[apparmor] [patch 3/3] use capability rule class in aa.py and cleanprof.py
Steve Beattie
steve at nxnw.org
Tue Nov 25 20:27:37 UTC 2014
On Sun, Nov 23, 2014 at 01:01:31AM +0100, Christian Boltz wrote:
> Am Freitag, 21. November 2014 schrieb Steve Beattie:
> > On Sat, Nov 15, 2014 at 11:46:41PM +0100, Christian Boltz wrote:
> > > I also had to add several
> > > + if write_prof_data[name].get(segs, False):
> > > +
> > > write_prof_data[name][segs].delete_all_rules() in
> > > serialize_profile_from_old_profile(). That's needed to avoid
> > > writing rules twice.
> >
> > Is this rule writing duplication because we no longer have an 'allow'
> > and 'deny' layer in the hasher hierarchy for capabilities?
>
> Exactly. See also this:
>
> > > On the positive side, when we have converted everything to
> > > rule classes, we can delete the four lines above each of these added
> > > lines :-)
>
> which deletes the rules from the "old" allow and deny branches.
So while testing with the v3 versions of the patches applied, the
delete_all_rules() invocation is getting called on non-capability
segments (or else the capability key is getting a hasher wrongly
assigned to it); e.g.:
The following local profiles were changed. Would you like to save them?
[1 - /home/ubuntu/tmp/spork.sh]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
Traceback (most recent call last):
  File "./aa-logprof", line 54, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/ubuntu/bzr/apparmor/utils/apparmor/aa.py", line 2299, in do_logprof_pass
    save_profiles()
  File "/home/ubuntu/bzr/apparmor/utils/apparmor/aa.py", line 2379, in save_profiles
    newprofile = serialize_profile_from_old_profile(aa[which], which, '')
  File "/home/ubuntu/bzr/apparmor/utils/apparmor/aa.py", line 4198, in serialize_profile_from_old_profile
    write_prof_data[name][segs].delete_all_rules()
AttributeError: 'collections.defaultdict' object has no attribute 'delete_all_rules'
That's from running aa-logprof with added child execs and an added
file rule.
I *really* don't get how serialize_profile_from_old_profile() "works",
so I'm not quite sure what's going wrong or why.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
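The traceback above can be reproduced in isolation. The following is an added illustration written for this page, not code from the patch series or from the AppArmor utils tree: it rebuilds the nested-defaultdict "hasher" pattern (mirroring the old `def hasher(): return collections.defaultdict(hasher)` style) with a constructed profile in which only the 'capability' segment has been converted to a rule-class object, and then runs the quoted `if write_prof_data[name].get(segs, False): ... delete_all_rules()` pattern over the 'capability', 'allow' and 'deny' segments. The `CapabilityRuleset` class, the `/usr/bin/example` profile name and the guarded variant are all hypothetical stand-ins.

```python
import collections


def hasher():
    # Re-implementation of the nested-defaultdict pattern named in the
    # traceback ('collections.defaultdict'); constructed here, not imported
    # from apparmor.common.
    return collections.defaultdict(hasher)


class CapabilityRuleset:
    # Hypothetical stand-in for a rule-class ruleset that offers
    # delete_all_rules(); only converted segments have such an object.
    def __init__(self, rules):
        self.rules = list(rules)

    def delete_all_rules(self):
        self.rules = []


def build_profile_data():
    # Constructed sample: the 'capability' segment is a rule-class object,
    # while 'allow' and 'deny' are still plain hasher branches.
    prof = hasher()
    prof['/usr/bin/example']['capability'] = CapabilityRuleset(['net_admin'])
    prof['/usr/bin/example']['allow']['path']['/etc/passwd'] = {'mode': 'r'}
    prof['/usr/bin/example']['deny']['path']['/etc/shadow'] = {'mode': 'r'}
    return prof


def delete_rules_unguarded(write_prof_data, name):
    # The pattern from the quoted patch fragment, applied to every segment.
    # .get() returns the non-empty nested hasher for 'allow'/'deny', which is
    # truthy but has no delete_all_rules(), hence the AttributeError.
    for segs in ('capability', 'allow', 'deny'):
        if write_prof_data[name].get(segs, False):
            write_prof_data[name][segs].delete_all_rules()


def delete_rules_guarded(write_prof_data, name):
    # Hypothetical guard: only clear segments that actually carry a rule-class
    # object, leaving unconverted hasher branches untouched. Returns the list
    # of segments that were cleared.
    cleared = []
    for segs in ('capability', 'allow', 'deny'):
        seg = write_prof_data[name].get(segs, False)
        if seg and hasattr(seg, 'delete_all_rules'):
            seg.delete_all_rules()
            cleared.append(segs)
    return cleared


def reproduce_error():
    # Returns the AttributeError message produced by the unguarded pattern,
    # or None if no error was raised.
    try:
        delete_rules_unguarded(build_profile_data(), '/usr/bin/example')
    except AttributeError as err:
        return str(err)
    return None


if __name__ == '__main__':
    print(reproduce_error())
    data = build_profile_data()
    print(delete_rules_guarded(data, '/usr/bin/example'))
```

Because a hasher branch that has ever been touched is a non-empty `defaultdict`, the `.get(segs, False)` test is true for any populated segment, converted or not; the guard has to distinguish rule-class objects from hasher branches (here by `hasattr`, an `isinstance` check against the rule-class base would be the stricter choice), or the delete call has to be restricted to the segments that were actually converted.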