[apparmor] [patch] Let aa-audit print a warning if a profile is disabled

Kshitij Gupta kgupta8592 at gmail.com
Sat May 30 19:07:15 UTC 2015


Hello,

On Mon, May 25, 2015 at 9:36 PM, Christian Boltz <apparmor at cboltz.de> wrote:

> Hello,
>
> this patch lets aa-audit print a warning if a profile is disabled.
>
> Users might expect that setting a profile into audit mode also activates
> it (which shouldn't happen IMHO because the audit flag is not part of
> the enforce/complain/disable triple), so we should at least tell them.
>
> References: https://bugs.launchpad.net/apparmor/+bug/1429448
>
>
> I propose this patch for trunk and 2.9.
>
>
> [ 37-aa-audit-warn-about-disabled-profiles.diff ]
>
> === modified file utils/apparmor/tools.py
> --- utils/apparmor/tools.py     2015-05-25 17:29:05.067517743 +0200
> +++ utils/apparmor/tools.py     2015-05-25 17:59:05.837870272 +0200
> @@ -186,6 +186,11 @@
>                  aaui.UI_Info(_('Removing audit mode from %s.') %
> output_name)
>              apparmor.change_profile_flags(profile, program, 'audit', not
> self.remove)
>
> +            disable_link = '%s/disable/%s' % (apparmor.profile_dir,
> os.path.basename(profile))
> +
>
The aa.py code uses
    re.sub('^%s' % profile_dir, '%s/%s' % (profile_dir, subdir), path)
to generate disable_link.

I'd suggest we change that code (which I think is probably a waste
of an re.sub call) to follow the above style? Or you could do vice versa.

For fun, a comparison of the speed of the two methods[1]:
Python 2.7: re=2.87s cboltz=0.56s
Python 3.4: re=2.39s cboltz=1.09s

+            if os.path.exists(disable_link):
> +                aaui.UI_Info(_('\nWarning: the profile %s is disabled.
> Use aa-enforce or aa-complain to enable it.') % os.path.basename(profile))
> +
>
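Review bot: the `os.path.exists(disable_link)` check follows the symlink, so a disable entry whose target has been removed or renamed is reported as not disabled; `os.path.lexists(disable_link)` (or `os.path.islink`) tests for the entry itself and is the better fit for a path named `disable_link`. Also confirm that tools.py imports `os`, since this is the first use of `os.path` visible in the hunk context.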
Also, the message should probably say for which _program_ the profile is
disabled rather than give the filename? Giving the program name would also be
useful for a user who would like to run aa-complain or aa-enforce
thereafter.

With the warning message modified suitably.

Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>

Thanks.

Regards,

Kshitij Gupta

[1]: timeit calls used for timing,
      cboltz: timeit.timeit("'%s/disable/%s' % (profile_dir, os.path.basename(profile))",
                            setup="import os; profile_dir='/etc/apparmor.d'; profile='/etc/apparmor.d/usr.sbin'")

      re:     timeit.timeit("re.sub('^%s' % profile_dir, '%s/%s' % (profile_dir, subdir), path)",
                            setup="import re; profile_dir='/etc/apparmor.d'; subdir='disable'; path='/etc/apparmor.d/usr.sbin'")



>              self.reload_profile(profile)
>
>      def cmd_autodep(self):
>
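Review bot: the warning is printed and then the unchanged `self.reload_profile(profile)` still runs for a profile that was just reported as disabled; check whether that reload ends up loading the disabled profile into the kernel, and if it does, skip the reload (or return early) when the disable link exists rather than only warning.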
>
>
> Regards,
>
> Christian Boltz
> --
> What are you doing?!? The message is over, GO AWAY!
>
>
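The two constructions of the disable-link path compared in the reply, together with the presence check from the patch, as an added example (this is not code from the AppArmor utils or from either poster; the profile name and directory layout are constructed for the demo, and the re.escape() call in the re.sub variant is an addition that the quoted aa.py code does not have):

```python
# Added example, not code from the AppArmor utils or from either poster.
# It compares the two ways of deriving the disable-link path that the thread
# discusses and shows why the presence check should use os.path.lexists().
import os
import re
import tempfile


def disable_link_by_basename(profile_dir, profile):
    """The style from the patch: profile_dir + '/disable/' + basename(profile)."""
    return '%s/disable/%s' % (profile_dir, os.path.basename(profile))


def disable_link_by_re(profile_dir, profile, subdir='disable'):
    """The aa.py style as quoted in the reply: prefix substitution with re.sub.

    re.escape() is an addition here (not in the quoted code) so that the '.'
    in '/etc/apparmor.d' matches only a literal dot.  A path that does not
    start with profile_dir is returned unchanged, which the basename style
    never does.
    """
    return re.sub('^%s' % re.escape(profile_dir),
                  '%s/%s' % (profile_dir, subdir), profile)


def disable_link_state(profile_dir, profile):
    """Classify the disable entry for a profile: 'absent', 'dangling' or 'present'.

    os.path.exists() follows symlinks, so a disable link whose target was
    removed looks absent to it; os.path.lexists() reports the link itself.
    """
    link = disable_link_by_basename(profile_dir, profile)
    if not os.path.lexists(link):
        return 'absent'
    if not os.path.exists(link):
        return 'dangling'
    return 'present'


def is_profile_disabled(profile_dir, profile):
    """A disabled profile has a disable entry, dangling or not."""
    return disable_link_state(profile_dir, profile) != 'absent'


def demo():
    """Build a constructed profile_dir layout in a temp dir and return the
    states observed as the disable link is created and then left dangling."""
    with tempfile.TemporaryDirectory() as tmp:
        profile_dir = os.path.join(tmp, 'apparmor.d')
        os.makedirs(os.path.join(profile_dir, 'disable'))
        profile = os.path.join(profile_dir, 'usr.sbin.foo')  # constructed name
        with open(profile, 'w') as fh:
            fh.write('/usr/sbin/foo {\n}\n')

        seen = [disable_link_state(profile_dir, profile)]          # 'absent'
        os.symlink(profile, disable_link_by_basename(profile_dir, profile))
        seen.append(disable_link_state(profile_dir, profile))      # 'present'
        os.remove(profile)  # target gone: exists() says no, lexists() says yes
        seen.append(disable_link_state(profile_dir, profile))      # 'dangling'
        return seen


if __name__ == '__main__':
    print(demo())
```

Run as a script it prints the three states. The point is twofold: the basename form always yields a path under profile_dir/disable, while the re.sub form hands an out-of-tree profile path back untouched (so an exists() check on it would be looking at the profile file itself), and a disable link whose target is gone is only noticed when the check uses lexists().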