[apparmor] [PATCH 4/8] Remove testing for AARE as it is the only matching engine
Tyler Hicks
tyhicks at canonical.com
Fri Sep 27 21:35:11 UTC 2013
On 2013-09-13 22:46:21, Steve Beattie wrote:
> On Thu, Sep 12, 2013 at 04:08:52PM -0700, Steve Beattie wrote:
> > On Wed, Sep 11, 2013 at 01:47:43AM -0700, Tyler Hicks wrote:
> > > From: John Johansen <john.johansen at canonical.com>
> > >
> > > Remove use of AARE_DFA as the alternate pcre matching engine was removed
> > > years ago.
> >
> > I haven't figured out what's going wrong, but this patch breaks profile
> > loading around hats:
> >
> > $ cat /tmp/sdtest.24517-4609-fPslqn/profile
> > /home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_ptrace {
> >
> > ^sub {
> > /proc/*/attr/current w,
> > }
> > }
> >
> > $ cat /tmp/sdtest.24517-4609-fPslqn/profile.no_hat
> > /home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_ptrace {
> >
> > }
> >
> > $ sudo ../../../parser/apparmor_parser /tmp/sdtest.24517-4609-fPslqn/profile
> > ../../../parser/apparmor_parser: Unable to add "sub". Profile doesn't exist
> >
> > $ sudo ../../../parser/apparmor_parser -r /tmp/sdtest.24517-4609-fPslqn/profile
> > ../../../parser/apparmor_parser: Unable to replace "sub". Profile doesn't exist
> >
> > $ sudo ../../../parser/apparmor_parser /tmp/sdtest.24517-4609-fPslqn/profile.no_hat
> >
> > $ sudo ../../../parser/apparmor_parser -r /tmp/sdtest.24517-4609-fPslqn/profile
> > ../../../parser/apparmor_parser: Unable to replace "/home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_ptrace". Profile doesn't conform to protocol
>
> Alright, I think I've tracked down the specific issue from this patch:
>
> In:
>
> > diff --git a/parser/parser_interface.c b/parser/parser_interface.c
> > index fdd610d..5c2b486 100644
> > --- a/parser/parser_interface.c
> > +++ b/parser/parser_interface.c
> > @@ -665,18 +663,13 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
> > }
> >
> > /* either have a single dfa or lists of different entry types */
> > - if (regex_type == AARE_DFA) {
> > - if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
> > - return 0;
> > + if (!sd_serialize_dfa(p, profile->dfa, profile->dfa_size))
> > + return 0;
> >
> > - if (!sd_serialize_xtable(p, profile->exec_table))
> > - return 0;
> > - } else {
> > - PERROR(_("Unknown pattern type\n"));
> > - return 1;
> > - }
> > + if (!sd_serialize_xtable(p, profile->exec_table))
> > + return 0;
> >
> > - if (profile->hat_table && regex_type != AARE_DFA) {
> > + if (profile->hat_table) {
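Review bot: The last changed line, `if (profile->hat_table) {`, loosens a condition where the rest of the hunk removes dead ones. In the old code the non-AARE_DFA case returned from the `else` branch above, so `profile->hat_table && regex_type != AARE_DFA` could never be true and the block it guards was unreachable. Dropping only the `regex_type != AARE_DFA` half makes that block run for every profile that has a hat table. Delete the guarded block together with the test rather than keeping it under `profile->hat_table` alone.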
>
> Note that the test removed here is if regex_type != AARE_DFA, *not* if
> regex_type == AARE_DFA. Since we don't support non AARE_DFA matching
> anymore, the code block that follows this test should be removed
> entirely, like so:
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
> ---
Looks good - I'll roll it into the original patch. Thanks!
Tyler
> parser/parser_interface.c | 9 ---------
> 1 file changed, 9 deletions(-)
>
> Index: b/parser/parser_interface.c
> ===================================================================
> --- a/parser/parser_interface.c
> +++ b/parser/parser_interface.c
> @@ -669,15 +669,6 @@ int sd_serialize_profile(sd_serialize *p
> if (!sd_serialize_xtable(p, profile->exec_table))
> return 0;
>
> - if (profile->hat_table) {
> - if (!sd_write_list(p, "hats"))
> - return 0;
> - if (load_hats(p, profile) != 0)
> - return 0;
> - if (!sd_write_listend(p))
> - return 0;
> -
> - }
> if (!sd_write_structend(p))
> return 0;
>
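Review bot: The deleted block contains the `load_hats(p, profile)` call, and nothing in this hunk shows whether another caller remains. If this was the only one, remove `load_hats` in the same patch so the parser does not keep unused serialization code. The patch also carries only a Signed-off-by line, so add a sentence to the description stating that the "hats" list is no longer written by `sd_serialize_profile`.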
>
> With this incorporated into the patch, the regression tests all pass
> again, in particular all the tests that load hats.
>
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/