On Wed, Mar 05, 2014 at 05:44:40PM -0800, Steve Beattie wrote: > This patch splits out the aa-enforce functionality into a separate > method in the aa_tools class. It also removes one last reference to > the no-longer-existent -r option in the aa-enforce manpage. > > Signed-off-by: Steve Beattie <[email protected]>
Acked-by: Seth Arnold <[email protected]> Small comment inline... Thanks > --- > utils/aa-enforce | 4 ++-- > utils/aa-enforce.pod | 2 +- > utils/apparmor/aa.py | 8 ++++---- > utils/apparmor/tools.py | 18 ++++++++++++++++++ > 4 files changed, 25 insertions(+), 7 deletions(-) > > Index: b/utils/aa-enforce > =================================================================== > --- a/utils/aa-enforce > +++ b/utils/aa-enforce > @@ -29,6 +29,6 @@ args = parser.parse_args() > # on the Tool class are implemented > args.remove = True > > -enforce = apparmor.tools.aa_tools('complain', args) > +tool = apparmor.tools.aa_tools('complain', args) > > -enforce.act() > +tool.cmd_enforce() > Index: b/utils/apparmor/tools.py > =================================================================== > --- a/utils/apparmor/tools.py > +++ b/utils/apparmor/tools.py 
> @@ -163,6 +163,24 @@ class aa_tools: > if cmd_info[0] != 0: > raise apparmor.AppArmorException(cmd_info[1]) > > + def cmd_enforce(self): > + for (program, profile) in self.get_next_to_profile(): > + > + apparmor.read_profiles() > + output_name = profile if program is None else program If there's more than one profile returned from get_next_to_profile() this will probably be annoyingly expensive. I started reading the depths of this and got worried about the action-at-a-distance going on, so, uh, I suspect we should leave it alone for now. But next time I'm looking for something to do, remind me of this. :) > + > + if not os.path.isfile(profile) or > apparmor.is_skippable_file(profile): > + aaui.UI_Info(_('Profile for %s not found, skipping') % > output_name) > + continue > + > + apparmor.set_enforce(profile, program) > + > + # FIXME: this should be a profile_reload function/method > + cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, > '-r', profile]) > + > + if cmd_info[0] != 0: > + raise apparmor.AppArmorException(cmd_info[1]) > + > def clean_profile(self, program): > filename = apparmor.get_profile_filename(program) > import apparmor.cleanprofile as cleanprofile > Index: b/utils/aa-enforce.pod > =================================================================== > --- a/utils/aa-enforce.pod > +++ b/utils/aa-enforce.pod > @@ -27,7 +27,7 @@ being disabled or I<complain> mode. > > =head1 SYNOPSIS > > -B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d > /path/to/profiles>] [I<-r>]> > +B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d > /path/to/profiles>] > > =head1 OPTIONS > > Index: b/utils/apparmor/aa.py > =================================================================== > --- a/utils/apparmor/aa.py > +++ b/utils/apparmor/aa.py 
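Review bot: In `cmd_enforce`, a profile that is missing or skippable is only reported through `aaui.UI_Info` before the `continue`, so as far as the hunk shows the command can finish without an error even though nothing was switched to enforce mode. A script calling a tool whose job is to tighten confinement would want a failing result or a final summary of what was skipped. Separately, `apparmor.set_enforce(profile, program)` changes the profile on disk before the parser reload, and a reload failure raises `AppArmorException` immediately; this can leave the file marked enforce while the loaded policy is presumably still the old one, and the remaining programs are never processed. Consider collecting failures and raising once after the loop, and adding a docstring such as `"""Switch each requested profile to enforce mode and reload it; missing profiles are skipped."""`. The enclosing class starts and ends outside the hunk.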
> @@ -256,14 +256,14 @@ def enforce(path): > > def set_complain(filename, program): > """Sets the profile to complain mode""" > - aaui.UI_Info(_('Setting %s to complain mode.') % program) > + aaui.UI_Info(_('Setting %s to complain mode.') % (filename if program is > None else program)) > # a force-complain symlink is more packaging-friendly, but breaks caching > # create_symlink('force-complain', filename) > change_profile_flags(filename, program, 'complain', True) > > def set_enforce(filename, program): > """Sets the profile to enforce mode""" > - aaui.UI_Info(_('Setting %s to enforce mode.') % program) > + aaui.UI_Info(_('Setting %s to enforce mode.') % (filename if program is > None else program)) > delete_symlink('force-complain', filename) > delete_symlink('disable', filename) > change_profile_flags(filename, program, 'complain', False) > @@ -592,7 +592,7 @@ def get_profile_flags(filename, program) > matches = RE_PROFILE_START.search(line).groups() > profile = matches[1] or matches[3] > flags = matches[6] > - if profile == program: > + if profile == program or program is None: > return flags > > raise AppArmorException(_('%s contains no profile') % filename) > @@ -644,7 +644,7 @@ def set_profile_flags(prof_filename, pro > binary = matches[1] > flag = matches[6] or 'flags=' > flags = matches[7] > - if binary == program: > + if binary == program or program is None: > if newflags: > line = '%s%s %s(%s) {%s\n' % (space, binary, > flag, newflags, comment) > else: > > > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor >
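Review bot: The new `binary == program or program is None` test in `set_profile_flags` (hunk at -644) appears to match every profile start line in the file, so a call without a program name rewrites the flags of all profiles that file contains. `set_complain` goes through `change_profile_flags` as well (its body is not shown), so the same wildcard could relax every profile in a multi-profile file to complain mode in one call. The matching change in `get_profile_flags` (hunk at -592) returns the flags of the first profile it finds, which need not represent the others. If file-wide behaviour is intended, say so at both sites, for example `# program is None: apply to every profile in this file`; otherwise limit the None case to files holding a single profile. Both functions start and end outside the hunks.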
