tools.py: add functions to unload and reload profiles

and change the code to use them.

Also add a comment to act() that it's only used by aa-cleanprof.

Note: The new functions add the --base parameter to the apparmor_parser
calls, which also means the disable directory inside the given profile
dir (and not always /etc/apparmor.d/disable) is now honored.


Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.

utils/apparmor/tools.py

@@ -82,6 +82,7 @@ class aa_tools:
             yield (program, profile)
 
     def act(self):
+        # used by aa-cleanprof
         apparmor.read_profiles()
 
         for (program, profile) in self.get_next_to_profile():
@@ -109,10 +110,7 @@ class aa_tools:
                         # One simply does not walk in here!
                         raise apparmor.AppArmorException('Unknown tool: %s' % self.name)
 
-                    cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-R', filename])
-
-                    if cmd_info[0] != 0:
-                        raise apparmor.AppArmorException(cmd_info[1])
+                    self.reload_profile(profile)
 
             else:
                 if '/' not in program:
@@ -135,12 +133,7 @@ class aa_tools:
             aaui.UI_Info(_('Disabling %s.') % output_name)
             self.disable_profile(profile)
 
-            # FIXME: this should be a profile_remove function/method
-            # FIXME: should ensure profile is loaded before unloading
-            cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-R', profile])
-
-            if cmd_info[0] != 0:
-                raise apparmor.AppArmorException(cmd_info[1])
+            self.unload_profile(profile)
 
     def cmd_enforce(self):
         apparmor.read_profiles()
@@ -155,11 +148,7 @@ class aa_tools:
 
             apparmor.set_enforce(profile, program)
 
-            # FIXME: this should be a profile_reload function/method
-            cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
-
-            if cmd_info[0] != 0:
-                raise apparmor.AppArmorException(cmd_info[1])
+            self.reload_profile(profile)
 
     def cmd_complain(self):
         apparmor.read_profiles()
@@ -174,11 +163,7 @@ class aa_tools:
 
             apparmor.set_complain(profile, program)
 
-            # FIXME: this should be a profile_reload function/method
-            cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
-
-            if cmd_info[0] != 0:
-                raise apparmor.AppArmorException(cmd_info[1])
+            self.reload_profile(profile)
 
     def cmd_audit(self):
         apparmor.read_profiles()
@@ -198,11 +183,7 @@ class aa_tools:
                 aaui.UI_Info(_('Removing audit mode from %s.') % output_name)
             apparmor.change_profile_flags(profile, program, 'audit', not self.remove)
 
-            # FIXME: this should be a profile_reload function/method
-            cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])
-
-            if cmd_info[0] != 0:
-                raise apparmor.AppArmorException(cmd_info[1])
+            self.reload_profile(profile)
 
     def cmd_autodep(self):
         apparmor.read_profiles()
@@ -261,3 +242,16 @@ class aa_tools:
 
     def disable_profile(self, filename):
         apparmor.create_symlink('disable', filename)
+
+    def unload_profile(self, profile):
+        # FIXME: should ensure profile is loaded before unloading
+        cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '--base', apparmor.profile_dir, '-R', profile])
+
+        if cmd_info[0] != 0:
+            raise apparmor.AppArmorException(cmd_info[1])
+
+    def reload_profile(self, profile):
+        cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '--base', apparmor.profile_dir, '-r', profile])
+
+        if cmd_info[0] != 0:
+            raise apparmor.AppArmorException(cmd_info[1])