complain> is used to set the enforcement mode for one or more profiles to I<complain> mode.
 In this mode security policy is not enforced but rather access violations
 are logged to the system log.
 
-The I<--remove> option can be used to remove the complain mode for the profile,
-setting it to enforce mode by default.
-
 =head1 BUGS
 
 If you find any bugs, please report them at



