[apparmor] [patch] fix minitools to work with multiple profiles at once
Christian Boltz
apparmor at cboltz.de
Fri Feb 20 22:52:43 UTC 2015
Hello,
this patch fixes the minitools (aa-audit, aa-complain, aa-enforce,
aa-autodep) to work with multiple profiles at once.
The "trick" to fix the minitools is to call read_profiles() outside of
the for loop.
References: https://bugs.launchpad.net/apparmor/+bug/1378095
Note: aa-autodep will still crash in one special case - reproducer:
- copy the sshd profile from the "inactive" dir to /etc/apparmor.d/
(important: the profile has to contain hats!)
- run aa-autodep with multiple parameters:
aa-autodep /bin/true /bin/false
but that's a) rare and b) something for another patch (or bug report) ;-)
(basically this is caused by read_inactive_profiles() running multiple
times [1])
BTW: the minitools and tools.py probably need some other changes:
- a parameter to disable reloading/unloading the profile would be nice
- maybe reloading/unloading should be disabled by default if -d was given?
- the read_profiles() call can probably be moved to __init__()
- some command-specific tasks should be moved from __init__() to the
respective cmd_*() function
- some of the cmd_*() functions share lots of code and can probably be
merged without too many if blocks
but that's unrelated to this patch ;-)
I propose this patch for trunk and the 2.9 branch.
[ tools-fix-multi-profile.diff ]
=== modified file 'utils/apparmor/tools.py'
--- utils/apparmor/tools.py 2014-10-07 13:06:01 +0000
+++ utils/apparmor/tools.py 2015-02-20 21:55:40 +0000
@@ -83,12 +83,12 @@
yield (program, profile)
def act(self):
+ apparmor.read_profiles()
+
for (program, profile) in self.get_next_to_profile():
if program is None:
program = profile
- apparmor.read_profiles()
-
if not program or not(os.path.exists(program) or apparmor.profile_exists(program)):
if program and not program.startswith('/'):
program = aaui.UI_GetString(_('The given program cannot be found, please try with the fully qualified path name of the program: '), '')
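Review bot: with read_profiles() hoisted above the loop, every iteration now works from one in-memory parse instead of a fresh one; if a cmd_* path writes a profile to disk and a later iteration on the same program relies on re-reading that file, it will no longer see the change. Worth confirming that the per-profile code updates the in-memory profile data as well as the file, and that passing the same program twice on the command line still behaves sensibly.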
@@ -148,9 +148,10 @@
raise apparmor.AppArmorException(cmd_info[1])
def cmd_enforce(self):
+ apparmor.read_profiles()
+
for (program, profile) in self.get_next_to_profile():
- apparmor.read_profiles()
output_name = profile if program is None else program
if not os.path.isfile(profile) or apparmor.is_skippable_file(profile):
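Review bot: cmd_enforce, cmd_complain and cmd_audit now each open with the identical `apparmor.read_profiles()` line in front of the same `for (program, profile) in self.get_next_to_profile():` loop; consider hoisting the call into the shared entry point (or __init__, as the cover mail itself suggests) so a future cmd_* function cannot forget it.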
@@ -166,9 +167,10 @@
raise apparmor.AppArmorException(cmd_info[1])
def cmd_complain(self):
+ apparmor.read_profiles()
+
for (program, profile) in self.get_next_to_profile():
- apparmor.read_profiles()
output_name = profile if program is None else program
if not os.path.isfile(profile) or apparmor.is_skippable_file(profile):
@@ -184,9 +186,10 @@
raise apparmor.AppArmorException(cmd_info[1])
def cmd_audit(self):
+ apparmor.read_profiles()
+
for (program, profile) in self.get_next_to_profile():
- apparmor.read_profiles()
output_name = profile if program is None else program
if not os.path.isfile(profile) or apparmor.is_skippable_file(profile):
@@ -207,13 +210,13 @@
raise apparmor.AppArmorException(cmd_info[1])
def cmd_autodep(self):
+ apparmor.read_profiles()
+
for (program, profile) in self.get_next_to_profile():
if not program:
aaui.UI_Info(_('Please pass an application to generate a profile for, not a profile itself - skipping %s.') % profile)
continue
- apparmor.read_profiles()
-
apparmor.check_qualifiers(program)
if os.path.exists(apparmor.get_profile_filename(program)) and not self.force:
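Review bot: the aa-autodep crash described in the cover mail (inactive profile with hats, several arguments) is left in place here: read_profiles() is hoisted, but read_inactive_profiles() is still reached once per iteration. Moving that call out of the loop in the same way would be the consistent fix and would make the global flag in the aa.py proof-of-concept unnecessary.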
Regards,
Christian Boltz
[1] proof-of-concept patch - fixes the problem, but I'm not sure if I
want it as final solution (opinions?)
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2015-02-20 20:36:55 +0000
+++ utils/apparmor/aa.py 2015-02-20 22:48:43 +0000
@@ -2593,7 +2593,15 @@
else:
read_profile(profile_dir + '/' + file, True)
+inactive_profiles_already_read = False
+
def read_inactive_profiles():
+ global inactive_profiles_already_read
+ if inactive_profiles_already_read:
+ print("read_inactive_profiles called a second time, IGNORING")
+ return
+ inactive_profiles_already_read = True
+
if not os.path.exists(extra_profile_dir):
return None
try:
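Review bot: the guard writes to stdout with a bare print() and silently turns every later call into a no-op; the tools route user-facing messages through aaui (see aaui.UI_Info in cmd_autodep above), and a caller that legitimately needs to re-read (tests, or a long-lived process) has no way to reset inactive_profiles_already_read. If the flag stays, use the module's debug/log channel rather than print and provide a reset; the simpler fix is to call read_inactive_profiles() once outside the loop, as this patch already does for read_profiles().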
--
> which log do you want to see ???
This is the Postfixbuch-Users list, so maybe the log from,
hmmm, Postfix? Just an idea.
[> R. Wilhelm and Ralf Hildebrandt in postfixbuch-users]