intrigeri: > I'm attaching the equivalent for AppArmor. Here's a cleaned up v2 (my initial patch had leftovers from a previous version that included the output of aa-enabled; now that I've stopped doing it I could simplify the code a bit).
Thanks a lot to Christian Boltz for catching this and suggesting --quiet! Cheers, -- intrigeri
>From c5646798735a12d464a8dc577e3d399fce6f3583 Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@debian.org> Date: Thu, 26 Oct 2017 16:18:19 +0000 Subject: [PATCH] Add AppArmor status in the bug reports (Closes: #773346) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit …using aa-enabled(1). aa-enabled is shipped in the apparmor binary package so this check is not 100% correct: technically, the AppArmor LSM can be enabled without the apparmor package being installed, and in this case we won't tell about it in the generated bug report. But for all practical matters, from reportbug's perspective, this corner case is equivalent to AppArmor being disabled: without apparmor_parser installed one can't compile and load policy into the kernel, so the LSM is essentially a no-op. Other, discarded options: - LibAppArmor.aa_is_enabled() would work, but it adds a dependency for little value; it's still an option on the table if the reportbug maintainers prefer not to shell out though. - checking /sys/module/apparmor/parameters/enabled would work, but it's too low-level for my taste. --- reportbug/utils.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/reportbug/utils.py b/reportbug/utils.py index d1c9516..b0d0127 100644 --- a/reportbug/utils.py +++ b/reportbug/utils.py @@ -1318,10 +1318,18 @@ def get_lsm_info(): cannot be determined.""" lsminfo = None + + if os.path.exists('/usr/bin/aa-enabled') \ + and (subprocess.call(['/usr/bin/aa-enabled', '--quiet']) == 0): + lsminfo = 'AppArmor: enabled' + if selinux_module: is_selinux_enabled = selinux.is_selinux_enabled() if (is_selinux_enabled == 1): - lsminfo = 'SELinux: enabled - ' + if lsminfo is None: + lsminfo = 'SELinux: enabled - ' + else: + lsminfo += '; SELinux: enabled - ' is_selinux_enforce = selinux.security_getenforce() if (is_selinux_enforce == 0): lsminfo += 'Mode: permissive - ' -- 2.15.0.rc2
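Review bot: in the added AppArmor check at the top of get_lsm_info(), os.path.exists('/usr/bin/aa-enabled') only establishes that the file is present, not that it can be executed, so subprocess.call() can still raise OSError (for example when the file is not executable), and nothing in the hunk catches it. Suggest either wrapping the call in try/except OSError and treating a failure as "not enabled", or testing os.access('/usr/bin/aa-enabled', os.X_OK) instead of os.path.exists(). A smaller style point in the SELinux branch: the if/else on `lsminfo is None` repeats the 'SELinux: enabled - ' literal. Collecting the per-LSM strings in a list and joining them with '; ' would remove the duplication and keep the function readable if another LSM is added later.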