Hello, this patch adds functions to unload and reload profiles to tools.py, and changes the code to use them.
Also add a comment to act() that it's only used by aa-cleanprof.

Notes:
- For some unknown reason, act() (used by aa-cleanprof) used apparmor_parser -R instead of -r and therefore in theory unloaded the profile. Fortunately this happened in a (IMHO) unused branch, so this should never happen in practice. (I added a "dead code walking..." exception in my local checkout, so I'll hopefully notice if I'm wrong ;-)
- Speaking about dead code -
- The new functions add the --base parameter to the apparmor_parser calls, which also means the disable directory inside the given profile dir (and not always /etc/apparmor.d/disable) is now honored.
- Sidenote about aa-audit: if a disable symlink for a profile exists, aa-audit will still print "Setting $profile to audit mode.", but the parser won't load it into the kernel because of the disable symlink. While this is technically correct, is there a way to get a warning like "The profile is disabled, not loading it" from the parser?

Since the patch contains a bugfix (--base), I propose it for trunk and 2.9

[ tools-functions-to-unload-reload-profile.diff ]

=== modified file 'utils/apparmor/tools.py' --- utils/apparmor/tools.py 2015-02-27 23:24:11 +0000 +++ utils/apparmor/tools.py 2015-02-28 18:57:01 +0000 @@ -76,6 +78,7 @@ yield (program, profile) def act(self): + # used by aa-cleanprof apparmor.read_profiles() for (program, profile) in self.get_next_to_profile(): @@ -109,10 +112,7 @@ # One simply does not walk in here! raise apparmor.AppArmorException('Unknown tool: %s' % self.name) - cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-R', filename]) - - if cmd_info[0] != 0: - raise apparmor.AppArmorException(cmd_info[1]) + self.reload_profile(profile) else: if '/' not in program: 
@@ -133,12 +135,7 @@ aaui.UI_Info(_('Disabling %s.') % output_name) self.disable_profile(profile) - # FIXME: this should be a profile_remove function/method - # FIXME: should ensure profile is loaded before unloading - cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-R', profile]) - - if cmd_info[0] != 0: - raise apparmor.AppArmorException(cmd_info[1]) + self.unload_profile(profile) def cmd_enforce(self): apparmor.read_profiles() @@ -153,11 +150,7 @@ apparmor.set_enforce(profile, program) - # FIXME: this should be a profile_reload function/method - cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile]) - - if cmd_info[0] != 0: - raise apparmor.AppArmorException(cmd_info[1]) + self.reload_profile(profile) def cmd_complain(self): apparmor.read_profiles() @@ -172,11 +165,7 @@ apparmor.set_complain(profile, program) - # FIXME: this should be a profile_reload function/method - cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile]) - - if cmd_info[0] != 0: - raise apparmor.AppArmorException(cmd_info[1]) + self.reload_profile(profile) def cmd_audit(self): apparmor.read_profiles() @@ -196,11 +185,7 @@ aaui.UI_Info(_('Removing audit mode from %s.') % output_name) apparmor.change_profile_flags(profile, program, 'audit', not self.remove) - # FIXME: this should be a profile_reload function/method - cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile]) - - if cmd_info[0] != 0: - raise apparmor.AppArmorException(cmd_info[1]) + self.reload_profile(profile) def cmd_autodep(self): apparmor.read_profiles() 
@@ -259,3 +244,16 @@ def disable_profile(self, filename): apparmor.create_symlink('disable', filename) + + def unload_profile(self, profile): + # FIXME: should ensure profile is loaded before unloading + cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '--base', apparmor.profile_dir, '-R', profile]) + + if cmd_info[0] != 0: + raise apparmor.AppArmorException(cmd_info[1]) + + def reload_profile(self, profile): + cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '--base', apparmor.profile_dir, '-r', profile]) + + if cmd_info[0] != 0: + raise apparmor.AppArmorException(cmd_info[1])

Regards,

Christian Boltz
-- 
Last I checked, developers were still human [Bryen M Yunashko in opensuse-project]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
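Review bot: the first hunk's new-side offset (@@ -76,6 +78,7 @@, i.e. +78 against -76) implies two lines were added above line 76 that this diff does not contain; please check the patch was generated against the intended base so it applies cleanly to both trunk and 2.9.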
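Review bot: in the act() hunk (@@ -109,10 +112,7 @@) the removed parser call passed `filename`, while the replacement `self.reload_profile(profile)` passes `profile`; confirm both name the same profile file in that branch, since the new helper hands the value straight to apparmor_parser. The same hunk also turns the branch from an unload (-R) into a reload (-r), which the cover letter explains but the commit message should record as an intended behaviour change even though the branch is believed to be dead.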
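Review bot: in the cmd_disable hunk (@@ -133,12 +135,7 @@) `self.unload_profile(profile)` runs after `self.disable_profile(profile)` has already created the disable symlink, and with the carried-over "should ensure profile is loaded before unloading" FIXME a profile that is not currently loaded makes the -R call fail and raise AppArmorException; consider checking that the profile is loaded (or treating "not loaded" as success for -R) so aa-disable does not abort with the symlink already in place.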
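Review bot: in the cmd_audit hunk (@@ -196,11 +185,7 @@) the aa-audit sidenote from the cover letter applies: the tool prints "Setting %s to audit mode" and then reloads with --base, so a profile that has a disable symlink is skipped by the parser without any message; reload_profile() could test for the disable symlink in the profile dir and print a warning from the tool side instead of waiting for the parser to grow one.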
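Review bot: in the new-functions hunk (@@ -259,3 +244,16 @@) unload_profile() and reload_profile() are identical apart from -R versus -r; a single private helper taking the parser flag would keep the command line in one place, and the exception raised from cmd_info[1] should include the profile name and the flag so a failure says which profile could not be unloaded or reloaded. Both methods lack a docstring, and the include dir is passed fused as '-I%s' while --base is passed as two list elements; pick one style.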