Hi,

Laurent Bigonville:
> On 07/10/17 at 17:03, Laurent Bigonville wrote:
>> Here is a patch that implements the SELinux part
> Please find here the version 2 of my patch.

Thanks! I've reviewed this patch and it looks OK to me. I've tested it
on a sid system 1. with AppArmor enabled; 2. with no LSM enabled; and
it works as expected. I trust you've tested it on a system with
SELinux enabled so I didn't check this.

I'm attaching the equivalent for AppArmor. This patch is meant to be
applied on top of Laurent's.

Cheers,
-- 
intrigeri

From d40f198f40ec665e6233982d73a81c2fc3acce8c Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Thu, 26 Oct 2017 16:18:19 +0000
Subject: [PATCH] Add AppArmor status in the bug reports (Closes: #773346)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

…using aa-enabled(1).

aa-enabled is shipped in the apparmor binary package so this check is not 100%
correct: technically, the AppArmor LSM can be enabled without the apparmor
package being installed, and in this case we won't tell about it in the
generated bug report. But for all practical matters, from reportbug's
perspective, this corner case is equivalent to AppArmor being disabled: without
apparmor_parser installed one can't compile and load policy into the kernel, so
the LSM is essentially a no-op.

Other, discarded options:

 - LibAppArmor.aa_is_enabled() would work, but it adds a dependency
   for little value; it's still an option on the table if the reportbug
   maintainers prefer not to shell out though.
 - checking /sys/module/apparmor/parameters/enabled would work, but it's too
   low-level for my taste.
---
 reportbug/utils.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/reportbug/utils.py b/reportbug/utils.py
index d1c9516..8b0a1ce 100644
--- a/reportbug/utils.py
+++ b/reportbug/utils.py
@@ -1318,10 +1318,20 @@ def get_lsm_info():
     cannot be determined."""
 
     lsminfo = None
+
+    if os.path.exists('/usr/bin/aa-enabled') \
+       and (subprocess.run('LC_ALL=C.UTF-8 aa-enabled',
+                           shell=True,
+                           stdout=subprocess.PIPE).returncode == 0):
+        lsminfo = 'AppArmor: enabled'
+
     if selinux_module:
         is_selinux_enabled = selinux.is_selinux_enabled()
         if (is_selinux_enabled == 1):
-            lsminfo = 'SELinux: enabled - '
+            if lsminfo is None:
+                lsminfo = 'SELinux: enabled - '
+            else:
+                lsminfo += '; SELinux: enabled - '
             is_selinux_enforce = selinux.security_getenforce()
             if (is_selinux_enforce == 0):
                 lsminfo += 'Mode: permissive - '
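
Review bot: In the added AppArmor check, the path that is tested is not the program that is run: os.path.exists() looks at '/usr/bin/aa-enabled', but subprocess.run() is then given the bare name 'aa-enabled' through a shell, so the binary that answers is whatever comes first in the caller's PATH. shell=True is only used here to set LC_ALL, which the env argument can do without a shell. I would pass an argument list with the absolute path, e.g. subprocess.run(['/usr/bin/aa-enabled'], env=dict(os.environ, LC_ALL='C.UTF-8'), stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL). Only the return code is used, so discarding stdout is enough, and since stderr is not redirected in the patch, any error message from the tool would currently land on the user's terminal. A smaller point: the AppArmor entry has no trailing separator while the SELinux entry ends in ' - ', which the '; ' join papers over; a short comment on the intended output format would help the next LSM added here.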
-- 
2.15.0.rc2
