From b0b45b01c0f335d4a015786fa6cbac3b119a4e4a Mon Sep 17 00:00:00 2001
From: Georgia Garcia
Date: Thu, 13 Mar 2025 10:58:30 -0300
Subject: [PATCH] utils: don't skip disabled profiles for aa-enforce

When running aa-disable and then aa-enforce passing the binary path as the argument, aa-enforce fails to enforce the profile with the error: $ sudo aa-disable /home/foo/test skipping disabled profile test Profile for /home/foo/test not found, skipping According to the man page for aa-enforce, it should work for disabled profiles. Note that this does not happen when passing the profile directly to the tools, so there's a workaround for this issue: $ sudo /aa-enforce /etc/apparmor.d/test Setting /etc/apparmor.d/test to enforce mode.

Signed-off-by: Georgia Garcia
---
 utils/apparmor/aa.py | 4 ++--
 utils/apparmor/tools.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index df3e2e9d2..fc1ef2b98 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1598,7 +1598,7 @@ def update_profiles(ui_msg=False, skip_profiles=()):
 print(_("Error while loading profiles: {}").format(e))
-def read_profiles(ui_msg=False, skip_profiles=()):
+def read_profiles(ui_msg=False, skip_profiles=(), skip_disabled=True):
 # we'll read all profiles from disk, so reset the storage first (autodep() might have created/stored
 # a profile already, which would cause a 'Conflicting profile' error in attach_profile_data())
 #
@@ -1620,7 +1620,7 @@ def read_profiles(ui_msg=False, skip_profiles=()):
 if os.path.isfile(full_file):
 if is_skippable_file(file):
 continue
- elif os.path.exists(f'{profile_dir}/disable/{file}'):
+ elif skip_disabled and os.path.exists(f'{profile_dir}/disable/{file}'):
 aaui.UI_Info("skipping disabled profile %s" % file)
 continue
 elif file in skip_profiles:
diff --git a/utils/apparmor/tools.py b/utils/apparmor/tools.py
index 6d7854d4f..e348af3ca 100644
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
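Review bot: The new `skip_disabled` parameter on `read_profiles()` is undocumented, and the visible lines show no docstring, so a caller cannot tell that passing `False` loads profiles that have an entry under `profile_dir/disable/` into the in-memory store. I would add a docstring under the signature, for example `"""Read all profiles from profile_dir; with skip_disabled=False, profiles listed in profile_dir/disable/ are read as well."""`. Since the flag relaxes a filter, making it keyword-only (`def read_profiles(ui_msg=False, skip_profiles=(), *, skip_disabled=True):`) would stop a stray third positional argument from switching the skip off by accident. The body of read_profiles continues outside this hunk.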
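Review bot: With `skip_disabled` false, the `elif skip_disabled and os.path.exists(...)` branch stops filtering entirely, so every disabled profile in the directory is read, not only the one the user asked to enforce. Profiles are often disabled because they fail to parse or duplicate another profile, and the comment at the top of read_profiles already mentions a 'Conflicting profile' error from attach_profile_data(). If such a file raises while being read, aa-enforce could fail for an unrelated target; the error handling is outside the hunk, so this needs confirming. A test that enforces one program while a second, duplicate or unparsable disabled profile sits in the directory would settle it. The "skipping disabled profile" message is also the only trace of disable state here, so an `aaui.UI_Info` line when a disabled profile is read would keep the tool's output auditable.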
@@ -27,7 +27,7 @@ _ = init_translation()
 class aa_tools:
 def __init__(self, tool_name, args):
 apparmor.init_aa(profiledir=args.dir, confdir=args.configdir)
- apparmor.read_profiles()
+ apparmor.read_profiles(skip_disabled=(tool_name != 'enforce'))
 if not user_perm(apparmor.profile_dir):
 raise AppArmorException("Cannot write to profile directory: %s" % (apparmor.profile_dir))
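Review bot: `skip_disabled=(tool_name != 'enforce')` hangs the behaviour on a string literal compared inside the constructor, with nothing saying why enforce is the exception. A comment above the call would record the reason: `# aa-enforce must be able to find disabled profiles so it can re-enable them (see the aa-enforce man page)`. If other tools built on aa_tools are also documented to act on disabled profiles, they would still hit the "Profile for ... not found, skipping" path from the commit message when given a binary path, which is worth checking. A regression test running aa-disable and then aa-enforce on a binary path would pin the fix. The class body continues outside this hunk.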