[apparmor] [PATCH 4/8] Remove testing for AARE as it is the only matching engine

Steve Beattie steve at nxnw.org
Sat Sep 14 05:46:21 UTC 2013


On Thu, Sep 12, 2013 at 04:08:52PM -0700, Steve Beattie wrote:
> On Wed, Sep 11, 2013 at 01:47:43AM -0700, Tyler Hicks wrote:
> > From: John Johansen <john.johansen at canonical.com>
> > 
> > Remove use of AARE_DFA as the alternate pcre matching engine was removed
> > years ago.
> 
> I haven't figured out what's going wrong, but this patch breaks profile
> loading around hats:
> 
> $ cat /tmp/sdtest.24517-4609-fPslqn/profile
> /home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_ptrace {
> 
>   ^sub {
>     /proc/*/attr/current w,
>   }
> }
> 
> $ cat /tmp/sdtest.24517-4609-fPslqn/profile.no_hat
> /home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_ptrace {
> 
> }
> 
> $ sudo ../../../parser/apparmor_parser /tmp/sdtest.24517-4609-fPslqn/profile
> ../../../parser/apparmor_parser: Unable to add "sub".  Profile doesn't exist
> 
> $ sudo ../../../parser/apparmor_parser -r  /tmp/sdtest.24517-4609-fPslqn/profile
> ../../../parser/apparmor_parser: Unable to replace "sub".  Profile doesn't exist
> 
> $ sudo ../../../parser/apparmor_parser /tmp/sdtest.24517-4609-fPslqn/profile.no_hat
> 
> $ sudo ../../../parser/apparmor_parser -r /tmp/sdtest.24517-4609-fPslqn/profile
> ../../../parser/apparmor_parser: Unable to replace "/home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_ptrace".  Profile doesn't conform to protocol

Alright, I think I've tracked down the specific issue from this patch:

In:

> diff --git a/parser/parser_interface.c b/parser/parser_interface.c
> index fdd610d..5c2b486 100644
> --- a/parser/parser_interface.c
> +++ b/parser/parser_interface.c
> @@ -665,18 +663,13 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
>  	}
>  
>  	/* either have a single dfa or lists of different entry types */
> -	if (regex_type == AARE_DFA) {
> -		if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
> -			return 0;
> +	if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
> +		return 0;
>  
> -		if (!sd_serialize_xtable(p, profile->exec_table))
> -			return 0;
> -	} else {
> -		PERROR(_("Unknown pattern type\n"));
> -		return 1;
> -	}
> +	if (!sd_serialize_xtable(p, profile->exec_table))
> +		return 0;
>  
> -	if (profile->hat_table && regex_type != AARE_DFA) {
> +	if (profile->hat_table) {
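
Review bot: the last changed line, if (profile->hat_table) {, drops the wrong half of the old guard. With AARE_DFA as the only engine, regex_type != AARE_DFA was always false, so the body under the old condition never ran; reducing it to profile->hat_table makes that body run for every profile that has hats and changes the serialized stream. When folding out a constant comparison, treat == AARE_DFA as always true and != AARE_DFA as always false, so this if and its body should be deleted rather than kept unconditionally. The commit message should also say that the hat-list block was dead code, since its removal is more than dropping a test.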

Note that the test removed here is if regex_type != AARE_DFA, *not* if
regex_type == AARE_DFA. Since we don't support non AARE_DFA matching
anymore, the code block that follows this test should be removed
entirely, like so:

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 parser/parser_interface.c |    9 ---------
 1 file changed, 9 deletions(-)

Index: b/parser/parser_interface.c
===================================================================
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -669,15 +669,6 @@ int sd_serialize_profile(sd_serialize *p
 	if (!sd_serialize_xtable(p, profile->exec_table))
 		return 0;
 
-	if (profile->hat_table) {
-		if (!sd_write_list(p, "hats"))
-			return 0;
-		if (load_hats(p, profile) != 0)
-			return 0;
-		if (!sd_write_listend(p))
-			return 0;
-
-	}
 	if (!sd_write_structend(p))
 		return 0;
 
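
Review bot: the deleted block contains a call to load_hats(p, profile), and the diffstat shows only these 9 deletions, so the definition of load_hats is left in place. Check whether load_hats has any remaining caller; if it does not, remove the helper in the same change so the parser does not carry an unused function. Since this is meant to be folded into patch 4/8, a one-line description above the Signed-off-by stating that the block was only reachable for non-DFA matching would make the reason clear in the history.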

With this incorporated into the patch, the regression tests all pass
again, in particular all the tests that load hats.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/