[apparmor] [PATCH] Set flags for profiles represented by a glob
Goldwyn Rodrigues
rgoldwyn at suse.de
Fri Mar 23 01:28:12 UTC 2018
Getting and Setting profile represented by a glob does not work correctly
because they are checked for equality. Use a glob match to check for them.
Also, add a warning stating that the profile being set represents multiple programs.

traceroute is an example whose profile name is represented as
/usr/{sbin/traceroute,bin/traceroute.db} and exhibits the issue:

# aa-enforce /usr/sbin/traceroute
Setting /usr/sbin/traceroute to enforce mode.
ERROR: /etc/apparmor.d/usr.sbin.traceroute contains no profile

Signed-off-by: Goldwyn Rodrigues <rgoldwyn at suse.com>

diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 1e7f4bba..262c96f1 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -613,8 +613,9 @@ def get_profile_flags(filename, program):
if RE_PROFILE_START.search(line):
matches = parse_profile_start_line(line, filename)
profile = matches['profile']
+ profile_glob = AARE(profile, True)
flags = matches['flags']
- if profile == program or program is None:
+ if (program is not None and profile_glob.match(program)) or program is None:
return flags
raise AppArmorException(_('%s contains no profile') % filename)
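Review bot: with a glob match, the `return flags` in this hunk fires on the first profile in the file whose pattern matches `program`, so a broad glob profile earlier in the file shadows a later profile whose name is exactly `program`. Consider preferring an exact `profile == program` match and falling back to the glob only when no exact match exists. The condition also reduces to `if program is None or profile_glob.match(program):`, and constructing `AARE(profile, True)` only when `program is not None` avoids building a pattern that is never consulted.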
@@ -667,8 +668,11 @@ def set_profile_flags(prof_filename, program, newflags):
space = matches['leadingspace'] or ''
profile = matches['profile']
- if profile == program or program is None:
+ profile_glob = AARE(profile, True)
+ if (program is not None and profile_glob.match(program)) or program is None:
found = True
+ if program is not None and program != profile:
+ aaui.UI_Info('Warning: profile %s represents multiple programs' % profile)
header_data = {
'attachment': matches['attachment'] or '',
'flags': newflags,
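Review bot: the added `aaui.UI_Info('Warning: profile %s represents multiple programs' % profile)` string is not wrapped in `_()`, unlike the `_('%s contains no profile')` message in get_profile_flags, so it will not be translated. Its guard `program != profile` is a textual comparison, so the warning appears for any matching profile whose name differs from `program`, and the flags are still rewritten for the whole glob profile; since that changes the mode of every program the profile covers, the message should name the effect (the flags of `profile` are being changed, not only those of `program`). The match condition is now duplicated between get_profile_flags and set_profile_flags; a small shared helper would keep the two in step.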