[apparmor] [patch] Fix crash in serialize_profile_from_old_profiles()

Christian Boltz apparmor at cboltz.de
Thu Apr 9 11:44:50 UTC 2015


Hello,

Am Mittwoch, 8. April 2015 schrieb Seth Arnold:
> On Thu, Apr 09, 2015 at 12:04:13AM +0200, Christian Boltz wrote:
> > The patch wraps the hasher usage with a check for the parent element
> > to avoid auto-creation of empty children, which then lead to the
> > above crash.
> This also changes the indent level of two of the tests -- is that
> intentional?

Yes, that's intentional - a test like
    if not write_prof_data[hat][allow]['path'][path].get('mode', ...):
means hasher auto-creates an empty
    write_prof_data[hat][allow]['path'][path]
which is the root cause of the crash.

With the changed indent level, the if commands that operate on children of
write_prof_data[hat][allow]['path'][path] are only executed if
write_prof_data[hat][allow]['path'][path] itself is set.

> > BTW: This is another issue uncovered by the LibreOffice profile ;-)
> > 
> > I propose this patch for trunk and 2.9
> > 
> > 
> > [ 36-fix-crash-in-serialize_profile_from_old_profiles.diff ]
> > 
> > === modified file utils/apparmor/aa.py
> > --- utils/apparmor/aa.py        2015-04-08 23:19:51.430530492 +0200
> > +++ utils/apparmor/aa.py        2015-04-08 23:46:19.106608343 +0200
> > @@ -4125,14 +4125,17 @@
> > 
> >                  else:
> >                      tmpmode = str_to_mode(mode)
> > 
> > -                if not
> > write_prof_data[hat][allow]['path'][path].get('mode', set()) &
> > tmpmode:> 
> > +                if not write_prof_data[hat][allow]['path'].get(path):
> >                      correct = False
> > 
> > +                else:
> > +                    if not
> > write_prof_data[hat][allow]['path'][path].get('mode', set()) &
> > tmpmode: +                        correct = False
> > 
> > -                if nt_name and not
> > write_prof_data[hat][allow]['path'][path].get('to', False) ==
> > nt_name: -                    correct = False
> > +                    if nt_name and not
> > write_prof_data[hat][allow]['path'][path].get('to', False) ==
> > nt_name: +                        correct = False
> > 
> > -                if audit and not
> > write_prof_data[hat][allow]['path'][path].get('audit', set()) &
> > tmpmode: -                    correct = False
> > +                    if audit and not
> > write_prof_data[hat][allow]['path'][path].get('audit', set()) &
> > tmpmode: +                        correct = False
> > 
> >                  if correct:
> >                      if not segments['path'] and True in
> >                      segments.values():
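Review bot: the `.get(path)` guard on the added `if not write_prof_data[hat][allow]['path'].get(path):` line only stops auto-creation at the `path` level; the `write_prof_data[hat][allow]['path']` subscripts in front of it still auto-create the `hat`, `allow` and `'path'` levels when they are missing, which is fine only if earlier code in this function already guarantees those exist. Inside the new `else:` branch the same long subscript is repeated three times; a local such as `entry = write_prof_data[hat][allow]['path'].get(path)` followed by `entry.get('mode', set())`, `entry.get('to', False)` and `entry.get('audit', set())` would be easier to read, and `not entry.get('to', False) == nt_name` is clearer as `entry.get('to', False) != nt_name`.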


Regards,

Christian Boltz

PS: feel free to s/patterns and products/hasher/ in the random(!) sig ;-)
-- 
For patterns and products, this is - as we now learned - wrong and
confusing.  (We will probably have more such learning effects in the
future ... ;-})
[Klaus Kaempf in https://bugzilla.novell.com/show_bug.cgi?id=198379]
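The auto-creation side effect discussed in this thread, as an added example that is not code from the AppArmor tree: a minimal `hasher()` modelled on AppArmor's nested defaultdict (its exact shape is assumed here), the unguarded and guarded lookups side by side, and a helper that lists the empty entries a mere membership test leaves behind.

```python
import collections


def hasher():
    """Nested auto-creating dict, modelled on AppArmor's hasher() (assumed shape).

    Subscripting a missing key creates an empty child hasher as a side effect;
    only .get() on the last level avoids that.
    """
    return collections.defaultdict(hasher)


def has_mode_unguarded(prof_data, hat, allow, path, tmpmode):
    """Pre-fix style: [path] is subscripted, so a missing path is auto-created
    as an empty entry even though the test itself just returns False."""
    return bool(prof_data[hat][allow]['path'][path].get('mode', set()) & tmpmode)


def has_mode_guarded(prof_data, hat, allow, path, tmpmode):
    """Post-fix style: .get(path) does not auto-create the [path] level.

    Note that prof_data[hat][allow]['path'] is still subscripted, so those
    parent levels are auto-created if absent; the guard only covers 'path'.
    """
    entry = prof_data[hat][allow]['path'].get(path)
    if not entry:
        return False
    return bool(entry.get('mode', set()) & tmpmode)


def phantom_paths(prof_data, hat, allow):
    """Paths present under the hat with no rule data at all: artefacts of
    auto-creation rather than real rules. Sorted for stable comparison."""
    return sorted(p for p, e in prof_data[hat][allow]['path'].items() if not e)


def demo():
    # Constructed sample profile data: one real path rule under one hat.
    data = hasher()
    data['^hat']['allow']['path']['/etc/foo']['mode'] = {'r'}
    # Asking about a path that has no rule plants an empty child.
    has_mode_unguarded(data, '^hat', 'allow', '/does/not/exist', {'r'})
    leftover = phantom_paths(data, '^hat', 'allow')
    # The guarded form answers the same question without the side effect.
    clean = hasher()
    clean['^hat']['allow']['path']['/etc/foo']['mode'] = {'r'}
    has_mode_guarded(clean, '^hat', 'allow', '/does/not/exist', {'r'})
    return leftover, phantom_paths(clean, '^hat', 'allow')
```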
