/usr/lib/python3/dist-packages/apparmor/tools.py implement optional reload profile method

Bug #1458480 reported by Esokrates on 2015-05-25
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Christian Boltz
2.9
Undecided
Unassigned

Bug Description

There are various "# FIXME: this should be a profile_reload function/method" entries in /usr/lib/python3/dist-packages/apparmor/tools.py.
Profile reload should be optional for aa-enforce etc. so that one can use those utils in chroot without raising exceptions all the time.
The thing is: Those utils work in chroot, just "/sys/kernel/security/apparmor" is not available, so an exception is raised because profile reloading does not work.

In case of aa-enforce the profiles are set in enforce mode, just reloading the profile in the kernel fails, because after "apparmor.set_enforce(profile, program)" the following is called: "cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])".

There should be an call option for aa-enfore and the similar utils, to skip reloading the profile.
This is particularly interesting if install your system using chroot/debootstrap, where you configure everything in chroot and once finished boot the system for real.

Revision history for this message
Esokrates (esokrarkose) wrote :

Example of the exception in case of aa-enforce:

Traceback:
 Traceback (most recent call last):
   File "/usr/sbin/aa-enforce", line 30, in <module>
     tool.cmd_enforce()
   File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 166, in cmd_enforce
     raise apparmor.AppArmorException(cmd_info[1])
 apparmor.common.AppArmorException: 'Warning: unable to find a suitable fs in /proc/mounts, is it mounted?\nUse --subdomainfs to override.\n'

summary: - /usr/lib/python3/dist-packages/apparmor/tools.py implement reload
- profile method
+ /usr/lib/python3/dist-packages/apparmor/tools.py implement optional
+ reload profile method
Christian Boltz (cboltz) on 2015-05-25
tags: added: aa-tools
Revision history for this message
Christian Boltz (cboltz) wrote :

Those FIXME comments are already fixed in the current code (2.9 branch and trunk) :-)

I just sent 33-minitools-add--no-reload-parameter.diff to the AppArmor mailinglist for review. It adds the --no-reload option to aa-audit, aa-complain, aa-disable and aa-enforce. (I'm afraid the review might take some time - I'm currently DoS'ing the mailinglist with patches, and "33" is there for a reason *eg*)

Changed in apparmor:
assignee: nobody → Christian Boltz (cboltz)
status: New → In Progress
Revision history for this message
Esokrates (esokrarkose) wrote :

Thanks, amazing!
 Just to track the progress:

https://lists.ubuntu.com/archives/apparmor/2015-May/007893.html

Revision history for this message
Christian Boltz (cboltz) wrote :

Commited to bzr. --no-reload will be available in 2.9.3 and 2.10

Changed in apparmor:
status: In Progress → Fix Committed
milestone: none → 2.9.3
Christian Boltz (cboltz) on 2015-07-14
Changed in apparmor:
milestone: 2.9.3 → 2.10
Revision history for this message
Steve Beattie (sbeattie) wrote :

AppArmor 2.10 has been released: https://launchpad.net/apparmor/2.10/2.10

Changed in apparmor:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers