<div dir="ltr">Hello,<br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 25, 2015 at 9:36 PM, Christian Boltz <span dir="ltr"><<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
this patch lets aa-audit print a warning if a profile is disabled.<br>
<br>
Users might expect that setting a profile into audit mode also activates<br>
it (which shouldn't happen IMHO because the audit flag is not part of<br>
the enforce/complain/disable triple), so we should at least tell them.<br>
<br>
References: <a href="https://bugs.launchpad.net/apparmor/+bug/1429448" target="_blank">https://bugs.launchpad.net/apparmor/+bug/1429448</a><br>
<br>
<br>
I propose this patch for trunk and 2.9.<br>
<br>
<br>
[ 37-aa-audit-warn-about-disabled-profiles.diff ]<br>
<br>
=== modified file utils/apparmor/tools.py<br>
--- utils/apparmor/tools.py 2015-05-25 17:29:05.067517743 +0200<br>
+++ utils/apparmor/tools.py 2015-05-25 17:59:05.837870272 +0200<br>
@@ -186,6 +186,11 @@<br>
aaui.UI_Info(_('Removing audit mode from %s.') % output_name)<br>
apparmor.change_profile_flags(profile, program, 'audit', not self.remove)<br>
<br>
+ disable_link = '%s/disable/%s' % (apparmor.profile_dir, os.path.basename(profile))<br>
+<br></blockquote><div>The aa.py code uses: re.sub('^%s' % profile_dir, '%s/%s' % (profile_dir, subdir), path)<br></div><div>to generate disable_link.<br><br>I'd suggest we should change that code (which I think is probably a waste of an re.sub call) to follow the above style? or you could do vice versa.<br><br></div><div>For fun a comparison of speed of the two methods[1]:<br></div><div>Python 2.7: re=2.87s cboltz=0.56s<br></div><div>Python 3.4: re=2.39s cboltz=1.09s<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
+ if os.path.exists(disable_link):<br>
+ aaui.UI_Info(_('\nWarning: the profile %s is disabled. Use aa-enforce or aa-complain to enable it.') % os.path.basename(profile))<br>
+<br></blockquote><div>Also, the message should probably tell the profile for which _program_ is disabled rather than give the filename? Giving program name would also be useful for a user who would like to run aa-complain or aa-enforce thereafter.<br><br></div><div>With the warning message modified suitably.<br><br>Acked-by: Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com" target="_blank">kgupta8592@gmail.com</a>>. <br></div><div><br></div><div>Thanks.<br><br></div><div>Regards,<br><br></div><div>Kshitij Gupta<br><br></div><div>[1]: timeit calls used for timing,<br></div><div> cboltz- timeit.timeit("'%s/disable/%s' % (profile_dir, os.path.basename(profile))", setup="import os; profile_dir='/etc/apparmor.d';profile='/etc/apparmor.d/usr.sbin' ")<br><br></div><div> re- timeit.timeit("re.sub('^%s' % profile_dir, '%s/%s' % (profile_dir, subdir), path)", setup="import re; profile_dir='/etc/apparmor.d';subdir='disable';path='/etc/apparmor.d/usr.sbin'")<br></div><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
self.reload_profile(profile)<br>
<br>
def cmd_autodep(self):<br>
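</blockquote><div>Review bot: the os.path.exists(disable_link) test in the added lines follows symlinks, so a dangling link at that path makes it return False and the warning is silently skipped; os.path.lexists(disable_link) would test for the entry itself. The warning also runs whether audit mode is being set or removed (it sits after the call that passes 'not self.remove'), and the leading '\n' is inside the translatable string, so consider moving the newline outside _().<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">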
<br>
<br>
<br>
Regards,<br>
<br>
Christian Boltz<br>
<span class=""><font color="#888888">--<br>
What are you doing?!? The message is over, GO AWAY!<br>
<br>
<br>
--<br>
AppArmor mailing list<br>
<a href="mailto:AppArmor@lists.ubuntu.com">AppArmor@lists.ubuntu.com</a><br>
Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/apparmor" target="_blank">https://lists.ubuntu.com/mailman/listinfo/apparmor</a><br>
</font></span></blockquote></div><br></div></div>
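The two ways of building the disable path that the reply above compares for speed, as an added example (not code from the message or from AppArmor) that checks whether they return the same path. The `compare` helper, the `escape` option and every sample path except `/etc/apparmor.d/usr.sbin` are assumptions constructed for illustration.

```python
import os
import re

PROFILE_DIR = '/etc/apparmor.d'  # value from the message's timeit setup


def link_by_format(profile_dir, profile):
    # Style used in the patch: keep only the file name of the profile.
    return '%s/disable/%s' % (profile_dir, os.path.basename(profile))


def link_by_resub(profile_dir, subdir, path, escape=False):
    # Style quoted from aa.py: profile_dir is interpolated into a regex.
    # escape=True is a hypothetical variant that matches it literally.
    prefix = re.escape(profile_dir) if escape else profile_dir
    return re.sub('^%s' % prefix, '%s/%s' % (profile_dir, subdir), path)


def compare(path, profile_dir=PROFILE_DIR):
    """Return the disable path each method builds for one profile path."""
    return {
        'format': link_by_format(profile_dir, path),
        're': link_by_resub(profile_dir, 'disable', path),
        're_escaped': link_by_resub(profile_dir, 'disable', path, escape=True),
    }


# Constructed sample paths (only the first appears in the message).
SAMPLES = [
    '/etc/apparmor.d/usr.sbin',      # profile directly in profile_dir
    '/etc/apparmor.d/sub/usr.sbin',  # profile in a subdirectory
    '/etc/apparmorXd/usr.sbin',      # '.' in the regex matches 'X'
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(sample)
        for method, link in sorted(compare(sample).items()):
            print('  %-10s %s' % (method, link))
```

The three methods agree only for a profile directly inside profile_dir; the unescaped pattern also rewrites a path outside it because '.' matches any character.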