[apparmor] [patch] Let aa-audit print a warning if a profile is disabled
Kshitij Gupta
kgupta8592 at gmail.com
Sat May 30 19:07:15 UTC 2015
Hello,
On Mon, May 25, 2015 at 9:36 PM, Christian Boltz <apparmor at cboltz.de> wrote:
> Hello,
>
> this patch lets aa-audit print a warning if a profile is disabled.
>
> Users might expect that setting a profile into audit mode also activates
> it (which shouldn't happen IMHO because the audit flag is not part of
> the enforce/complain/disable triple), so we should at least tell them.
>
> References: https://bugs.launchpad.net/apparmor/+bug/1429448
>
>
> I propose this patch for trunk and 2.9.
>
>
> [ 37-aa-audit-warn-about-disabled-profiles.diff ]
>
> === modified file utils/apparmor/tools.py
> --- utils/apparmor/tools.py 2015-05-25 17:29:05.067517743 +0200
> +++ utils/apparmor/tools.py 2015-05-25 17:59:05.837870272 +0200
> @@ -186,6 +186,11 @@
> aaui.UI_Info(_('Removing audit mode from %s.') %
> output_name)
> apparmor.change_profile_flags(profile, program, 'audit', not
> self.remove)
>
> + disable_link = '%s/disable/%s' % (apparmor.profile_dir,
> os.path.basename(profile))
> +
>
The aa.py code uses: re.sub('^%s' % profile_dir, '%s/%s' % (profile_dir,
subdir), path)
to generate disable_link.
I'd suggest we should change that code (which I think is probably a waste
of an re.sub call) to follow the above style? or you could do vice versa.
For fun a comparison of speed of the two methods[1]:
Python 2.7: re=2.87s cboltz=0.56s
Python 3.4: re=2.39s cboltz=1.09s
+ if os.path.exists(disable_link):
> + aaui.UI_Info(_('\nWarning: the profile %s is disabled.
> Use aa-enforce or aa-complain to enable it.') % os.path.basename(profile))
> +
>
Also, the message should probably tell the profile for which _program_ is
disabled rather than give the filename? Giving program name would also be
useful for a user who would like to run aa-complain or aa-enforce
thereafter.
With the warning message modified suitably.
Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.
Thanks.
Regards,
Kshitij Gupta
[1]: timeit calls used for timing,
cboltz- timeit.timeit("'%s/disable/%s' % (profile_dir,
os.path.basename(profile))", setup="import os;
profile_dir='/etc/apparmor.d';profile='/etc/apparmor.d/usr.sbin' ")
re- timeit.timeit("re.sub('^%s' % profile_dir, '%s/%s' %
(profile_dir, subdir), path)", setup="import re;
profile_dir='/etc/apparmor.d';subdir='disable';path='/etc/apparmor.d/usr.sbin'")
> self.reload_profile(profile)
>
> def cmd_autodep(self):
>
>
>
> Regards,
>
> Christian Boltz
> --
> What are you doing?!? The message is over, GO AWAY!
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150531/71420c4f/attachment.html>
More information about the AppArmor
mailing list