[apparmor] aa.py: fix netrules_access_check()

Kshitij Gupta kgupta8592 at gmail.com
Mon Oct 20 19:34:45 UTC 2014


Hello,

On Tue, Oct 21, 2014 at 12:19 AM, Christian Boltz <apparmor at cboltz.de>
wrote:

> Hello,
>
> Am Sonntag, 19. Oktober 2014 schrieb Christian Boltz:
> > netrules_access_check() in aa.py checks if
> >     type(netrules['rule'][family]) == dict
> > however this check always returns false (at least with py3, I didn't
> > test with py2).
> >
> > This broken type check is the reason for
> > https://bugs.launchpad.net/apparmor/+bug/1380368
> >     aa-logprof doesn't propose abstractions for network rules
> > and
> > https://bugs.launchpad.net/apparmor/+bug/1380367
> >     aa-logprof asks for already existing network rules
> >
> > The following patch fixes both bugs:
>
>
Thanks for tracing down relevant bug-reports. Please update the
bug-reports. :-)


> > So the type check (or another check) is still needed. Any ideas how to
> > implement it in a way that works?
>
> After some discussion with Kshitij on #apparmor here's the working
> patch.
>
> Note that the type check itself is (nearly?) always true, but it's
> needed as a safety net because in theory netrules['rule'][family] could
> be boolean True - see line 2994.
>
Update: cboltz found the type check did avert a crash in case of a rule
like "network inet".

> The sock_type in .....keys() check is there to ensure the hasher doesn't
> automagically add an empty sub-dict, which caused the regression in the
> first version of my patch.
>
> ReasonsWhyShouldWeGetRidOfHasherMagicAndMoveToClasses++;


>
> === modified file 'utils/apparmor/aa.py'
> --- utils/apparmor/aa.py        2014-10-20 18:07:24 +0000
> +++ utils/apparmor/aa.py        2014-10-20 18:40:53 +0000
> @@ -4460,7 +4460,8 @@
>      if netrules['rule'].get(family, False) is True:
>          all_net_family = True
>      if (netrules['rule'].get(family, False) and
> -            type(netrules['rule'][family]) == dict and
> +            type(netrules['rule'][family]) == type(hasher()) and
> +            sock_type in netrules['rule'][family].keys() and
>              netrules['rule'][family][sock_type]):
>          net_family_sock = True
>
>
>
>
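Review bot: the two added conditions in the `net_family_sock` test need a code comment, since neither line explains itself: per the discussion, the type comparison is a safety net for `netrules['rule'][family]` being boolean `True`, and the `sock_type in ... .keys()` test is there so the lookup on the following line does not make the hasher add an empty sub-dict. As a style point, `type(netrules['rule'][family]) == type(hasher())` builds a throwaway object on every call just to read its type; an `isinstance()` test against the class that hasher() returns would say the same thing more directly, and `sock_type in netrules['rule'][family]` is the same membership test without `.keys()`.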
Thanks for the patch.

Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.

Regards,

Kshitij Gupta

> Regards,
>
> Christian Boltz
> --
> Programming today is a race between software engineers striving to build
> bigger and better idiot-proof programs, and the Universe trying to
> produce bigger and better idiots. So far, the Universe is winning.
>
>
>
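The behaviour discussed in this thread, as an added example that is not part of the original mail or of AppArmor's code: it assumes `hasher()` returns a recursively auto-creating `collections.defaultdict`, and the function names and sample rules are constructed for illustration. It shows why the exact-type comparison against `dict` never matches, why a boolean `True` entry needs the type guard, and how reading a missing socket type without the membership test silently adds an empty entry to the rule set.

```python
import collections


def hasher():
    # Assumption: a nested dict that creates missing keys on access.
    return collections.defaultdict(hasher)


def check_old(netrules, family, sock_type):
    """Pre-patch condition: exact type comparison against dict."""
    return bool(netrules['rule'].get(family, False)
                and type(netrules['rule'][family]) == dict
                and netrules['rule'][family][sock_type])


def check_patched(netrules, family, sock_type):
    """Condition as written in the patch hunk."""
    return bool(netrules['rule'].get(family, False)
                and type(netrules['rule'][family]) == type(hasher())
                and sock_type in netrules['rule'][family].keys()
                and netrules['rule'][family][sock_type])


def check_without_key_test(netrules, family, sock_type):
    """Hypothetical variant: type check fixed, membership test omitted.

    Reading a missing sock_type makes the hasher create an empty
    sub-dict, so a read-only check mutates the parsed rules.
    """
    return bool(netrules['rule'].get(family, False)
                and type(netrules['rule'][family]) == type(hasher())
                and netrules['rule'][family][sock_type])


def sample_rules():
    # Constructed sample: "network inet stream," and a bare "network inet6,"
    rules = hasher()
    rules['rule']['inet']['stream'] = True
    rules['rule']['inet6'] = True
    return rules


if __name__ == '__main__':
    r = sample_rules()
    print('old check sees inet/stream:    ', check_old(r, 'inet', 'stream'))
    print('patched check sees inet/stream:', check_patched(r, 'inet', 'stream'))
    check_without_key_test(r, 'inet', 'dgram')
    print('keys after unguarded lookup:   ', sorted(r['rule']['inet']))
```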