[apparmor] [patch] tools.py: add functions to unload and reload profiles
Christian Boltz
apparmor at cboltz.de
Sat Feb 28 19:36:41 UTC 2015
Hello,
this patch adds functions to unload and reload profiles to tools.py,
and changes the code to use them.
Also add a comment to act() that it's only used by aa-cleanprof.
Notes:
- For some unknown reason, act() (used by aa-cleanprof) used
apparmor_parser -R instead of -r and therefore in theory unloaded
the profile. Fortunately this happened in a (IMHO) unused branch,
so this should never happen in practice.
(I added a "dead code walking..." exception in my local checkout, so
I'll hopefully notice if I'm wrong ;-)
- Speaking about dead code -
- The new functions add the --base parameter to the apparmor_parser
calls, which also means the disable directory inside the given profile
dir (and not always /etc/apparmor.d/disable) is now honored.
- Sidenote about aa-audit: if a disable symlink for a profile exists,
aa-audit will still print "Setting $profile to audit mode.", but the
parser won't load it into the kernel because of the disable symlink.
While this is technically correct, is there a way to get a warning
like "The profile is disabled, not loading it" from the parser?
Since the patch contains a bugfix (--base), I propose it for trunk and 2.9
[ tools-functions-to-unload-reload-profile.diff ]
=== modified file 'utils/apparmor/tools.py'
--- utils/apparmor/tools.py 2015-02-27 23:24:11 +0000
+++ utils/apparmor/tools.py 2015-02-28 18:57:01 +0000
@@ -76,6 +78,7 @@
yield (program, profile)
def act(self):
+ # used by aa-cleanprof
apparmor.read_profiles()
for (program, profile) in self.get_next_to_profile():
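Review bot: the new `# used by aa-cleanprof` comment would be more discoverable as a docstring on act(), which is what the other tools in this module would pick up from help()/introspection; as a bare comment it is easy to miss when the next caller is added.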
@@ -109,10 +112,7 @@
# One simply does not walk in here!
raise apparmor.AppArmorException('Unknown tool: %s' % self.name)
- cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-R', filename])
-
- if cmd_info[0] != 0:
- raise apparmor.AppArmorException(cmd_info[1])
+ self.reload_profile(profile)
else:
if '/' not in program:
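Review bot: the removed call passed `filename` to the parser while the replacement passes `profile` to `self.reload_profile(profile)`; confirm both name the same on-disk profile file in this branch, because the replacement also changes the parser action from `-R` (unload) to `-r` (reload), which the cover notes describe as an intentional fix in a branch believed to be dead. If that branch really is unreachable, a short comment saying so next to the call would stop the next reader from re-investigating it.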
@@ -133,12 +135,7 @@
aaui.UI_Info(_('Disabling %s.') % output_name)
self.disable_profile(profile)
- # FIXME: this should be a profile_remove function/method
- # FIXME: should ensure profile is loaded before unloading
- cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-R', profile])
-
- if cmd_info[0] != 0:
- raise apparmor.AppArmorException(cmd_info[1])
+ self.unload_profile(profile)
def cmd_enforce(self):
apparmor.read_profiles()
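Review bot: `self.disable_profile(profile)` creates the disable symlink before `self.unload_profile(profile)` runs, and `unload_profile` raises AppArmorException on a non-zero parser exit. On failure the profile is therefore left marked disabled on disk while still loaded in the kernel, and the user only sees the parser error. Consider unloading first and creating the symlink only on success, or at least reporting in the exception that the symlink was already created so the resulting state is clear.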
@@ -153,11 +150,7 @@
apparmor.set_enforce(profile, program)
- # FIXME: this should be a profile_reload function/method
- cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
-
- if cmd_info[0] != 0:
- raise apparmor.AppArmorException(cmd_info[1])
+ self.reload_profile(profile)
def cmd_complain(self):
apparmor.read_profiles()
@@ -172,11 +165,7 @@
apparmor.set_complain(profile, program)
- # FIXME: this should be a profile_reload function/method
- cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
-
- if cmd_info[0] != 0:
- raise apparmor.AppArmorException(cmd_info[1])
+ self.reload_profile(profile)
def cmd_audit(self):
apparmor.read_profiles()
@@ -196,11 +185,7 @@
aaui.UI_Info(_('Removing audit mode from %s.') % output_name)
apparmor.change_profile_flags(profile, program, 'audit', not self.remove)
- # FIXME: this should be a profile_reload function/method
- cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
-
- if cmd_info[0] != 0:
- raise apparmor.AppArmorException(cmd_info[1])
+ self.reload_profile(profile)
def cmd_autodep(self):
apparmor.read_profiles()
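Review bot: this is the case the cover notes raise for aa-audit: `aaui.UI_Info(_('Removing audit mode from %s.') % output_name)` is printed before `self.reload_profile(profile)`, and with the `--base` handling a disable symlink now causes the parser to skip the load without a non-zero exit. Checking for the disable symlink in this tool (the symlink is created by `disable_profile`, so the path is known) and printing a warning before the mode message would avoid telling the user a profile was reloaded when it was not.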
@@ -259,3 +244,16 @@
def disable_profile(self, filename):
apparmor.create_symlink('disable', filename)
+
+ def unload_profile(self, profile):
+ # FIXME: should ensure profile is loaded before unloading
+ cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '--base', apparmor.profile_dir, '-R', profile])
+
+ if cmd_info[0] != 0:
+ raise apparmor.AppArmorException(cmd_info[1])
+
+ def reload_profile(self, profile):
+ cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '--base', apparmor.profile_dir, '-r', profile])
+
+ if cmd_info[0] != 0:
+ raise apparmor.AppArmorException(cmd_info[1])
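Review bot: `unload_profile` and `reload_profile` build the same parser command line apart from `-R` versus `-r`; factoring the argument list (`-I`, `--base`, profile) into one helper keeps the two from drifting apart the next time an option such as `--base` is added, which is exactly the kind of fix this patch is making. Both functions also want a docstring stating the parameter is a profile file name and that a non-zero parser exit is raised as AppArmorException carrying the parser output. The `# FIXME: should ensure profile is loaded before unloading` comment is moved rather than resolved; if that is deliberate, say so in the commit message so it is not read as an oversight.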
Regards,
Christian Boltz
--
Last I checked, developers were still human
[Bryen M Yunashko in opensuse-project]