utils: split out aa-audit function

This patch moves the audit functionality to an audit specific command function. As an aside, the -r option is left in place here, because aa-audit is a bit orthogonal to aa-enforce, aa-complain, and aa-disable. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-03-04 08:24:42 +01:00 · 2014-03-06 11:52:00 -08:00 · 2014-03-06 11:52:00 -08:00 · d37de1fd46
commit d37de1fd46
parent 0f32b02deb
2 changed files with 26 additions and 9 deletions
--- a/utils/aa-audit
+++ b/utils/aa-audit
@ -29,9 +29,10 @@ parser.add_argument('--trace', action='store_true', help=_('Show full trace'))
 args = parser.parse_args()

 try:
-    audit = apparmor.tools.aa_tools('audit', args)
+    tool = apparmor.tools.aa_tools('audit', args)
+
+    tool.cmd_audit()

-    audit.act()
 except Exception as e:
    if not args.trace:
        print(e.value + "\n")
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@ -115,13 +115,6 @@ class aa_tools:
                    if not os.path.isfile(filename) or apparmor.is_skippable_file(filename):
                        aaui.UI_Info(_('Profile for %s not found, skipping') % program)

-                    elif self.name == 'audit':
-                        if not self.remove:
-                            aaui.UI_Info(_('Setting %s to audit mode.') % program)
-                        else:
-                            aaui.UI_Info(_('Removing audit mode from %s.') % program)
-                        apparmor.change_profile_flags(filename, program, 'audit', not self.remove)
-
                    else:
                        # One simply does not walk in here!
                        raise apparmor.AppArmorException('Unknown tool: %s' % self.name)
@ -193,6 +186,29 @@ class aa_tools:
            if cmd_info[0] != 0:
                raise apparmor.AppArmorException(cmd_info[1])

+    def cmd_audit(self):
+        for (program, profile) in self.get_next_to_profile():
+
+            apparmor.read_profiles()
+            output_name = profile if program is None else program
+
+            if not os.path.isfile(profile) or apparmor.is_skippable_file(profile):
+                aaui.UI_Info(_('Profile for %s not found, skipping') % output_name)
+                continue
+
+            # keep this to allow toggling 'audit' flags
+            if not self.remove:
+                aaui.UI_Info(_('Setting %s to audit mode.') % output_name)
+            else:
+                aaui.UI_Info(_('Removing audit mode from %s.') % output_name)
+            apparmor.change_profile_flags(profile, program, 'audit', not self.remove)
+
+            # FIXME: this should be a profile_reload function/method
+            cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
+
+            if cmd_info[0] != 0:
+                raise apparmor.AppArmorException(cmd_info[1])
+
    def clean_profile(self, program):
        filename = apparmor.get_profile_filename(program)
        import apparmor.cleanprofile as cleanprofile