[apparmor] [patch] fix severity.py / handle_variable_rank for filenames containing @
Steve Beattie
steve at nxnw.org
Fri Oct 10 20:47:48 UTC 2014
Hey Christian,
On Fri, Oct 10, 2014 at 09:21:34PM +0200, Christian Boltz wrote:
> if a filename mentioned in audit.log contains an @, aa-logprof crashes
> with
>
> # cat audit.log-not-a-variable
> type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist@disk" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"
>
> # aa-logprof -f audit.log-not-a-variable
> Reading log entries from audit.log-variable.
> Aktualisiere AppArmor-Profile in /etc/apparmor.d.
> Traceback (most recent call last):
>   File "aa-logprof", line 52, in <module>
>     apparmor.do_logprof_pass(logmark)
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 2267, in do_logprof_pass
>     handle_children('', '', root)
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 1245, in handle_children
>     severity = sev_db.rank(exec_target, 'x')
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 134, in rank
>     return self.handle_variable_rank(resource, mode)
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 147, in handle_variable_rank
>     variable = regex_variable.search(resource).groups()[0]
> AttributeError: 'NoneType' object has no attribute 'groups'
>
>
> handle_variable_rank() checked with if '@' in resource:
> and if it finds it, expects it can match a variable, which means @{.....}
> If a filename contains a @ this fails.
Ugh.
> The patch fixes the if condition so that it does a regex match.
>
> === modified file 'utils/apparmor/severity.py'
> --- utils/apparmor/severity.py 2014-02-13 18:01:03 +0000
> +++ utils/apparmor/severity.py 2014-10-10 19:13:53 +0000
> @@ -143,7 +143,7 @@
> """Returns the max possible rank for file resources containing variables"""
> regex_variable = re.compile('@{([^{.]*)}')
> rank = None
> - if '@' in resource:
> + if regex_variable.search(resource):
> variable = regex_variable.search(resource).groups()[0]
> variable = '@{%s}' % variable
> #variables = regex_variable.findall(resource)
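Review bot: the `+` line still leaves `regex_variable.search(resource)` evaluated twice, once in the new condition and again in the unchanged `variable = regex_variable.search(resource).groups()[0]` line right below it; bind the match once (`match = regex_variable.search(resource)`, `if match:`, `variable = match.groups()[0]`) so the guard and the value it protects cannot drift apart. The `regex_variable = re.compile('@{([^{.]*)}')` context line above is also re-run on every call of the method; a module-level constant would compile it once. A unit test that feeds a resource like the report's `/does/not/exist@disk` (an `@` with no `@{...}` reference) next to one that does contain a variable would pin down both the crash and the fix.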
Can you cache the result of doing the regex_variable.search() call,
rather than doing it twice?
Also, some unit tests that exercise this method,
handle_variable_rank(), of the Severity class would be nice.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
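To make the failure mode and the requested caching concrete, here is an added, self-contained example; it is not the AppArmor project's severity.py. It keeps the `@{([^{.]*)}` pattern from the hunk, shows the pre-patch check crashing on the report's filename, and stands in for `handle_variable_rank()` with a constructed severity table and variable map (`SEVERITY_TABLE`, `VARIABLES`, `rank_literal`, `extract_name` and `reproduces_crash` are all hypothetical names invented for this example). The ranking rule used here, highest rank of any matching prefix over every expansion of the variable, is a simplification, not the project's algorithm.

```python
import re

# Variable pattern copied from the quoted hunk: a variable reference looks like @{NAME}.
# Compiled once at module scope rather than on every call.
REGEX_VARIABLE = re.compile(r'@{([^{.]*)}')

# Constructed audit line: the one from the bug report, with the '@' in the filename.
AUDIT_LINE = ('type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" '
              'profile="/sbin/klogd" name="/does/not/exist@disk" pid=11832 comm="foo" '
              'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')

# Constructed, hypothetical severity table and variable expansions (not AppArmor's severity.db).
SEVERITY_TABLE = {
    '/etc/shadow': 10,
    '/etc/': 5,
    '/root/': 8,
    '/home/': 3,
    '/does/not/exist': 1,
}
VARIABLES = {'@{HOME}': ['/home/alice', '/root']}


def extract_name(logline):
    """Pull the name="..." field out of an audit line; that path is what gets ranked."""
    match = re.search(r'name="([^"]*)"', logline)
    return match.group(1) if match else None


def find_variable_buggy(resource):
    """Pre-patch check: a bare '@' is taken as proof that a @{VAR} reference exists.

    For '/does/not/exist@disk' search() returns None, so .groups() raises the
    AttributeError seen in the report's traceback."""
    if '@' in resource:
        return '@{%s}' % REGEX_VARIABLE.search(resource).groups()[0]
    return None


def reproduces_crash(resource):
    """True if the pre-patch check crashes on this resource."""
    try:
        find_variable_buggy(resource)
    except AttributeError:
        return True
    return False


def find_variable(resource):
    """Patched check with the match object cached, so search() runs exactly once."""
    match = REGEX_VARIABLE.search(resource)
    if match:
        return '@{%s}' % match.groups()[0]
    return None


def rank_literal(path):
    """Rank a path without variables: highest rank of any matching table prefix, 0 if none."""
    return max((rank for prefix, rank in SEVERITY_TABLE.items() if path.startswith(prefix)),
               default=0)


def handle_variable_rank(resource):
    """Stand-in for Severity.handle_variable_rank(): the maximum rank over all expansions
    of the variables in resource; None if a referenced variable is unknown."""
    variable = find_variable(resource)
    if variable is None:
        return rank_literal(resource)
    expansions = VARIABLES.get(variable)
    if not expansions:
        return None
    # Substitute each expansion and recurse, so a path with several variables still works.
    ranks = [handle_variable_rank(resource.replace(variable, value, 1)) for value in expansions]
    return None if None in ranks else max(ranks)


if __name__ == '__main__':
    name = extract_name(AUDIT_LINE)
    print(name, 'crashes pre-patch:', reproduces_crash(name))
    print(name, '->', handle_variable_rank(name))
    print('@{HOME}/.ssh/id_rsa ->', handle_variable_rank('@{HOME}/.ssh/id_rsa'))
```

The same three cases (a plain path containing `@`, a path with a known variable, a path with an unknown one) are the ones a unit test for the real `handle_variable_rank()` should cover, since the first is exactly the input the old `'@' in resource` guard mishandled.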