[apparmor] [patch] fix audit toggle for capability (when asking in logprof)
Christian Boltz
apparmor at cboltz.de
Tue Nov 11 20:53:32 UTC 2014
Hello,
while integrating the capability_rules class in aa.py, I noticed a bug:
When aa-logprof asks for adding capability rules, it also offers the
Audi(t) option. Unfortunately, this option does nothing ;-)
This patch fixes ask_the_question() so that it really ;-) allows
switching the audit flag on and off. It also initializes the "audit"
variable to make sure the next capability doesn't inherit the audit flag
used for the previous capability.
[ aa.py-audit-capability.diff ]
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2014-11-09 00:33:40 +0000
+++ utils/apparmor/aa.py 2014-11-11 20:44:47 +0000
@@ -1561,6 +1570,7 @@
q.headers += [_('Severity'), severity]
audit_toggle = 0
+ audit = ''
q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
'CMD_ABORT', 'CMD_FINISHED']
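Review bot: the added audit = '' line sits next to audit_toggle = 0 with no comment saying why it is needed, and the reason (the next capability must not inherit the audit flag chosen for the previous one) is only in the mail text. A one-line comment on that line would keep the reset from being removed as redundant later. Since the second hunk introduces audit_cmd, consider also setting audit_cmd = 'CMD_AUDIT_NEW' here and using it in the initial q.functions list, so that the initial state and the toggled state are built the same way.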
@@ -1586,16 +1598,17 @@
done = True
break
- if ans == 'CMD_AUDIT':
+ if ans.startswith('CMD_AUDIT'):
audit_toggle = not audit_toggle
- audit = ''
if audit_toggle:
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_OFF',
- 'CMD_ABORT', 'CMD_FINISHED']
- audit = 'audit'
+ audit = 'audit '
+ audit_cmd = 'CMD_AUDIT_OFF'
else:
- q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
- 'CMD_ABORT', 'CMD_FINISHED', ]
+ audit = ''
+ audit_cmd = 'CMD_AUDIT_NEW'
+
+ q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', audit_cmd,
+ 'CMD_ABORT', 'CMD_FINISHED', ]
q.headers = [_('Profile'), combine_name(profile, hat),
_('Capability'), audit + capability,
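Review bot: ans.startswith('CMD_AUDIT') accepts any command name with that prefix, while the only audit commands this block ever offers are CMD_AUDIT_NEW and CMD_AUDIT_OFF. An explicit test such as ans in ('CMD_AUDIT_NEW', 'CMD_AUDIT_OFF') states the intent and will not start toggling by accident if another CMD_AUDIT* command is added. Also note that audit changes from 'audit' to 'audit ' (trailing space) so that audit + capability renders correctly in the header; any other use of audit outside this hunk should be checked to confirm it expects the trailing space.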
Regards,
Christian Boltz
--
What is a floppy disk? Are those the things that always have some
error whenever you need them? [Timo Nentwig in suse-linux]