Read all profiles on aa-genprof startup instead of later

... which can mean "too late" in some special cases (if a profile already exists in /etc/apparmor.d/$non_default_filename). However, the main reason is that without this change - the new profile will be added to (otherwise empty) active_profiles - the first do_logprof_pass() will read all profiles, including the new one, and add them to active_profiles - which unsurprisingly results in an error like `ERROR: Profile /usr/sbin/vsftpd exists in /etc/apparmor.d/usr.sbin.vsftpd and /etc/apparmor.d/usr.sbin.vsftpd` To fix this, - change do_logprof_pass to never call read_profiles() (and get rid of the 'passno' parameter) - adjust its callers (aa-logprof and aa-genprof) to call read_profiles() themself - move printing the 'Updating AppArmor profiles in $directory.' message to read_profiles(), but only display it if requested (to keep the current UI behaviour)
2025-03-04 08:24:42 +01:00 · 2020-05-05 23:56:55 +02:00 · 2020-05-05 23:56:55 +02:00 · c7949ba6c4
commit c7949ba6c4
parent db9f8d38b0
3 changed files with 9 additions and 9 deletions
--- a/utils/aa-genprof
+++ b/utils/aa-genprof
@ -107,6 +107,8 @@ apparmor.check_qualifiers(program)

 apparmor.loadincludes()

+apparmor.read_profiles(True)
+
 profile_filename = apparmor.get_profile_filename_from_attachment(program, True)
 if os.path.exists(profile_filename):
    apparmor.helpers[program] = apparmor.get_profile_flags(profile_filename, program)
@ -141,7 +143,6 @@ done_profiling = False
 if os.path.exists('/var/log/audit/audit.log'):
    syslog = False

-passno = 0
 while not done_profiling:
    if syslog:
        logmark = subprocess.check_output(['date | md5sum'], shell=True)
@ -160,8 +161,7 @@ while not done_profiling:
    ans, arg = q.promptUser('noexit')

    if ans == 'CMD_SCAN':
-        apparmor.do_logprof_pass(logmark, passno)
-        passno += 1
+        apparmor.do_logprof_pass(logmark)
    else:
        done_profiling = True

--- a/utils/aa-logprof
+++ b/utils/aa-logprof
@ -53,5 +53,6 @@ if profiledir:

 apparmor.loadincludes()

+apparmor.read_profiles(True)
 apparmor.do_logprof_pass(logmark)

--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@ -1455,7 +1455,7 @@ def set_logfile(filename):
    elif os.path.isdir(logfile):
        raise AppArmorException(_('%s is a directory. Please specify a file as logfile') % logfile)

-def do_logprof_pass(logmark='', passno=0):
+def do_logprof_pass(logmark=''):
    # set up variables for this pass
 #    transitions = hasher()
    global active_profiles
@ -1466,10 +1466,6 @@ def do_logprof_pass(logmark='', passno=0):

    aaui.UI_Info(_('Reading log entries from %s.') % logfile)

-    if not passno:
-        aaui.UI_Info(_('Updating AppArmor profiles in %s.') % profile_dir)
-        read_profiles()
-
    if not sev_db:
        sev_db = apparmor.severity.Severity(CONFDIR + '/severity.db', _('unknown'))
    #print(pid)
@ -1656,13 +1652,16 @@ def is_skippable_dir(path):
        return True
    return False

-def read_profiles():
+def read_profiles(ui_msg=False):
    # we'll read all profiles from disk, so reset the storage first (autodep() might have created/stored
    # a profile already, which would cause a 'Conflicting profile' error in attach_profile_data())
    global aa, original_aa
    aa = hasher()
    original_aa = hasher()

+    if ui_msg:
+        aaui.UI_Info(_('Updating AppArmor profiles in %s.') % profile_dir)
+
    try:
        os.listdir(profile_dir)
    except: