[apparmor] [patch] [2.9] Fix crash in profile_known_network() and profile_known_capability() with #include <directory>
Christian Boltz
apparmor at cboltz.de
Sat Jul 4 18:46:34 UTC 2015
Hello,
preamble: this is the 2.9 version of
61-is_known_rule-check-directory-includes.diff.
Since the patch "only" ignores include directories, the
60-split-off-include_dir_filelist.diff patch is not really needed for
2.9 - but it shouldn't hurt ;-)
$subject ;-)
Ignore include files that were not read before (= don't exist in
include[], which typically happens for #include <directory>) so that
the profile_known_*() functions don't crash.
Note: Since the 2.9 code is too different, this patch only avoids the
crash, but doesn't ensure that the files in the included directory are
honored (which would need a rewrite of the profile_known_*()
functions).
BTW: I tested with a network log entry and hope the best for
profile_known_capability() ;-)
References: https://bugs.launchpad.net/apparmor/+bug/1471425
(includes reproducer)
[ 61-2.9-profile_known_network-and-capability-fix-dir-include-crash.diff ]
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2015-06-19 19:18:53 +0000
+++ utils/apparmor/aa.py 2015-07-04 18:29:56 +0000
@@ -4377,6 +4377,11 @@
return 1
for incname in profile['include'].keys():
+ if not include.get(incname):
+ # incname was not read before, might be a directory.
+ # just avoid a crash (2.10 even checks all files inside the directory).
+ # See https://bugs.launchpad.net/apparmor/+bug/1471425 for details.
+ continue
if include[incname][incname]['deny']['capability'][capname].get('set', False):
return -1
if include[incname][incname]['allow']['capability'][capname].get('set', False):
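Review bot: the new guard skips the include silently, so if a file inside the included directory actually denies or allows `capname`, the loop never reaches the `return -1` / `return 1` for that include and profile_known_capability() continues as if the directory contained no matching rule. The message says that is accepted for 2.9, but the in-code comment should say so explicitly (for example "the rule is then treated as not known") so a later reader does not mistake the skip for a full fix. Also, `not include.get(incname)` treats a present-but-empty entry the same as an absent one; `incname not in include` expresses "was not read before" more precisely, though an empty entry would also fail the `include[incname][incname]` lookup, so either form works.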
@@ -4391,6 +4396,11 @@
return 1
for incname in profile['include'].keys():
+ if not include.get(incname):
+ # incname was not read before, might be a directory.
+ # just avoid a crash (2.10 even checks all files inside the directory).
+ # See https://bugs.launchpad.net/apparmor/+bug/1471425 for details.
+ continue
if netrules_access_check(include[incname][incname]['deny']['netdomain'], family, sock_type):
return -1
if netrules_access_check(include[incname][incname]['allow']['netdomain'], family, sock_type):
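Review bot: this is the same five-line guard as in profile_known_capability(); factoring it into a small helper (a hypothetical `include_was_read(incname)`, say) would keep the two call sites from drifting when 2.9 later gains the per-file directory check the comment mentions, and would give one place to update the bug reference. Minor: the second comment line starts lowercase ("just avoid a crash"); match the sentence case of the comment lines around it.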
Regards,
Christian Boltz
--
> ....Ommmmmm ....Ommmmmm .....Ommmmmm
> Pendel ----Pendel-----Pendel------
Come on, Axel: you usually do that with the crystal ball. Is it in the
dishwasher again? [Axel Lindlau and Volker Kroll on suse-linux]