[apparmor] [patch] Fix crash in serialize_profile_from_old_profiles()

Christian Boltz apparmor at cboltz.de
Wed Apr 8 22:04:13 UTC 2015


Hello,

Assume you have a profile like

    /bin/foo {
      /etc/ r,
      network,
      /usr/ r,
    }

(important: there must be a non-path rule between the two path blocks)

Then run aa-logprof and add another path event. When choosing (V)iew changes,
it will crash with a misleading

  File ".../utils/apparmor/aamode.py", line 205, in split_mode
      other = mode - user
      TypeError: unsupported operand type(s) for -: 'collections.defaultdict' and 'set'

The reason for this is our beloved hasher, which is playing funny games
another time.

The patch wraps the hasher usage with a check for the parent element to
avoid auto-creation of empty children, which then leads to the above crash.


BTW: This is another issue uncovered by the LibreOffice profile ;-)

I propose this patch for trunk and 2.9


[ 36-fix-crash-in-serialize_profile_from_old_profiles.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-04-08 23:19:51.430530492 +0200
+++ utils/apparmor/aa.py        2015-04-08 23:46:19.106608343 +0200
@@ -4125,14 +4125,17 @@
                 else:
                     tmpmode = str_to_mode(mode)
 
-                if not write_prof_data[hat][allow]['path'][path].get('mode', set()) & tmpmode:
+                if not write_prof_data[hat][allow]['path'].get(path):
                     correct = False
+                else:
+                    if not write_prof_data[hat][allow]['path'][path].get('mode', set()) & tmpmode:
+                        correct = False
 
-                if nt_name and not write_prof_data[hat][allow]['path'][path].get('to', False) == nt_name:
-                    correct = False
+                    if nt_name and not write_prof_data[hat][allow]['path'][path].get('to', False) == nt_name:
+                        correct = False
 
-                if audit and not write_prof_data[hat][allow]['path'][path].get('audit', set()) & tmpmode:
-                    correct = False
+                    if audit and not write_prof_data[hat][allow]['path'][path].get('audit', set()) & tmpmode:
+                        correct = False
 
                 if correct:
                     if not segments['path'] and True in segments.values():
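Review bot: The new guard `if not write_prof_data[hat][allow]['path'].get(path):` tests truthiness rather than membership, so an entry that exists but is empty is handled the same way as a missing one, and nothing in the hunk says that this is intended. Writing it as `path not in write_prof_data[hat][allow]['path']` would state the intent directly, if only missing entries are meant. A one-line comment above the guard explaining that subscripting `[path]` on the hasher would auto-create an empty child would also help, since that reasoning currently lives only in the patch description. Note too that the `[hat][allow]['path']` subscripts in the guard itself are still plain indexing, so the same concern applies one level up if `hat` or `allow` can be absent here. The three inner checks repeat the full `write_prof_data[hat][allow]['path'][path]` chain; binding it to a local once inside the `else:` would shorten those lines and make the nesting easier to read.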



Regards,

Christian Boltz
-- 
a car also "works" with square tires; whether I would want to drive
such a thing is another question. [Björn Meier in postfixbuch-users]
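
The failure mode described in the message, as an added example that is not part of the original post or of the AppArmor code base. It assumes `hasher()` is a recursive `collections.defaultdict`; the profile data, the `/var/` path and the helper names (`unguarded_check`, `guarded_check`, `user_modes`) are constructed for illustration, with `user_modes` standing in for the later set arithmetic in `split_mode`.

```python
import collections


def hasher():
    # Assumption: an autovivifying dict, any missing key becomes a new hasher.
    return collections.defaultdict(hasher)


def build_profile():
    # Constructed sample: the two path rules of the /bin/foo profile above.
    prof = hasher()
    for path in ("/etc/", "/usr/"):
        prof["allow"]["path"][path]["mode"] = {"r"}
    return prof


def unguarded_check(prof, path, tmpmode):
    # Pre-patch shape: subscripting [path] silently creates an empty child.
    return bool(prof["allow"]["path"][path].get("mode", set()) & tmpmode)


def guarded_check(prof, path, tmpmode):
    # Post-patch shape: ask the parent first, so a lookup never writes.
    paths = prof["allow"]["path"]
    if not paths.get(path):
        return False
    return bool(paths[path].get("mode", set()) & tmpmode)


def user_modes(prof, user_mask):
    # Hypothetical later consumer: expects every stored 'mode' to be a set.
    # On an auto-created child, entry['mode'] is a defaultdict instead.
    return {p: e["mode"] - user_mask for p, e in prof["allow"]["path"].items()}


def demo():
    results = {}
    for name, check in (("unguarded", unguarded_check), ("guarded", guarded_check)):
        prof = build_profile()
        check(prof, "/var/", {"r"})  # read-only question about a new path
        try:
            user_modes(prof, {"w"})
            results[name] = "ok"
        except TypeError:
            results[name] = "TypeError"
        results[name + "_created"] = "/var/" in prof["allow"]["path"]
    return results


if __name__ == "__main__":
    print(demo())
```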



