[apparmor] [patch] fix severity.py / handle_variable_rank for filenames containing @

Steve Beattie steve at nxnw.org
Fri Oct 10 20:47:48 UTC 2014


Hey Christian,

On Fri, Oct 10, 2014 at 09:21:34PM +0200, Christian Boltz wrote:
> if a filename mentioned in audit.log contains an @, aa-logprof crashes 
> with
> 
> # cat audit.log-not-a-variable
> type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist at disk" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"
> 
> # aa-logprof -f audit.log-not-a-variable    
> Reading log entries from audit.log-variable.
> Aktualisiere AppArmor-Profile in /etc/apparmor.d.
> Traceback (most recent call last):
>   File "aa-logprof", line 52, in <module>
>     apparmor.do_logprof_pass(logmark)
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 2267, in do_logprof_pass
>     handle_children('', '', root)
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 1245, in handle_children
>     severity = sev_db.rank(exec_target, 'x')
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 134, in rank
>     return self.handle_variable_rank(resource, mode)
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 147, in handle_variable_rank
>     variable = regex_variable.search(resource).groups()[0]
> AttributeError: 'NoneType' object has no attribute 'groups'
> 
> 
> handle_variable_rank() checked with   if '@' in resource:
> and if it finds it, expects it can match a variable, which means   @{.....}
> If a filename contains a   @   this fails.

Ugh.

> The patch fixes the if condition so that it does a regex match.
> 
> === modified file 'utils/apparmor/severity.py'
> --- utils/apparmor/severity.py  2014-02-13 18:01:03 +0000
> +++ utils/apparmor/severity.py  2014-10-10 19:13:53 +0000
> @@ -143,7 +143,7 @@
>          """Returns the max possible rank for file resources containing variables"""
>          regex_variable = re.compile('@{([^{.]*)}')
>          rank = None
> -        if '@' in resource:
> +        if regex_variable.search(resource):
>              variable = regex_variable.search(resource).groups()[0]
>              variable = '@{%s}' % variable
>              #variables = regex_variable.findall(resource)
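Review bot: the `+` line runs `regex_variable.search(resource)` once for the condition and the unchanged line below it runs the same search again just to extract the group; hold the match object instead, e.g. `match = regex_variable.search(resource)` / `if match:` / `variable = match.groups()[0]`, so the condition and the extraction cannot drift apart and the regex runs once per call. With the old `'@' in resource` test, a path such as the `name=` value in the quoted log line satisfied the condition without matching `@{...}`, which is exactly why `.groups()` was called on `None`; a unit test that feeds such a non-variable path through `handle_variable_rank()` would pin the fix in place.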

Can you cache the result of doing the regex_variable.search() call,
rather than doing it twice?

Also, some unit tests that exercise this method,
handle_variable_rank(), of the Severity class would be nice.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/