[apparmor] [patch] Avoid raising an exception for hats in includes in aa-logprof

Steve Beattie steve at nxnw.org
Wed Jul 8 22:35:00 UTC 2015


On Sun, Jun 21, 2015 at 07:30:32PM +0200, Christian Boltz wrote:
> aa-logprof raises an exception if
> - an include file contains a hat
> - that file is included in a profile and
> - aa-logprof hits an audit log entry for this profile
> 
> Reproducer:
> python3 aa-logprof -f <(echo 'Jun 19 11:50:36 piorun kernel: [4474496.458789] audit: type=1400 audit(1434707436.696:153): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=2910 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0') -d ../profiles/apparmor.d/
> 
> This happens because profiles/apparmor.d/apache2.d/phpsysinfo was
> already read when pre-loading the include files.
> 
> This patch changes aa.py parse_profile_data() to only raise the
> exception if it is not handling includes currently.
> 
> I'm able to reproduce this issue with trunk and 2.9 and therefore
> propose this patch for both. (Interestingly, this code has existed since
> r0.1.38, and nobody has noticed it yet...)
> 
> [ 53-fix-logprof-for-hat-in-include.diff ]

Acked-by: Steve Beattie <steve at nxnw.org> for both trunk and 2.9.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/