Allow aa-complain etc. to change profiles for non-existing binaries

aa-complain, aa-enforce, aa-disable and aa-audit refused to change profiles for non-existing binaries. This patch also allows paths starting with /. This also makes it possible to use aa-complain '/{usr/,}bin/ping' and aa-complain /etc/apparmor.d/bin.ping This patch fixes https://bugs.launchpad.net/apparmor/+bug/1416346 Well, mostly - we still need to decide how we handle wildcards in profile names: aa-complain ping aa-complain /usr/bin/ping will still error out with "Profile not found" because it isn't an exact match (and matching the wildcard would change more than the user wants). Oh, and this patch also fixes the last failure in minitools_test.py. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2025-08-30 13:58:22 +00:00 · 2015-06-06 14:25:41 +02:00
parent ac665528ea
commit 3ccbc2e65d
1 changed files with 1 additions and 1 deletions
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -57,7 +57,7 @@ class aa_tools:

            program = None
            profile = None
-            if os.path.exists(p):
+            if os.path.exists(p) or p.startswith('/'):
                fq_path = apparmor.get_full_path(p).strip()
                if os.path.commonprefix([apparmor.profile_dir, fq_path]) == apparmor.profile_dir:
                    program = None