Hello, In the 2.10 cycle, Christian added improved exception handling support to the python tools, to improve the output and assist in diagnosing problems. To do so, this meant importing a module from the apparmor python module (python3-apparmor). For most of the python utilities, other portions of the apparmor python module are already imported, so this wasn't a dependency change. However, the exception to that is aa-status(8), which intentionally did not depend it, so as to still be usable in minimal environments, where administrators wish to install as little extraneous as possible.
In Ubuntu, aa-status is used as part of the generated dh_apparmor postinst snippet to determine whether apparmor is enabled, and if so, to go ahead and load the specified apparmor policy. When attempting to land apparmor 2.10 in Ubuntu, this caused this snippet to fail due to python3-apparmor not being installed by default. (Hooray for autopkgtests actually catching it!) The following patch attempts to address this by having aa-status attempt to import the fancier exception handling code, but continue on if it fails and fall back to using regular python exceptions. I'm of two minds about this patch. On the one hand, the issue is related directly to a quirk of how apparmor is packaged for debian/ubuntu, and thus not really appropriate for upstream apparmor. On the other hand, other distributions/users may also wish to have a similar set up for more minimal environments [1], so perhaps it does make sense for upstream. This is only an issue for 2.10. Subject: make aa-status(8) work without python3-apparmor Author: Steve Beattie <steve.beat...@canonical.com> Bug: https://bugs.launchpad.net/bugs/1480492 If python3-apparmor is not installed, aa-status aborts due to the added import to handle fancier exception handling failing. This patch makes aa-status(8) work even in that case, falling back to normal python exceptions, to keep its required dependencies as small as possible. Signed-off-by: Steve Beattie <st...@nxnw.org> --- utils/aa-status | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) Index: b/utils/aa-status =================================================================== --- a/utils/aa-status +++ b/utils/aa-status @@ -12,9 +12,19 @@ import re, os, sys, errno +# PLEASE NOTE: we try to keep aa-status as minimal as possible, for +# environments where installing all of the python utils and python +# apparmor module may not make sense. Please think carefully before +# importing anything from apparmor; see how the apparmor.fail import is +# handled below. + # setup exception handling -from apparmor.fail import enable_aa_exception_handler -enable_aa_exception_handler() +try: + from apparmor.fail import enable_aa_exception_handler + enable_aa_exception_handler() +except ImportError: + # just let normal python exceptions happen (LP: #1480492) + pass def cmd_enabled(): '''Returns error code if AppArmor is not enabled''' -- Steve Beattie <sbeat...@ubuntu.com> http://NxNW.org/~steve/
signature.asc
Description: Digital signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
