This patch creates a separate tool.cmd_complain function and removes the -r (remove) option, to match aa-enforce and aa-disable. It also cleans up some bits in aa-enforce now that aa-complain and aa-enforce have been separated.
Signed-off-by: Steve Beattie <[email protected]>
---
 utils/aa-complain | 5 ++---
 utils/aa-complain.pod | 9 +--------
 utils/aa-enforce | 6 +-----
 utils/apparmor/tools.py | 26 +++++++++++++++++++-------
 4 files changed, 23 insertions(+), 23 deletions(-)
Index: b/utils/aa-complain
===================================================================
--- a/utils/aa-complain
+++ b/utils/aa-complain
@@ -22,10 +22,9 @@ _ = init_translation()
 parser = argparse.ArgumentParser(description=_('Switch the given program to complain mode'))
 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
-parser.add_argument('-r', '--remove', action='store_true', help=_('remove complain mode'))
 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
 args = parser.parse_args()
-complain = apparmor.tools.aa_tools('complain', args)
+tool = apparmor.tools.aa_tools('complain', args)
 #print(args)
-complain.act()
+tool.cmd_complain()
Index: b/utils/apparmor/tools.py
===================================================================
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -30,7 +30,7 @@ class aa_tools:
 self.check_profile_dir()
 self.silent = None
- if tool_name in ['audit', 'complain']:
+ if tool_name in ['audit']:
 self.remove = args.remove
 elif tool_name == 'disable':
 self.disabledir = apparmor.profile_dir + '/disable'
@@ -122,12 +122,6 @@ class aa_tools:
 aaui.UI_Info(_('Removing audit mode from %s.') % program)
 apparmor.change_profile_flags(filename, program, 'audit', not self.remove)
- elif self.name == 'complain':
- if not self.remove:
- apparmor.set_complain(filename, program)
- else:
- apparmor.set_enforce(filename, program)
- #apparmor.set_profile_flags(filename, self.name)
 else:
 # One simply does not walk in here!
 raise apparmor.AppArmorException('Unknown tool: %s' % self.name)
@@ -177,6 +171,24 @@ class aa_tools:
 # FIXME: this should be a profile_reload function/method
 cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
+
+ if cmd_info[0] != 0:
+ raise apparmor.AppArmorException(cmd_info[1])
+
+ def cmd_complain(self):
+ for (program, profile) in self.get_next_to_profile():
+
+ apparmor.read_profiles()
+ output_name = profile if program is None else program
+
+ if not os.path.isfile(profile) or apparmor.is_skippable_file(profile):
+ aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
+ continue
+
+ apparmor.set_complain(profile, program)
+
+ # FIXME: this should be a profile_reload function/method
+ cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
 if cmd_info[0] != 0:
 raise apparmor.AppArmorException(cmd_info[1])
Index: b/utils/aa-enforce
===================================================================
--- a/utils/aa-enforce
+++ b/utils/aa-enforce
@@ -24,11 +24,7 @@ parser = argparse.ArgumentParser(descrip
 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
 args = parser.parse_args()
-# Set the remove flag since complain = !enforce
-# XXX remove this entirely once conversion to individual cmd methods
-# on the Tool class are implemented
-args.remove = True
-tool = apparmor.tools.aa_tools('complain', args)
+tool = apparmor.tools.aa_tools('enforce', args)
 tool.cmd_enforce()
Index: b/utils/aa-complain.pod
===================================================================
--- a/utils/aa-complain.pod
+++ b/utils/aa-complain.pod
@@ -26,7 +26,7 @@ aa-complain - set an AppArmor security p
 =head1 SYNOPSIS
-B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>]
 =head1 OPTIONS
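Review bot: In `cmd_complain`, a failed parser reload raises out of the `for` loop after `apparmor.set_complain(profile, program)` has already run for that profile, so the profile file (presumably already rewritten) and the loaded policy can disagree, and the remaining programs are never processed. Because this command relaxes confinement, the error should at least name the profile it stopped on, for example `raise apparmor.AppArmorException('%s: %s' % (profile, cmd_info[1]))`, unless the parser output is known to include it. `apparmor.read_profiles()` is called once per program although it takes no per-program argument; it looks loop-invariant and could move above the `for`. The new method also has no docstring; one line stating that it switches each given program's profile to complain mode and reloads it would be enough.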
@@ -35,19 +35,12 @@ B<-d --dir /path/to/profiles> Specifies where to look for the AppArmor security profile set. Defaults to /etc/apparmor.d. -B<-r --remove> - - Removes the complain mode for the profile. - =head1 DESCRIPTION B<aa-complain> is used to set the enforcement mode for one or more profiles to I<complain> mode. In this mode security policy is not enforced but rather access violations are logged to the system log. -The I<--remove> option can be used to remove the complain mode for the profile, -setting it to enforce mode by default. - =head1 BUGS If you find any bugs, please report them at -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
