[apparmor] [patch] Make sure aa-cleanprof de-duplicates capability rules
Steve Beattie
steve at nxnw.org
Mon Apr 13 18:44:56 UTC 2015
On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote:
> Hello,
>
> CleanProf.remove_duplicate_rules() didn't call
> $profile['capability'].delete_duplicates()
> because aa-cleanprof sets same_file=True.
>
> Fix this by calling delete_duplicates(None) so that it
> only checks the profile against itsself.
>
> [ 43-cleanprof-do-in-profile-run.diff ]
>
> === modified file 'utils/apparmor/cleanprofile.py'
> --- utils/apparmor/cleanprofile.py 2014-12-16 22:13:25 +0000
> +++ utils/apparmor/cleanprofile.py 2015-04-11 22:35:00 +0000
> @@ -67,6 +67,8 @@
> #Clean the duplicates of caps in other profile
> if not self.same_file:
> deleted += self.other.aa[program][hat]['capability'].delete_duplicates(self.profile.aa[program][hat]['capability'])
> + else:
> + deleted += self.other.aa[program][hat]['capability'].delete_duplicates(None)
>
> #Clean the duplicates of path in other profile
> deleted += delete_path_duplicates(self.profile.aa[program][hat], self.other.aa[program][hat], 'allow', self.same_file)
>
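Review bot: the new else branch relies on `delete_duplicates(None)` meaning "compare the capability ruleset against itself", but nothing in the hunk shows that the method treats `None` that way rather than as "no other ruleset, nothing to do", and the test run further down reports `Deleted 0 rules.` on a profile that contains `capability setuid,` twice; please confirm that code path really removes in-ruleset repeats and add a test profile with a duplicated capability rule so the same_file case is covered. Two smaller points: the comment `#Clean the duplicates of caps in other profile` now sits above both branches and should mention that the same_file branch de-duplicates within the profile; and the path rules on the next line hand `self.same_file` to `delete_path_duplicates` instead of branching, so it would be more consistent to give `delete_duplicates` the same flag rather than special-casing `None` here.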
This patch does not seem to do what you claim it does:
ubuntu at vivid-amd64:~/bzr/apparmor/utils$ cat ~/tmp/aa-test/bin.true
# Last Modified: Mon Apr 13 11:41:53 2015
#include <tunables/global>
/bin/true {
#include <abstractions/base>
capability setuid,
capability setuid,
audit /bin/true ix,
}
ubuntu at vivid-amd64:~/bzr/apparmor/utils$ quilt diff
Index: utils/apparmor/cleanprofile.py
===================================================================
--- utils/apparmor/cleanprofile.py.orig
+++ utils/apparmor/cleanprofile.py
@@ -67,6 +67,8 @@ class CleanProf(object):
#Clean the duplicates of caps in other profile
if not self.same_file:
deleted +=
self.other.aa[program][hat]['capability'].delete_duplicates(self.profile.aa[program][hat]['capability'])
+ else:
+ deleted += self.other.aa[program][hat]['capability'].delete_duplicates(None)
#Clean the duplicates of path in other profile
deleted += delete_path_duplicates(self.profile.aa[program][hat], self.other.aa[program][hat], 'allow', self.same_file)
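Review bot: quilt shows the patch applied cleanly, yet the run that follows reports `Deleted 0 rules.` and the saved profile still carries both `capability setuid,` lines, the only change being the dropped `# Last Modified:` header; so either `self.same_file` is not set on this path or `delete_duplicates(None)` returns without comparing the ruleset with itself. Either way the fix belongs in (or must be verified against) `delete_duplicates`, and the two-line profile used here is a ready-made regression test for it.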
ubuntu at vivid-amd64:~/bzr/apparmor/utils$ PYTHONPATH=$PWD ./aa-cleanprof -d ~/tmp/aa-test/ /bin/true
Deleted 0 rules.
= Changed Local Profiles =
The local profile for /bin/true in file /home/ubuntu/tmp/aa-test/bin.true was changed. Would you like to save it?
(S)ave Changes / [(V)iew Changes] / Abo(r)t
--- /home/ubuntu/tmp/aa-test/bin.true 2015-04-13 11:41:53.738751583 -0700
+++ /tmp/tmpFoJrhN 2015-04-13 11:43:17.098747948 -0700
@@ -1,4 +1,3 @@
-# Last Modified: Mon Apr 13 11:41:53 2015
#include <tunables/global>
/bin/true {
= Changed Local Profiles =
The local profile for /bin/true in file /home/ubuntu/tmp/aa-test/bin.true was changed. Would you like to save it?
(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /bin/true.
ubuntu at vivid-amd64:~/bzr/apparmor/utils$ cat ~/tmp/aa-test/bin.true
# Last Modified: Mon Apr 13 11:43:20 2015
#include <tunables/global>
/bin/true {
#include <abstractions/base>
capability setuid,
capability setuid,
audit /bin/true ix,
}
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
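A small model of the de-duplication step this thread is about, added here as an illustration; it is not code from the AppArmor utils. The class and function names (CapabilityRule, CapabilityRuleset, clean_profile), the rule regex and the sample profile text are assumptions of this example, with the sample constructed to mirror the /bin/true profile in the message above. It shows the two modes the patch distinguishes: checking a profile's capability rules against another profile, and (other=None, the aa-cleanprof same_file case) checking the profile only against itself, which is the case that left both `capability setuid,` lines in place in the run above.

```python
import re

# Constructed sample, modelled on the /bin/true profile in the message above.
SAMPLE_PROFILE = """\
#include <tunables/global>
/bin/true {
  #include <abstractions/base>
  capability setuid,
  capability setuid,
  audit /bin/true ix,
}
"""

# One capability rule line, e.g. "audit deny capability setuid,".
CAP_RE = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<deny>deny\s+)?capability\s+(?P<name>[a-z_]+)\s*,\s*$')


class CapabilityRule:
    """A single 'capability <name>,' rule with its audit/deny qualifiers."""

    def __init__(self, name, audit=False, deny=False):
        self.name, self.audit, self.deny = name, audit, deny

    def key(self):
        # audit/deny change the rule's meaning, so they are part of its identity:
        # 'capability setuid,' and 'audit capability setuid,' are not duplicates.
        return (self.name, self.audit, self.deny)

    def __str__(self):
        return ('audit ' if self.audit else '') + ('deny ' if self.deny else '') \
            + 'capability %s,' % self.name


class CapabilityRuleset:
    """Ordered list of capability rules plus the de-duplication step."""

    def __init__(self):
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)

    def delete_duplicates(self, other):
        """Drop rules already present in `other`. With other=None (the same_file
        case) drop repeats within this ruleset instead. Returns the number deleted."""
        if other is None:
            reference, external = set(), False   # filled in as we walk our own rules
        else:
            reference, external = {r.key() for r in other.rules}, True
        kept, deleted = [], 0
        for rule in self.rules:
            if rule.key() in reference:
                deleted += 1        # covered by the other profile, or a repeat of our own
                continue
            if not external:
                reference.add(rule.key())   # the first occurrence is the one we keep
            kept.append(rule)
        self.rules = kept
        return deleted


def parse_rule(line):
    """Return a CapabilityRule for a capability line, else None."""
    m = CAP_RE.match(line)
    if not m:
        return None
    return CapabilityRule(m.group('name'), audit=bool(m.group('audit')), deny=bool(m.group('deny')))


def clean_profile(text, other_text=None):
    """Return (cleaned_text, deleted_count). With other_text=None the profile is
    checked only against itself, as aa-cleanprof does for a single file."""
    other = None
    if other_text is not None:
        other = CapabilityRuleset()
        for line in other_text.splitlines():
            rule = parse_rule(line)
            if rule:
                other.add(rule)
    lines = text.splitlines()
    ruleset, cap_lines = CapabilityRuleset(), []   # cap_lines: (line index, rule)
    for i, line in enumerate(lines):
        rule = parse_rule(line)
        if rule:
            ruleset.add(rule)
            cap_lines.append((i, rule))
    deleted = ruleset.delete_duplicates(other)
    survivors = {id(r) for r in ruleset.rules}
    drop = {i for i, r in cap_lines if id(r) not in survivors}
    return '\n'.join(l for i, l in enumerate(lines) if i not in drop) + '\n', deleted


if __name__ == '__main__':
    cleaned, n = clean_profile(SAMPLE_PROFILE)
    print('Deleted %d rules.' % n)   # the same_file run should report 1, not 0
    print(cleaned)
```

Running the block prints the cleaned profile with a single `capability setuid,` line; passing a second profile as `other_text` removes every capability rule the other profile already grants, which is the cross-profile mode the `if not self.same_file:` branch handles.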