This patch splits out the aa-enforce functionality into a separate method in the aa_tools class. It also removes one last reference to the no-longer-existent -r option in the aa-enforce manpage.
Signed-off-by: Steve Beattie <[email protected]> --- utils/aa-enforce | 4 ++-- utils/aa-enforce.pod | 2 +- utils/apparmor/aa.py | 8 ++++---- utils/apparmor/tools.py | 18 ++++++++++++++++++ 4 files changed, 25 insertions(+), 7 deletions(-) Index: b/utils/aa-enforce =================================================================== --- a/utils/aa-enforce +++ b/utils/aa-enforce @@ -29,6 +29,6 @@ args = parser.parse_args() # on the Tool class are implemented args.remove = True -enforce = apparmor.tools.aa_tools('complain', args) +tool = apparmor.tools.aa_tools('complain', args) -enforce.act() +tool.cmd_enforce() Index: b/utils/apparmor/tools.py =================================================================== --- a/utils/apparmor/tools.py +++ b/utils/apparmor/tools.py @@ -163,6 +163,24 @@ class aa_tools: if cmd_info[0] != 0: raise apparmor.AppArmorException(cmd_info[1]) + def cmd_enforce(self): + for (program, profile) in self.get_next_to_profile(): + + apparmor.read_profiles() + output_name = profile if program is None else program + + if not os.path.isfile(profile) or apparmor.is_skippable_file(profile): + aaui.UI_Info(_('Profile for %s not found, skipping') % output_name) + continue + + apparmor.set_enforce(profile, program) + + # FIXME: this should be a profile_reload function/method + cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile]) + + if cmd_info[0] != 0: + raise apparmor.AppArmorException(cmd_info[1]) + def clean_profile(self, program): filename = apparmor.get_profile_filename(program) import apparmor.cleanprofile as cleanprofile Index: b/utils/aa-enforce.pod =================================================================== --- a/utils/aa-enforce.pod +++ b/utils/aa-enforce.pod 
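Review bot: The tool object is still built as `aa_tools('complain', args)` with `args.remove = True` set just above, even though the script now calls the dedicated `cmd_enforce()`. In the lines of `cmd_enforce()` shown in tools.py nothing reads a remove flag, so this pairing looks like a leftover of the old `act()` path; the constructor is outside the hunk, so whether the name still influences messages or option handling needs checking there. If it is no longer needed, drop the workaround and its comment. Otherwise reword the comment so someone auditing an aa-enforce run is not told it ran as "complain".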
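Review bot: In `cmd_enforce()` a target whose profile file is missing or skippable is only reported through `aaui.UI_Info` and then skipped with `continue`, so the method can return normally without having put anything into enforce mode. For a command whose purpose is to turn confinement on, callers such as scripts or configuration management need a failure signal; the exit status is decided outside this hunk, but nothing here raises on that path. Consider recording the names (`skipped.append(output_name)` before `continue`) and raising `apparmor.AppArmorException` after the loop when that list is non-empty. Separately, the raise on a failed parser reload comes after `apparmor.set_enforce()` has already run for that profile and it ends the loop, so later targets are left untouched; a short docstring stating both behaviours would help.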
@@ -27,7 +27,7 @@ being disabled or I<complain> mode. =head1 SYNOPSIS -B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]> +B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] =head1 OPTIONS Index: b/utils/apparmor/aa.py =================================================================== --- a/utils/apparmor/aa.py +++ b/utils/apparmor/aa.py @@ -256,14 +256,14 @@ def enforce(path): def set_complain(filename, program): """Sets the profile to complain mode""" - aaui.UI_Info(_('Setting %s to complain mode.') % program) + aaui.UI_Info(_('Setting %s to complain mode.') % (filename if program is None else program)) # a force-complain symlink is more packaging-friendly, but breaks caching # create_symlink('force-complain', filename) change_profile_flags(filename, program, 'complain', True) def set_enforce(filename, program): """Sets the profile to enforce mode""" - aaui.UI_Info(_('Setting %s to enforce mode.') % program) + aaui.UI_Info(_('Setting %s to enforce mode.') % (filename if program is None else program)) delete_symlink('force-complain', filename) delete_symlink('disable', filename) change_profile_flags(filename, program, 'complain', False) @@ -592,7 +592,7 @@ def get_profile_flags(filename, program) matches = RE_PROFILE_START.search(line).groups() profile = matches[1] or matches[3] flags = matches[6] - if profile == program: + if profile == program or program is None: return flags raise AppArmorException(_('%s contains no profile') % filename) @@ -644,7 +644,7 @@ def set_profile_flags(prof_filename, pro binary = matches[1] flag = matches[6] or 'flags=' flags = matches[7] - if binary == program: + if binary == program or program is None: if newflags: line = '%s%s %s(%s) {%s\n' % (space, binary, flag, newflags, comment) else: -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
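Review bot: With `program is None` the two flag helpers no longer agree on which profile they act on: `get_profile_flags` returns the flags of the first profile start line in the file, while `set_profile_flags` now rewrites every matching line with the same `newflags`. In a file holding several profiles this can overwrite flags that differ per profile; how `newflags` is derived is in `change_profile_flags`, outside these hunks, so this is inferred. Also, `set_profile_flags` takes `binary = matches[1]` where `get_profile_flags` uses `matches[1] or matches[3]`; if group 1 can be empty, the rewritten line would begin with the text `None`, a case the old `binary == program` test did not reach when a program name was given. Suggest `binary = matches[1] or matches[3]` and a comment on both functions stating that `program=None` means every profile in the file. Both function bodies start and end outside the hunks.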
