utils: don't skip disabled profiles for aa-enforce

When running aa-disable and then aa-enforce passing the binary path as the argument, aa-enforce fails to enforce the profile with the error: $ sudo aa-disable /home/foo/test skipping disabled profile test Profile for /home/foo/test not found, skipping According to the man page for aa-enforce, it should work for disabled profiles. Note that this does not happen when passing the profile directly to the tools, so there's a workaround for this issue: $ sudo /aa-enforce /etc/apparmor.d/test Setting /etc/apparmor.d/test to enforce mode. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> (cherry picked from commit b0b45b01c0) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-30 22:05:27 +00:00 · 2025-03-13 10:58:30 -03:00
parent 970a035e86
commit 2a78af408a
2 changed files with 3 additions and 3 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1618,7 +1618,7 @@ def update_profiles(ui_msg=False, skip_profiles=()):
        print(_("Error while loading profiles: {}").format(e))


-def read_profiles(ui_msg=False, skip_profiles=()):
+def read_profiles(ui_msg=False, skip_profiles=(), skip_disabled=True):
    # we'll read all profiles from disk, so reset the storage first (autodep() might have created/stored
    # a profile already, which would cause a 'Conflicting profile' error in attach_profile_data())
    #
@@ -1641,7 +1641,7 @@ def read_profiles(ui_msg=False, skip_profiles=()):
        if os.path.isfile(full_file):
            if is_skippable_file(file):
                continue
-            elif os.path.exists(f'{profile_dir}/disable/{file}'):
+            elif skip_disabled and os.path.exists(f'{profile_dir}/disable/{file}'):
                aaui.UI_Info("skipping disabled profile %s" % file)
                continue
            elif file in skip_profiles:
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -27,7 +27,7 @@ _ = init_translation()
 class aa_tools:
    def __init__(self, tool_name, args):
        apparmor.init_aa(profiledir=args.dir, confdir=args.configdir)
-        apparmor.read_profiles()
+        apparmor.read_profiles(skip_disabled=(tool_name != 'enforce'))

        if not user_perm(apparmor.profile_dir):
            raise AppArmorException("Cannot write to profile directory: %s" % (apparmor.profile_dir))