[apparmor] [patch] Fix crash in serialize_profile_from_old_profiles()
Christian Boltz
apparmor at cboltz.de
Thu Apr 9 11:44:50 UTC 2015
Hello,
On Wednesday, 8 April 2015, Seth Arnold wrote:
> On Thu, Apr 09, 2015 at 12:04:13AM +0200, Christian Boltz wrote:
> > The patch wraps the hasher usage with a check for the parent element
> > to avoid auto-creation of empty children, which then lead to the
> > above crash.
> This also changes the indent level of two of the tests -- is that
> intentional?
Yes, that's intentional - a test like

    if not write_prof_data[hat][allow]['path'][path].get('mode', ...):

means hasher auto-creates an empty

    write_prof_data[hat][allow]['path'][path]

which is the root cause of the crash.

With the changed indent level, the if commands that operate on children of
write_prof_data[hat][allow]['path'][path] are only executed if
write_prof_data[hat][allow]['path'][path] itself is set.
> > BTW: This is another issue uncovered by the LibreOffice profile ;-)
> >
> > I propose this patch for trunk and 2.9
> >
> >
> > [ 36-fix-crash-in-serialize_profile_from_old_profiles.diff ]
> >
> > === modified file utils/apparmor/aa.py
> > --- utils/apparmor/aa.py 2015-04-08 23:19:51.430530492 +0200
> > +++ utils/apparmor/aa.py 2015-04-08 23:46:19.106608343 +0200
> > @@ -4125,14 +4125,17 @@
> >
> > else:
> > tmpmode = str_to_mode(mode)
> >
> > - if not
> > write_prof_data[hat][allow]['path'][path].get('mode', set()) &
> > tmpmode:>
> > + if not write_prof_data[hat][allow]['path'].get(path):
> > correct = False
> >
> > + else:
> > + if not
> > write_prof_data[hat][allow]['path'][path].get('mode', set()) &
> > tmpmode: + correct = False
> >
> > - if nt_name and not
> > write_prof_data[hat][allow]['path'][path].get('to', False) ==
> > nt_name: - correct = False
> > + if nt_name and not
> > write_prof_data[hat][allow]['path'][path].get('to', False) ==
> > nt_name: + correct = False
> >
> > - if audit and not
> > write_prof_data[hat][allow]['path'][path].get('audit', set()) &
> > tmpmode: - correct = False
> > + if audit and not
> > write_prof_data[hat][allow]['path'][path].get('audit', set()) &
> > tmpmode: + correct = False
> >
> > if correct:
> > if not segments['path'] and True in
> > segments.values():
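Review bot: The guard added at the first + line only protects the last level: write_prof_data[hat][allow]['path'] is still indexed before .get(path) is called, so if hasher also auto-creates at the hat, allow and 'path' levels, an unknown hat or allow key would still leave an empty entry behind. Consider fetching the entry once, e.g. entry = write_prof_data[hat][allow]['path'].get(path), and running the mode, to and audit checks in the else branch on entry.get(...) instead of repeating the full four-level index three times. A short comment above the guard saying that indexing [path] creates an empty child would keep the .get() from being simplified away later, and since the diff as shown changes only utils/apparmor/aa.py, a regression test for the missing-path case would be worth adding.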
Regards,
Christian Boltz
PS: feel free to s/patterns and products/hasher/ in the random(!) sig ;-)
--
For patterns and products, this is - as we now learned - wrong and
confusing. (We will probably have more such learning effects in the
future ... ;-})
[Klaus Kaempf in https://bugzilla.novell.com/show_bug.cgi?id=198379]
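Added example (not part of the original mail and not AppArmor's own code): a minimal reproduction of the auto-creation side effect discussed in this message, next to the .get() guard the patch uses, plus a check that lists the empty entries left behind. hasher is modelled here as a recursive defaultdict, which is an assumption; the function names, profile name and paths are constructed.

```python
from collections import defaultdict


def hasher():
    # Stand-in for AppArmor's hasher (assumption: a dict that creates
    # missing children on index access, as described in the thread).
    return defaultdict(hasher)


def matches_unguarded(data, hat, allow, path, tmpmode):
    # Pre-patch shape: indexing [path] creates an empty child as a side effect.
    return bool(data[hat][allow]['path'][path].get('mode', set()) & tmpmode)


def matches_guarded(data, hat, allow, path, tmpmode):
    # Patched shape: .get() on the parent never triggers auto-creation.
    entry = data[hat][allow]['path'].get(path)
    if not entry:
        return False
    return bool(entry.get('mode', set()) & tmpmode)


def empty_path_entries(data):
    # Report (hat, allow, path) triples whose entry exists but holds nothing.
    return [(hat, allow, path)
            for hat, by_allow in data.items()
            for allow, kinds in by_allow.items()
            for path, entry in kinds.get('path', {}).items()
            if not entry]


def demo():
    # Constructed sample data, not taken from a real profile.
    data = hasher()
    data['prog']['allow']['path']['/etc/passwd']['mode'] = {'r'}
    guarded = matches_guarded(data, 'prog', 'allow', '/tmp/x', {'r'})
    after_guarded = empty_path_entries(data)
    unguarded = matches_unguarded(data, 'prog', 'allow', '/tmp/x', {'r'})
    after_unguarded = empty_path_entries(data)
    return guarded, after_guarded, unguarded, after_unguarded


if __name__ == '__main__':
    print(demo())
```

Both lookups return the same answer for the missing path; only the unguarded one changes the data structure while answering.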