[apparmor] [patch] Check for duplicate profiles

Kshitij Gupta kgupta8592 at gmail.com
Sun Aug 2 18:36:06 UTC 2015


Hello,

Sorry for the delayed reviews.
On Tue, Jul 21, 2015 at 1:33 AM, Christian Boltz <apparmor at cboltz.de> wrote:

> Hello,
>
> having two profiles for the same binary is "technically allowed", but it
> leads to interesting[tm] behaviour because one of them "wins" depending
> on the load order. To make things even more interesting, the kernel load
> order can be different from the tools load order, leading to even more
> fun.
>
> Short version: you do _not_ want that situation ;-)
>
> This patch adds a duplicate check to attach_profile_data() so that it
> errors out if it finds duplicate profiles or hats, and lists the profile
> files that contain them.
>
>
> This is a nice-to-have for 2.9 too ;-)  - but needs the error handling
> backported because the exception contains \n (which will be displayed
> as literal '\n' in 2.9 as long as it uses the native python exception
> handling)
>
> I can live with a '\n' in the error message for now in 2.9.

>
>
> [ 82-check-for-duplicate-profiles.diff ]
>
> diff -ru '--exclude=.bzr' ../HEAD-patches-applied/utils/apparmor/aa.py
> ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-07-20 21:49:17.017253150 +0200
> +++ ./utils/apparmor/aa.py      2015-07-20 21:49:06.019905353 +0200
> @@ -2517,6 +2517,13 @@
>      # Make deep copy of data to avoid changes to
>      # arising due to mutables
>      for p in profile_data.keys():
> +        if profiles.get(p, False):
> +            for hat in profile_data[p].keys():
> +                if profiles[p].get(hat, False):
> +                    raise AppArmorException(_("Conflicting profiles for
> %s defined in two files:\n- %s\n- %s") %
> +                            # 'filename' is not set for hats, therefore
> print the filename of the main profile
> +                            (combine_name(p, hat),
> profiles[p][p]['filename'], profile_data[p][p]['filename']))
> +
>          profiles[p] = deepcopy(profile_data[p])
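Review bot: the unchanged context line `profiles[p] = deepcopy(profile_data[p])` still replaces the whole entry once the new check passes, so when `profiles[p]` already holds hats loaded from another file and `profile_data[p]` contributes only different hats, the earlier hats are silently dropped rather than merged; either merge per hat (`profiles.setdefault(p, {}).update(deepcopy(profile_data[p]))`) or state in the comment that `profile_data[p]` always contains the key `p` itself, which guarantees the overlap is detected and makes the overwrite harmless. Minor style point: `profiles.get(p, False)` and `profiles[p].get(hat, False)` are membership tests and read more clearly as `if p in profiles` / `if hat in profiles[p]`. Note also that the diff as quoted here has been line-wrapped by the mail client (the `raise` statement and the argument tuple are split across lines), so the attached `82-check-for-duplicate-profiles.diff` is needed to apply it.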
>
>
>

Thanks for the patch.

Acked-by: Kshitij Gupta <kgupta8592 at gmail.com> for both trunk and 2.9.



>
>
> Regards,
>
> Christian Boltz
> --
> Look at that, a poet and a thinker, although he is certainly no longer
> quite all there and does not think very often any more either, otherwise
> he would never have ended up with us ;D    [Alex Klein in suse-linux]
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com



-- 
Regards,

Kshitij Gupta
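As an added illustration (not code from aa.py and not the patch above), the following models the duplicate-profile check on the same profiles[name][hat] layout, with 'filename' recorded only on the main profile entry, and extends it to merge hats from several files instead of overwriting the whole entry. AppArmorException, combine_name, find_conflict and _filename_of are stand-ins written for this example; the sample profile dicts are constructed.

```python
from copy import deepcopy


class AppArmorException(Exception):
    """Stand-in for the utils' exception class (assumption for this example)."""


def combine_name(profile, hat):
    """Render 'profile//hat', or just the profile name for the main profile."""
    return profile if profile == hat else "%s//%s" % (profile, hat)


def _filename_of(entry, p):
    # 'filename' is only set on the main profile entry (key p), never on hats,
    # so report the file that holds the main profile, if that entry is present.
    return entry.get(p, {}).get('filename', '<unknown file>')


def find_conflict(profiles, profile_data):
    """Return (qualified name, file already loaded, file being attached) for the
    first profile or hat that is already present in `profiles`, else None."""
    for p, hats in profile_data.items():
        existing = profiles.get(p)
        if not existing:
            continue
        for hat in hats:                      # includes the main profile key p
            if hat in existing:
                return (combine_name(p, hat),
                        _filename_of(existing, p), _filename_of(hats, p))
    return None


def attach_profile_data(profiles, profile_data):
    """Merge one file's parsed profiles into `profiles`, refusing duplicates."""
    conflict = find_conflict(profiles, profile_data)
    if conflict:
        raise AppArmorException(
            "Conflicting profiles for %s defined in two files:\n- %s\n- %s" % conflict)
    for p, hats in profile_data.items():
        # merge hat by hat (deep copy, as in aa.py) so hats that were loaded
        # from another file survive instead of being overwritten wholesale
        profiles.setdefault(p, {}).update(deepcopy(hats))
    return profiles


if __name__ == "__main__":
    loaded = {}
    # constructed sample: the same binary defined in two profile files
    attach_profile_data(loaded, {'/usr/bin/foo': {
        '/usr/bin/foo': {'filename': '/etc/apparmor.d/usr.bin.foo'}, 'hat1': {}}})
    print(find_conflict(loaded, {'/usr/bin/foo': {
        '/usr/bin/foo': {'filename': '/etc/apparmor.d/local.foo'}}}))
```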