[apparmor] [patch 06/11] utils: split out aa-enforce function

Steve Beattie steve at nxnw.org
Thu Mar 6 01:44:40 UTC 2014


This patch splits out the aa-enforce functionality into a separate
method in the aa_tools class.  It also removes one last reference to
the no-longer-existent -r option in the aa-enforce manpage.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 utils/aa-enforce        |    4 ++--
 utils/aa-enforce.pod    |    2 +-
 utils/apparmor/aa.py    |    8 ++++----
 utils/apparmor/tools.py |   18 ++++++++++++++++++
 4 files changed, 25 insertions(+), 7 deletions(-)

Index: b/utils/aa-enforce
===================================================================
--- a/utils/aa-enforce
+++ b/utils/aa-enforce
@@ -29,6 +29,6 @@ args = parser.parse_args()
 # on the Tool class are implemented
 args.remove = True
 
-enforce = apparmor.tools.aa_tools('complain', args)
+tool = apparmor.tools.aa_tools('complain', args)
 
-enforce.act()
+tool.cmd_enforce()
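Review bot: The tool is still constructed as `aa_tools('complain', args)` with `args.remove = True` set just above, even though the new last line calls `cmd_enforce()` instead of `act()`; if the constructor uses its first argument only for option parsing this is harmless, but the 'complain' name and the forced `remove` flag now read as leftovers of the old remove-the-complain-flag route and will confuse the next reader. Consider `tool = apparmor.tools.aa_tools('enforce', args)` and dropping `args.remove = True` once `cmd_enforce` no longer depends on it, or a one-line comment stating why 'complain' is still required here. The `aa_tools` constructor is not in this patch, so whether it keys behaviour off the name cannot be checked from here.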
Index: b/utils/apparmor/tools.py
===================================================================
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -163,6 +163,24 @@ class aa_tools:
             if cmd_info[0] != 0:
                 raise apparmor.AppArmorException(cmd_info[1])
 
+    def cmd_enforce(self):
+        for (program, profile) in self.get_next_to_profile():
+
+            apparmor.read_profiles()
+            output_name = profile if program is None else program
+
+            if not os.path.isfile(profile) or apparmor.is_skippable_file(profile):
+                aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
+                continue
+
+            apparmor.set_enforce(profile, program)
+
+            # FIXME: this should be a profile_reload function/method
+            cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
+
+            if cmd_info[0] != 0:
+                raise apparmor.AppArmorException(cmd_info[1])
+
     def clean_profile(self, program):
         filename = apparmor.get_profile_filename(program)
         import apparmor.cleanprofile as cleanprofile
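Review bot: `cmd_enforce` treats a missing or skippable profile as informational — `aaui.UI_Info(_('Profile for %s not found, skipping'))` followed by `continue` — so a request to enforce a program whose profile does not exist prints one line and, as far as this hunk shows, the run ends as success while the program stays in whatever mode it was; for a tool whose purpose is to tighten confinement, a warning-level message or a non-zero exit would make that outcome visible to callers and scripts. The method also lacks a docstring; `"""Switch each requested profile to enforce mode and reload it through the parser."""` would do. The reload-and-raise pair at the end of the loop duplicates the two context lines from `act()` at the top of the hunk, which the existing FIXME already notes; a shared `_reload_profile(profile)` helper would remove the copy. The enclosing class continues outside the hunk.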
Index: b/utils/aa-enforce.pod
===================================================================
--- a/utils/aa-enforce.pod
+++ b/utils/aa-enforce.pod
@@ -27,7 +27,7 @@ being disabled or I<complain> mode.
 
 =head1 SYNOPSIS
 
-B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>]
 
 =head1 OPTIONS
 
Index: b/utils/apparmor/aa.py
===================================================================
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -256,14 +256,14 @@ def enforce(path):
 
 def set_complain(filename, program):
     """Sets the profile to complain mode"""
-    aaui.UI_Info(_('Setting %s to complain mode.') % program)
+    aaui.UI_Info(_('Setting %s to complain mode.') % (filename if program is None else program))
     # a force-complain symlink is more packaging-friendly, but breaks caching
     # create_symlink('force-complain', filename)
     change_profile_flags(filename, program, 'complain', True)
 
 def set_enforce(filename, program):
     """Sets the profile to enforce mode"""
-    aaui.UI_Info(_('Setting %s to enforce mode.') % program)
+    aaui.UI_Info(_('Setting %s to enforce mode.') % (filename if program is None else program))
     delete_symlink('force-complain', filename)
     delete_symlink('disable', filename)
     change_profile_flags(filename, program, 'complain', False)
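Review bot: The display-name expression `(filename if program is None else program)` is now written out identically in `set_complain` and `set_enforce`, and the same selection appears a third time as `output_name` in tools.py's `cmd_enforce`; a small helper such as `def profile_display_name(filename, program): return filename if program is None else program` would keep the three in step if the rule ever changes. Nothing else in this hunk changes behaviour beyond the message text. Both functions' docstrings could also mention that `program=None` means the message names the file instead.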
@@ -592,7 +592,7 @@ def get_profile_flags(filename, program)
                 matches = RE_PROFILE_START.search(line).groups()
                 profile = matches[1] or matches[3]
                 flags = matches[6]
-                if profile == program:
+                if profile == program or program is None:
                     return flags
 
     raise AppArmorException(_('%s contains no profile') % filename)
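Review bot: With `program is None`, `get_profile_flags` now returns the flags of the first profile header matched in the file (`return flags` fires on the first hit), while the companion change in `set_profile_flags` at line 644 appears to apply the new flags to every profile header whose iteration reaches `binary == program or program is None`; for a file that holds more than one profile the getter would report one profile and the setter touch all of them, and the caller cannot tell which. Worth either stating in both docstrings that `program=None` means "the whole file" or restricting the None case to single-profile files. Whether the set loop breaks after the first rewrite is outside the hunk, so the asymmetry is inferred rather than confirmed.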
@@ -644,7 +644,7 @@ def set_profile_flags(prof_filename, pro
                         binary = matches[1]
                         flag = matches[6] or 'flags='
                         flags = matches[7]
-                        if binary == program:
+                        if binary == program or program is None:
                             if newflags:
                                 line = '%s%s %s(%s) {%s\n' % (space, binary, flag, newflags, comment)
                             else:



