[apparmor] [patch] Let aa-audit print a warning if a profile is disabled
Christian Boltz
apparmor at cboltz.de
Mon May 25 16:06:05 UTC 2015
Hello,
this patch lets aa-audit print a warning if a profile is disabled.
Users might expect that setting a profile into audit mode also activates
it (which shouldn't happen IMHO because the audit flag is not part of
the enforce/complain/disable triple), so we should at least tell them.
References: https://bugs.launchpad.net/apparmor/+bug/1429448
I propose this patch for trunk and 2.9.
[ 37-aa-audit-warn-about-disabled-profiles.diff ]
=== modified file utils/apparmor/tools.py
--- utils/apparmor/tools.py 2015-05-25 17:29:05.067517743 +0200
+++ utils/apparmor/tools.py 2015-05-25 17:59:05.837870272 +0200
@@ -186,6 +186,11 @@
aaui.UI_Info(_('Removing audit mode from %s.') % output_name)
apparmor.change_profile_flags(profile, program, 'audit', not self.remove)
+ disable_link = '%s/disable/%s' % (apparmor.profile_dir, os.path.basename(profile))
+
+ if os.path.exists(disable_link):
+ aaui.UI_Info(_('\nWarning: the profile %s is disabled. Use aa-enforce or aa-complain to enable it.') % os.path.basename(profile))
+
self.reload_profile(profile)
def cmd_autodep(self):
Regards,
Christian Boltz
--
What are you doing?!? The message is over, GO AWAY!
More information about the AppArmor
mailing list