[apparmor] [patch] Allow aa-complain etc. to change profiles for non-existing binaries

Christian Boltz apparmor at cboltz.de
Mon May 25 15:44:20 UTC 2015


Hello,

aa-complain, aa-enforce, aa-disable and aa-audit refused to change
profiles for non-existing binaries. This patch also allows paths
starting with /. This also makes it possible to use
    aa-complain '/{usr/,}bin/ping'
and
    aa-complain /etc/apparmor.d/bin.ping


This patch fixes https://bugs.launchpad.net/apparmor/+bug/1416346

Well, mostly - we still need to decide how we handle wildcards in
profile names:
    aa-complain ping
    aa-complain /usr/bin/ping
will still error out with "Profile not found" because it isn't an exact
match (and matching the wildcard would change more than the user wants).

Any opinions how to handle this?


Oh, and this patch also fixes the last failure in minitools_test.py.
(Should we rename it to test-minitools.py to include it in "make check"?)



[ 36-allow-aa-complain-for-non-existing-binary.diff ]

=== modified file utils/apparmor/tools.py
--- utils/apparmor/tools.py     2015-05-25 15:35:11.965277806 +0200
+++ utils/apparmor/tools.py     2015-05-25 17:15:20.813029494 +0200
@@ -57,7 +57,7 @@
 
             program = None
             profile = None
-            if os.path.exists(p):
+            if os.path.exists(p) or p.startswith('/'):
                 fq_path = apparmor.get_full_path(p).strip()
                 if os.path.commonprefix([apparmor.profile_dir, fq_path]) == apparmor.profile_dir:
                     program = None
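
Review bot: the new p.startswith('/') test in the "if" lets any string that begins with a slash reach apparmor.get_full_path(p) even though nothing exists at that path, including a brace pattern such as '/{usr/,}bin/ping'. The hunk does not show how get_full_path treats a non-existent or pattern-valued argument, so a short comment on this line stating that such input is intended, plus a case in minitools_test.py for a non-existing binary, would make the behaviour explicit. Separately, the os.path.commonprefix comparison on the context line below it works character by character rather than by path component, so a path in a sibling directory whose name merely starts with the apparmor.profile_dir string would be classified as a profile file unless profile_dir ends in a separator; comparing against profile_dir with a trailing '/' would be safer now that arbitrary absolute paths are accepted here.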



Regards,

Christian Boltz
-- 
What is a floppy disk? Are those the things that always have some kind
of error whenever you need them?      [Timo Nentwig in suse-linux]



