[apparmor] [patch 06/11] utils: split out aa-enforce function

Seth Arnold seth.arnold at canonical.com
Thu Mar 6 07:06:21 UTC 2014


On Wed, Mar 05, 2014 at 05:44:40PM -0800, Steve Beattie wrote:
> This patch splits out the aa-enforce functionality into a separate
> method in the aa_tools class.  It also removes one last reference to
> the no-longer-existent -r option in the aa-enforce manpage.
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Small comment inline...

Thanks

> ---
>  utils/aa-enforce        |    4 ++--
>  utils/aa-enforce.pod    |    2 +-
>  utils/apparmor/aa.py    |    8 ++++----
>  utils/apparmor/tools.py |   18 ++++++++++++++++++
>  4 files changed, 25 insertions(+), 7 deletions(-)
> 
> Index: b/utils/aa-enforce
> ===================================================================
> --- a/utils/aa-enforce
> +++ b/utils/aa-enforce
> @@ -29,6 +29,6 @@ args = parser.parse_args()
>  # on the Tool class are implemented
>  args.remove = True
>  
> -enforce = apparmor.tools.aa_tools('complain', args)
> +tool = apparmor.tools.aa_tools('complain', args)
>  
> -enforce.act()
> +tool.cmd_enforce()
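Review bot: the tool is still constructed with `apparmor.tools.aa_tools('complain', args)` on the `+tool =` line even though the call below it is now `tool.cmd_enforce()`; if the name passed to aa_tools drives any behaviour or user-facing messages, it should be 'enforce' here, otherwise the constructor argument should be dropped once the per-command methods no longer need it.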
> Index: b/utils/apparmor/tools.py
> ===================================================================
> --- a/utils/apparmor/tools.py
> +++ b/utils/apparmor/tools.py
> @@ -163,6 +163,24 @@ class aa_tools:
>              if cmd_info[0] != 0:
>                  raise apparmor.AppArmorException(cmd_info[1])
>  
> +    def cmd_enforce(self):
> +        for (program, profile) in self.get_next_to_profile():
> +
> +            apparmor.read_profiles()
> +            output_name = profile if program is None else program

If there's more than one profile returned from get_next_to_profile() this
will probably be annoyingly expensive. I started reading the depths of
this and got worried about the action-at-a-distance going on, so, uh, I
suspect we should leave it alone for now. But next time I'm looking for
something to do, remind me of this. :)

> +
> +            if not os.path.isfile(profile) or apparmor.is_skippable_file(profile):
> +                aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
> +                continue
> +
> +            apparmor.set_enforce(profile, program)
> +
> +            # FIXME: this should be a profile_reload function/method
> +            cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
> +
> +            if cmd_info[0] != 0:
> +                raise apparmor.AppArmorException(cmd_info[1])
> +
>      def clean_profile(self, program):
>          filename = apparmor.get_profile_filename(program)
>          import apparmor.cleanprofile as cleanprofile
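Review bot: in cmd_enforce, `apparmor.set_enforce(profile, program)` rewrites the profile file before the parser reload, so if `cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])` fails the raised AppArmorException leaves the file in enforce mode on disk while the kernel still holds the old policy; consider running the parser before changing the flags (or restoring them on failure) and including the profile name in the error so the user knows which one did not load. The new method also relies on `os`, `aaui` and `_` being imported in tools.py, which this hunk does not show.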
> Index: b/utils/aa-enforce.pod
> ===================================================================
> --- a/utils/aa-enforce.pod
> +++ b/utils/aa-enforce.pod
> @@ -27,7 +27,7 @@ being disabled or I<complain> mode.
>  
>  =head1 SYNOPSIS
>  
> -B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
> +B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>]
>  
>  =head1 OPTIONS
>  
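Review bot: the replacement SYNOPSIS line drops the closing `>` of the outer `B<...>` together with `[I<-r>]`: the old line ends `[I<-r>]>` while the new one ends `[I<-d /path/to/profiles>]`, leaving the B< formatting code unterminated so pod2man will warn or mis-render. It should end `[I<-d /path/to/profiles>]>`.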
> Index: b/utils/apparmor/aa.py
> ===================================================================
> --- a/utils/apparmor/aa.py
> +++ b/utils/apparmor/aa.py
> @@ -256,14 +256,14 @@ def enforce(path):
>  
>  def set_complain(filename, program):
>      """Sets the profile to complain mode"""
> -    aaui.UI_Info(_('Setting %s to complain mode.') % program)
> +    aaui.UI_Info(_('Setting %s to complain mode.') % (filename if program is None else program))
>      # a force-complain symlink is more packaging-friendly, but breaks caching
>      # create_symlink('force-complain', filename)
>      change_profile_flags(filename, program, 'complain', True)
>  
>  def set_enforce(filename, program):
>      """Sets the profile to enforce mode"""
> -    aaui.UI_Info(_('Setting %s to enforce mode.') % program)
> +    aaui.UI_Info(_('Setting %s to enforce mode.') % (filename if program is None else program))
>      delete_symlink('force-complain', filename)
>      delete_symlink('disable', filename)
>      change_profile_flags(filename, program, 'complain', False)
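Review bot: set_complain and set_enforce now accept program=None and print the filename instead, but their docstrings say nothing about that case; document that None means "the profile(s) in this file" rather than a named program, since change_profile_flags and the flag helpers changed below depend on that convention.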
> @@ -592,7 +592,7 @@ def get_profile_flags(filename, program)
>                  matches = RE_PROFILE_START.search(line).groups()
>                  profile = matches[1] or matches[3]
>                  flags = matches[6]
> -                if profile == program:
> +                if profile == program or program is None:
>                      return flags
>  
>      raise AppArmorException(_('%s contains no profile') % filename)
> @@ -644,7 +644,7 @@ def set_profile_flags(prof_filename, pro
>                          binary = matches[1]
>                          flag = matches[6] or 'flags='
>                          flags = matches[7]
> -                        if binary == program:
> +                        if binary == program or program is None:
>                              if newflags:
>                                  line = '%s%s %s(%s) {%s\n' % (space, binary, flag, newflags, comment)
>                              else:
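Review bot: with program=None, get_profile_flags in the previous hunk returns the flags of the first profile header in the file, while this hunk's `if binary == program or program is None:` makes set_profile_flags rewrite the flags of every profile header the regex matches in the file. The two should agree: if the intent is "the single profile in this file", restrict set_profile_flags to the first match as well, or document that None means all profiles in the file and make get_profile_flags consistent with it.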
> 
> 