[apparmor] [patch 07/11] utils: split out aa-complain function

Seth Arnold seth.arnold at canonical.com
Thu Mar 6 07:16:17 UTC 2014


On Wed, Mar 05, 2014 at 05:44:41PM -0800, Steve Beattie wrote:
> This patch creates a separate tool.cmd_complain function, as well as
> removes the -r remove option, to match aa-enforce and aa-disable.
> It also cleans up some bits in aa-enforce now that aa-complain and
> aa-enforce have been separated.
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  utils/aa-complain       |    5 ++---
>  utils/aa-complain.pod   |    9 +--------
>  utils/aa-enforce        |    6 +-----
>  utils/apparmor/tools.py |   26 +++++++++++++++++++-------
>  4 files changed, 23 insertions(+), 23 deletions(-)
> 
> Index: b/utils/aa-complain
> ===================================================================
> --- a/utils/aa-complain
> +++ b/utils/aa-complain
> @@ -22,10 +22,9 @@ _ = init_translation()
>  
>  parser = argparse.ArgumentParser(description=_('Switch the given program to complain mode'))
>  parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
> -parser.add_argument('-r', '--remove', action='store_true', help=_('remove complain mode'))
>  parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
>  args = parser.parse_args()
>  
> -complain = apparmor.tools.aa_tools('complain', args)
> +tool = apparmor.tools.aa_tools('complain', args)
>  #print(args)
> -complain.act()
> +tool.cmd_complain()
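Review bot: Dropping the `-r`/`--remove` argument from the parser is a user-visible interface change, so any script that still runs `aa-complain -r` will now stop at argparse with a usage error instead of putting the profile back into enforce mode. That deserves a line in the release notes pointing callers at aa-enforce. While these lines are being touched, the commented-out `#print(args)` could be dropped as well.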
> Index: b/utils/apparmor/tools.py
> ===================================================================
> --- a/utils/apparmor/tools.py
> +++ b/utils/apparmor/tools.py
> @@ -30,7 +30,7 @@ class aa_tools:
>          self.check_profile_dir()
>          self.silent = None
>  
> -        if tool_name in ['audit', 'complain']:
> +        if tool_name in ['audit']:
>              self.remove = args.remove
>          elif tool_name == 'disable':
>              self.disabledir = apparmor.profile_dir + '/disable'
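Review bot: `if tool_name in ['audit']:` is now a membership test against a one-element list; `if tool_name == 'audit':` says the same thing and matches the `elif tool_name == 'disable':` directly below it.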
> @@ -122,12 +122,6 @@ class aa_tools:
>                              aaui.UI_Info(_('Removing audit mode from %s.') % program)
>                          apparmor.change_profile_flags(filename, program, 'audit', not self.remove)
>  
> -                    elif self.name == 'complain':
> -                        if not self.remove:
> -                            apparmor.set_complain(filename, program)
> -                        else:
> -                            apparmor.set_enforce(filename, program)
> -                        #apparmor.set_profile_flags(filename, self.name)
>                      else:
>                          # One simply does not walk in here!
>                          raise apparmor.AppArmorException('Unknown tool: %s' % self.name)
> @@ -177,6 +171,24 @@ class aa_tools:
>  
>              # FIXME: this should be a profile_reload function/method
>              cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
> +
> +            if cmd_info[0] != 0:
> +                raise apparmor.AppArmorException(cmd_info[1])
> +
> +    def cmd_complain(self):
> +        for (program, profile) in self.get_next_to_profile():
> +
> +            apparmor.read_profiles()
> +            output_name = profile if program is None else program
> +
> +            if not os.path.isfile(profile) or apparmor.is_skippable_file(profile):
> +                aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
> +                continue
> +
> +            apparmor.set_complain(profile, program)
> +
> +            # FIXME: this should be a profile_reload function/method
> +            cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
>  
>              if cmd_info[0] != 0:
>                  raise apparmor.AppArmorException(cmd_info[1])
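Review bot: The new cmd_complain() copies the parser reload and the `cmd_info[0] != 0` check from the method above it, including the `# FIXME: this should be a profile_reload function/method` comment, so there are now two copies to keep in sync. This is a good point to add the profile_reload helper the FIXME asks for and call it from both methods. Two smaller things in the same hunk: `apparmor.read_profiles()` sits inside the for loop and so runs once per program, and because `apparmor.set_complain(profile, program)` runs before the reload, a failed reload raises with the profile file already changed on disk and the remaining programs unprocessed. If that is intended, a comment saying so would help.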
> Index: b/utils/aa-enforce
> ===================================================================
> --- a/utils/aa-enforce
> +++ b/utils/aa-enforce
> @@ -24,11 +24,7 @@ parser = argparse.ArgumentParser(descrip
>  parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
>  parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
>  args = parser.parse_args()
> -# Set the remove flag since complain = !enforce
> -# XXX remove this entirely once conversion to individual cmd methods
> -# on the Tool class are implemented
> -args.remove = True
>  
> -tool = apparmor.tools.aa_tools('complain', args)
> +tool = apparmor.tools.aa_tools('enforce', args)
>  
>  tool.cmd_enforce()
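Review bot: With `args.remove = True` removed and the tool name now 'enforce', the constructor in this patch (which sets self.remove only for 'audit') leaves the instance without a `remove` attribute. cmd_enforce() is not shown in full in this diff, so please confirm it never reads self.remove; if it does, this will fail with AttributeError at run time.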
> Index: b/utils/aa-complain.pod
> ===================================================================
> --- a/utils/aa-complain.pod
> +++ b/utils/aa-complain.pod
> @@ -26,7 +26,7 @@ aa-complain - set an AppArmor security p
>  
>  =head1 SYNOPSIS
>  
> -B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
> +B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>]
>  
>  =head1 OPTIONS
>  
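Review bot: The new SYNOPSIS line loses the closing `>` of the outer `B<...>` formatting code. The old line ended `[I<-r>]>` and the new one ends `[I<-d /path/to/profiles>]`, so the `B<` is never closed. It should end `[I<-d /path/to/profiles>]>`; running podchecker on the file would catch this.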
> @@ -35,19 +35,12 @@ B<-d --dir  /path/to/profiles>
>     Specifies where to look for the AppArmor security profile set.
>     Defaults to /etc/apparmor.d.
>  
> -B<-r --remove>
> -
> -   Removes the complain mode for the profile.  
> -
>  =head1 DESCRIPTION
>  
>  B<aa-complain> is used to set the enforcement mode for one or more profiles to I<complain> mode.
>  In this mode security policy is not enforced but rather access violations
>  are logged to the system log.
>  
> -The I<--remove> option can be used to remove the complain mode for the profile,
> -setting it to enforce mode by default.
> -
>  =head1 BUGS
>  
>  If you find any bugs, please report them at
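Review bot: With the `--remove` paragraph deleted from DESCRIPTION, the page no longer tells the reader how to take a profile back out of complain mode. A one-sentence pointer to aa-enforce in DESCRIPTION, or in a SEE ALSO section if the page has one, would keep that information available.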
> 
> 