[apparmor] [patch] Initialize child profile in handle_children()

Christian Boltz apparmor at cboltz.de
Sun Jul 12 16:51:49 UTC 2015


Hello,

*** important patch for 2.10 ***

TL;DR: the answer is "yes" ;-)
(see the patch for the question...)

Long version:
When creating a new child profile with aa-logprof or aa-genprof, the
child profile wasn't properly initialized in handle_children(), which
led to a crash in delete_duplicates() later because capability etc.
was not set to a CapabilityRuleset etc. class and therefore
profile['capability'] didn't have a .delete_duplicates() method.

Funnily there was already a comment "do we need to init the profile here?" 

This patch replaces the question in the comment with the answer.

Also add some TODO notes for cases where rules of an existing child
profile could be overwritten. I didn't test those cases, but the code
looks like it's doing that.




[ 74-handle_children-fix-child-init.diff ]

diff -ru '--exclude=.bzr' ../HEAD-patches-applied/utils/apparmor/aa.py ./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-07-12 17:54:34.369098430 +0200
+++ ./utils/apparmor/aa.py      2015-07-12 18:31:41.372523682 +0200
@@ -1464,7 +1464,8 @@
                                 ynans = aaui.UI_YesNo(_('A profile for %s does not exist.\nDo you want to create one?') % exec_target, 'n')
                             if ynans == 'y':
                                 hat = exec_target
-                                # XXX do we need to init the profile here?
+                                if not aa[profile].get(hat, False):
+                                    aa[profile][hat] = profile_storage()
                                 aa[profile][hat]['profile'] = True
 
                                 if profile != hat:
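
Review bot: The new guard `if not aa[profile].get(hat, False):` only tests truthiness, so a child entry that already exists and is non-empty but was not created through profile_storage() skips initialization and is then written to by `aa[profile][hat]['profile'] = True` as before. If that state is reachable, the crash in delete_duplicates() described in the message can still occur on this path. Consider a short comment replacing the removed XXX line that says why the init is needed, and a regression test that creates a new child profile and runs it through delete_duplicates().
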
@@ -1474,10 +1475,12 @@
 
                                 aa[profile][hat]['flags'] = 'complain'
 
+                                # XXX ... = hasher() probably superfluous, and stub_profile probably overwrites existing child profile
                                 aa[profile][hat]['allow']['path'] = hasher()
                                 if stub_profile[hat][hat]['allow'].get('path', False):
                                     aa[profile][hat]['allow']['path'] = stub_profile[hat][hat]['allow']['path']
 
+                                # XXX ... = hasher() probably superfluous, and stub_profile probably overwrites existing child profile
                                 aa[profile][hat]['include'] = hasher()
                                 if stub_profile[hat][hat].get('include', False):
                                     aa[profile][hat]['include'] = stub_profile[hat][hat]['include']
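
Review bot: The unconditional assignments `aa[profile][hat]['allow']['path'] = hasher()` and `aa[profile][hat]['include'] = hasher()` are now at odds with the guard added in the first hunk: that guard deliberately keeps an existing child, and these lines then discard its path and include rules. The same applies to the unchanged `aa[profile][hat]['flags'] = 'complain'` above them, which would reset the flags of an existing child. The added XXX comments record the doubt but leave the behaviour in place and untested. Suggest either moving these resets under the "child was just created" branch or making the XXX notes concrete TODOs that name the condition to check, so the overwrite does not ship unnoticed.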




Regards,

Christian Boltz
-- 
I tried actively contributing to Wikipedia.
It was awful. Compared to that, the Heise forum is a petting zoo.
[Charly Kuehnast on http://vvv.koehntopp.de/wpkris/?p=739032]



