[apparmor] [PATCH] utils: Don't read apparmorfs/profiles when checking enabled status

Tyler Hicks tyhicks at canonical.com
Wed Dec 16 22:03:37 UTC 2015


`sudo aa-status --enabled` was exiting with error code '2' when AppArmor
was enabled but no profiles were loaded. However, the intent of the
command is to check if AppArmor is enabled and whether or not a profile
is loaded should not affect the exit code. This patch adjusts the logic
so that the lack of a loaded profile does not affect the exit code.

Additionally, since reading the list of loaded profiles requires root
privileges, `aa-status --enabled` had to be run with root privileges.
The list of loaded profiles no longer needs to be read so
`aa-status --enabled` can be run without root privileges on most newer
kernels.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---

Manually tested by bind mounting /dev/null on top of
/sys/kernel/security/apparmor/profiles.

Tyler

 utils/aa-status | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/utils/aa-status b/utils/aa-status
index 472b993..93acc2d 100755
--- a/utils/aa-status
+++ b/utils/aa-status
@@ -17,9 +17,8 @@ from apparmor.fail import enable_aa_exception_handler
 enable_aa_exception_handler()
 
 def cmd_enabled():
-    '''Returns error code if AppArmor is not enabled'''
-    if get_profiles() == {}:
-        sys.exit(2)
+    '''Exits with error code if AppArmor is not enabled'''
+    get_apparmor_status()
 
 def cmd_profiled():
     '''Prints the number of loaded profiles'''
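Review bot: the exit status of `aa-status --enabled` changes with this hunk and that should be documented alongside it. Before, `cmd_enabled()` exited 2 whenever `get_profiles()` came back empty; now the only non-zero exits come from inside `get_apparmor_status()` (the third hunk shows `sys.exit(3)` for "apparmor filesystem is not mounted", and the module-not-loaded branch presumably has its own code). Scripts that tested for `2` will silently change behaviour, so the docstring at `+    '''Exits with error code if AppArmor is not enabled'''` and the man page should list the codes `--enabled` can now return. The discarded return value of `get_apparmor_status()` is fine here.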
@@ -72,11 +71,8 @@ def cmd_verbose():
     if profiles == {}:
         sys.exit(2)
 
-def get_profiles():
-    '''Fetch loaded profiles'''
-
-    profiles = {}
-
+def get_apparmor_status():
+    '''Detect AppArmor status and, if enabled, return the path to apparmorfs'''
     if os.path.exists("/sys/module/apparmor"):
         stdmsg("apparmor module is loaded.")
     else:
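Review bot: the new docstring at `+def get_apparmor_status():` says the function returns the apparmorfs path "if enabled" but leaves out that it also writes `apparmor module is loaded.` through `stdmsg()` on the way, which is now the only output of a `--enabled` run whose purpose is the exit code; either say so in the docstring or move the message to the callers that want it. Also note that the unchanged context above (`if profiles == {}: sys.exit(2)` in `cmd_verbose()`) still treats an empty profile set as an error, so the commit message's "the lack of a loaded profile does not affect the exit code" holds for `--enabled` only; worth stating that scope in the description.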
@@ -88,6 +84,14 @@ def get_profiles():
         errormsg("apparmor filesystem is not mounted.")
         sys.exit(3)
 
+    return apparmorfs
+
+def get_profiles():
+    '''Fetch loaded profiles'''
+
+    profiles = {}
+
+    apparmorfs = get_apparmor_status()
     apparmor_profiles = os.path.join(apparmorfs, "profiles")
     try:
         f = open(apparmor_profiles)
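Review bot: with `get_profiles()` now calling `get_apparmor_status()` first, the `open(apparmor_profiles)` at the end of this hunk can no longer fail because apparmorfs is absent (that case has already exited with 3), so the remaining failure modes are a permission error, which is exactly the root requirement the commit message describes, and a missing `profiles` entry. Check that the `except` branch following this hunk (not shown) still distinguishes the two and keeps a stable exit code, since that path is what `--profiled` and `--verbose` callers will hit when run unprivileged. The commit message's "on most newer kernels" also deserves a word on what older kernels do differently, as nothing in the diff shows a kernel-version dependency.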
-- 
2.5.0
