[apparmor] [patch] Fix crash in serialize_profile_from_old_profiles()
Christian Boltz
apparmor at cboltz.de
Wed Apr 8 22:04:13 UTC 2015
Hello,
Assume you have a profile like
  /bin/foo {
    /etc/ r,
    network,
    /usr/ r,
  }
(important: there must be a non-path rule between the two path blocks)
Then run aa-logprof and add another path event. When choosing (V)iew changes,
it will crash with a misleading
  File ".../utils/apparmor/aamode.py", line 205, in split_mode
    other = mode - user
TypeError: unsupported operand type(s) for -: 'collections.defaultdict' and 'set'
The reason for this is our beloved hasher, which is playing funny games
another time.
The patch wraps the hasher usage with a check for the parent element to
avoid auto-creation of empty children, which then lead to the above crash.
BTW: This is another issue uncovered by the LibreOffice profile ;-)
I propose this patch for trunk and 2.9
[ 36-fix-crash-in-serialize_profile_from_old_profiles.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-04-08 23:19:51.430530492 +0200
+++ utils/apparmor/aa.py 2015-04-08 23:46:19.106608343 +0200
@@ -4125,14 +4125,17 @@
else:
tmpmode = str_to_mode(mode)
- if not write_prof_data[hat][allow]['path'][path].get('mode', set()) & tmpmode:
+ if not write_prof_data[hat][allow]['path'].get(path):
correct = False
+ else:
+ if not write_prof_data[hat][allow]['path'][path].get('mode', set()) & tmpmode:
+ correct = False
- if nt_name and not write_prof_data[hat][allow]['path'][path].get('to', False) == nt_name:
- correct = False
+ if nt_name and not write_prof_data[hat][allow]['path'][path].get('to', False) == nt_name:
+ correct = False
- if audit and not write_prof_data[hat][allow]['path'][path].get('audit', set()) & tmpmode:
- correct = False
+ if audit and not write_prof_data[hat][allow]['path'][path].get('audit', set()) & tmpmode:
+ correct = False
if correct:
if not segments['path'] and True in segments.values():
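Review bot: the new guard `if not write_prof_data[hat][allow]['path'].get(path):` has no comment saying why it exists, so a later cleanup could fold it back into the direct `[path]` lookup and reintroduce the auto-created empty entry; a one-line comment naming the hasher side effect would prevent that. The guard also protects only the `path` level: `write_prof_data[hat][allow]['path']` is still reached by indexing, so it is worth confirming that `hat`, `allow` and `'path'` always exist at this point. `.get(path)` also treats an existing but empty entry the same as a missing one, which looks intended here but should be stated, and the change comes without a regression test for the profile shape given in the message.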
Regards,
Christian Boltz
--
a car also "works" with square tires; whether I would want to drive such
a thing is another question. [Björn Meier in postfixbuch-users]
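The auto-creation described in the message, reproduced as an added example (not part of the original message and not AppArmor's own code). It assumes `hasher` is a recursive `collections.defaultdict`; `check_unguarded`, `check_guarded` and `mode_minus_user` are hypothetical stand-ins for the pre-patch lookup, the patched lookup and a later consumer that does set arithmetic on the mode.

```python
import collections


def hasher():
    # Assumed shape of the helper: a defaultdict whose missing keys
    # silently become new, empty hashers.
    return collections.defaultdict(hasher)


def check_unguarded(paths, path, tmpmode):
    # Pre-patch shape: indexing [path] creates the entry as a side effect.
    return bool(paths[path].get('mode', set()) & tmpmode)


def check_guarded(paths, path, tmpmode):
    # Patched shape: .get() on the parent does not auto-create the child.
    if not paths.get(path):
        return False
    return bool(paths[path].get('mode', set()) & tmpmode)


def mode_minus_user(paths, path, user):
    # Hypothetical later consumer that expects ['mode'] to be a set.
    return paths[path]['mode'] - user


def demo():
    read = {'r'}  # constructed sample mode
    unguarded, guarded = hasher(), hasher()
    for table in (unguarded, guarded):
        table['/etc/']['mode'] = {'r'}  # constructed sample rule

    results = {
        'unguarded_match': check_unguarded(unguarded, '/usr/', read),
        'guarded_match': check_guarded(guarded, '/usr/', read),
        'unguarded_keys': sorted(unguarded),
        'guarded_keys': sorted(guarded),
    }
    try:
        mode_minus_user(unguarded, '/usr/', read)
        results['error'] = None
    except TypeError as exc:
        results['error'] = str(exc)
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, '=', value)
```

Both checks return the same answer for the missing path; only the unguarded one leaves an empty `/usr/` entry behind, and that entry is what later fails with the `defaultdict` and `set` TypeError.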