[apparmor] [patch] tools.py: add functions to unload and reload profiles

Steve Beattie steve at nxnw.org
Sat Mar 7 15:50:35 UTC 2015


On Sat, Feb 28, 2015 at 08:36:41PM +0100, Christian Boltz wrote:
> this patch adds functions to unload and reload profiles to tools.py,
> and changes the code to use them.
> 
> Also add a comment to act() that it's only used by aa-cleanprof.
> 
> Notes:
> - For some unknown reason, act() (used by aa-cleanprof) used 
>   apparmor_parser -R instead of -r and therefore in theory unloaded 
>   the profile. Fortunately this happened in an (IMHO) unused branch,
>   so this should never happen in practice.
>   (I added a "dead code walking..." exception in my local checkout, so
>   I'll hopefully notice if I'm wrong ;-)

This is likely a historical artifact from when all the tools were routed
through act() which complicated its logic too much.

> - Speaking about dead code - 
> - The new functions add the --base parameter to the apparmor_parser 
>   calls, which also means the disable directory inside the given profile 
>   dir (and not always /etc/apparmor.d/disable) is now honored.
> - Sidenote about aa-audit: if a disable symlink for a profile exists,
>   aa-audit will still print "Setting $profile to audit mode.", but the
>   parser won't load it into the kernel because of the disable symlink.
>   While this is technically correct, is there a way to get a warning
>   like "The profile is disabled, not loading it" from the parser?
> 
> Since the patch contains a bugfix (--base), I propose it for trunk and 2.9
> 
> 
> [ tools-functions-to-unload-reload-profile.diff ]

Acked-by: Steve Beattie <steve at nxnw.org> for trunk and 2.9. Thanks.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
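
The two points quoted above (passing --base so the disable directory inside the given profile dir is honored, and the aa-audit case where a disable symlink keeps the parser from loading the profile) can be checked before the parser is called. This is an added sketch, not code from the patch or from tools.py; the function names, the sample profile names and the warning text are hypothetical, and it assumes a disable entry carries the same file name as the profile.

```python
import os
import tempfile

PARSER = "apparmor_parser"  # assumed to be on PATH; this sketch never executes it


def is_disabled(profile_dir, profile_file):
    """True if <profile_dir>/disable/ has an entry named like the profile file."""
    link = os.path.join(profile_dir, "disable", os.path.basename(profile_file))
    # lexists() also reports a dangling symlink, which exists() would miss
    return os.path.lexists(link)


def parser_argv(profile_dir, profile_file, unload=False):
    """Build the parser call: -R unloads the profile, -r reloads it."""
    action = "-R" if unload else "-r"
    # --base ties the parser to the same profile dir whose disable/ we checked
    return [PARSER, "--base", profile_dir, action, profile_file]


def plan_reload(profile_dir, profile_file):
    """Return (argv, warning); warning is set when a disable entry exists."""
    warning = None
    if is_disabled(profile_dir, profile_file):
        warning = "The profile %s is disabled, not loading it" % profile_file
    return parser_argv(profile_dir, profile_file), warning


def demo():
    """Constructed sample: a temporary profile dir with one disabled profile."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "disable"))
        enabled = os.path.join(base, "usr.bin.enabled")
        disabled = os.path.join(base, "usr.bin.disabled")
        for path in (enabled, disabled):
            open(path, "w").close()
        os.symlink(disabled, os.path.join(base, "disable", "usr.bin.disabled"))
        return plan_reload(base, enabled), plan_reload(base, disabled)


if __name__ == "__main__":
    for argv, warning in demo():
        print(" ".join(argv))
        if warning:
            print("WARNING:", warning)
```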