[apparmor] [patch] fix audit toggle for capability (when asking in logprof)

Steve Beattie steve at nxnw.org
Sat Nov 15 00:28:57 UTC 2014


On Tue, Nov 11, 2014 at 09:53:32PM +0100, Christian Boltz wrote:
> while integrating the capability_rules class in aa.py, I noticed a bug:
> 
> When aa-logprof asks for adding capability rules, it also offers the 
> Audi(t) option. Unfortunately, this option does nothing ;-)
> 
> This patch fixes ask_the_question() so that it really ;-) allows 
> switching the audit flag on and off. It also initializes the "audit" 
> variable to make sure the next capability doesn't inherit the audit flag
> used for the previous capability.

Acked-by: Steve Beattie <steve at nxnw.org>, thanks.

> [ aa.py-audit-capability.diff ]
> 
> === modified file 'utils/apparmor/aa.py'
> --- utils/apparmor/aa.py        2014-11-09 00:33:40 +0000
> +++ utils/apparmor/aa.py        2014-11-11 20:44:47 +0000
> @@ -1561,6 +1570,7 @@
>                      q.headers += [_('Severity'), severity]
>  
>                      audit_toggle = 0
> +                    audit = ''
>  
>                      q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
>                                        'CMD_ABORT', 'CMD_FINISHED']
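Review bot: The added `audit = ''` sits directly beside `audit_toggle = 0`, so the same on/off state is now held in two variables that have to be reset together. A one-line comment saying both are reset per capability, so the previous answer does not carry over, would keep a later edit from dropping one of them. Since `audit_toggle` is flipped with `not` in the next hunk, initializing it as `False` rather than `0` would also match how it is used.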
> @@ -1586,16 +1598,17 @@
>                              done = True
>                              break
>  
> -                        if ans == 'CMD_AUDIT':
> +                        if ans.startswith('CMD_AUDIT'):
>                              audit_toggle = not audit_toggle
> -                            audit = ''
>                              if audit_toggle:
> -                                q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_OFF',
> -                                                  'CMD_ABORT', 'CMD_FINISHED']
> -                                audit = 'audit'
> +                                audit = 'audit '
> +                                audit_cmd = 'CMD_AUDIT_OFF'
>                              else:
> -                                q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
> -                                                  'CMD_ABORT', 'CMD_FINISHED', ]
> +                                audit = ''
> +                                audit_cmd = 'CMD_AUDIT_NEW'
> +
> +                            q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', audit_cmd,
> +                                              'CMD_ABORT', 'CMD_FINISHED', ]
>  
>                              q.headers = [_('Profile'), combine_name(profile, hat),
>                                              _('Capability'), audit + capability,
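Review bot: `ans.startswith('CMD_AUDIT')` in the changed condition accepts any command name with that prefix, not only the two this prompt offers. `ans in ('CMD_AUDIT_NEW', 'CMD_AUDIT_OFF')` would state the intent exactly and would not silently treat a future `CMD_AUDIT_*` command as a toggle. Separately, `audit` now carries a trailing space (`'audit '`) so that `audit + capability` reads correctly in the header; any use of `audit` outside this hunk should be checked against that changed value.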
> 
> 

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/