intrigeri:
> I'm attaching the equivalent for AppArmor.

Here's a cleaned up v2 (my initial patch had leftovers from a previous
version that included the output of aa-enabled; now that I've stopped
doing it I could simplify the code a bit).

Thanks a lot to Christian Boltz for catching this and
suggesting --quiet!

Cheers,
-- 
intrigeri

From c5646798735a12d464a8dc577e3d399fce6f3583 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Thu, 26 Oct 2017 16:18:19 +0000
Subject: [PATCH] Add AppArmor status in the bug reports (Closes: #773346)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

…using aa-enabled(1).

aa-enabled is shipped in the apparmor binary package so this check is not 100%
correct: technically, the AppArmor LSM can be enabled without the apparmor
package being installed, and in this case we won't tell about it in the
generated bug report. But for all practical matters, from reportbug's
perspective, this corner case is equivalent to AppArmor being disabled: without
apparmor_parser installed one can't compile and load policy into the kernel, so
the LSM is essentially a no-op.

Other, discarded options:

 - LibAppArmor.aa_is_enabled() would work, but it adds a dependency
   for little value; it's still an option on the table if the reportbug
   maintainers prefer not to shell out though.
 - checking /sys/module/apparmor/parameters/enabled would work, but it's too
   low-level for my taste.
---
 reportbug/utils.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/reportbug/utils.py b/reportbug/utils.py
index d1c9516..b0d0127 100644
--- a/reportbug/utils.py
+++ b/reportbug/utils.py
@@ -1318,10 +1318,18 @@ def get_lsm_info():
     cannot be determined."""
 
     lsminfo = None
+
+    if os.path.exists('/usr/bin/aa-enabled') \
+       and (subprocess.call(['/usr/bin/aa-enabled', '--quiet']) == 0):
+        lsminfo = 'AppArmor: enabled'
+
     if selinux_module:
         is_selinux_enabled = selinux.is_selinux_enabled()
         if (is_selinux_enabled == 1):
-            lsminfo = 'SELinux: enabled - '
+            if lsminfo is None:
+                lsminfo = 'SELinux: enabled - '
+            else:
+                lsminfo += '; SELinux: enabled - '
             is_selinux_enforce = selinux.security_getenforce()
             if (is_selinux_enforce == 0):
                 lsminfo += 'Mode: permissive - '
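
Review bot: The `os.path.exists('/usr/bin/aa-enabled')` guard in the added block only proves the path exists, not that it can be executed; if the file is present but not executable, `subprocess.call([...])` raises an OSError that propagates out of get_lsm_info() before the SELinux branch runs. Suggest checking `os.access('/usr/bin/aa-enabled', os.X_OK)` instead, or wrapping the call in `try: ... except OSError:` so a broken helper just leaves lsminfo untouched. Separately, every non-zero exit status is handled the same way as a missing binary (nothing is recorded), so a report never says AppArmor is disabled; if that is deliberate, a one-line comment above the `if` saying so would help, since the SELinux branch below does report its mode explicitly.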
-- 
2.15.0.rc2
