Set flags for profiles represented by a glob

Getting and Setting profile represented by a glob does not work correctly because they are checked for equality. Use a glob match to check for them. Also, add a warning stating that the profile being set represents multiple programs. traceroute is an example whose profile name is represented as /usr/{sbin/traceroute,bin/traceroute.db} and exhibits the issue: Setting /usr/sbin/traceroute to enforce mode. ERROR: /etc/apparmor.d/usr.sbin.traceroute contains no profile Signed-off-by: Goldwyn <goldwyn@fiona.lan>
2025-09-05 00:35:13 +00:00 · 2018-04-10 09:02:09 -05:00
parent f3c39034ae
commit 5e187daa0b
1 changed files with 12 additions and 3 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -612,9 +612,12 @@ def get_profile_flags(filename, program):
        for line in f_in:
            if RE_PROFILE_START.search(line):
                matches = parse_profile_start_line(line, filename)
-                profile = matches['profile']
+                if (matches['attachment'] is not None):
+                    profile_glob = AARE(matches['attachment'], True)
+                else:
+                    profile_glob = AARE(matches['profile'], True)
                flags = matches['flags']
-                if profile == program or program is None:
+                if (program is not None and profile_glob.match(program)) or program is None:
                    return flags

    raise AppArmorException(_('%s contains no profile') % filename)
@@ -667,8 +670,14 @@ def set_profile_flags(prof_filename, program, newflags):
                    space = matches['leadingspace'] or ''
                    profile = matches['profile']

-                    if profile == program or program is None:
+                    if (matches['attachment'] is not None):
+                        profile_glob = AARE(matches['attachment'], True)
+                    else:
+                        profile_glob = AARE(matches['profile'], True)
+                    if (program is not None and profile_glob.match(program)) or program is None:
                        found = True
+                        if program is not None and program != profile:
+                          aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
                        header_data = {
                            'attachment': matches['attachment'] or '',
                            'flags': newflags,