[apparmor] [patch] Fix name_to_prof_filename() error behaviour
Christian Boltz
apparmor at cboltz.de
Sun Jul 19 18:51:43 UTC 2015
Hello,
in some cases, the return value of name_to_prof_filename() is undefined.
This happens when deleting the to-be-confined binary while running
aa-genprof and leads to a not-too-helpful
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 265, in enforce
prof_filename, name = name_to_prof_filename(path)
TypeError: 'NoneType' object is not iterable
(reported by maslen on IRC)
This patch makes sure name_to_prof_filename() always returns None, None
(instead of undefined aka just None) so that at least the caller can
successfully split it into two None values.
For the exotic aa-genprof use case given above, this at least improves
the error message to
Can't find $binary_name
(raised by enforce() via fatal_error())
The patch also changes fatal_error() to display the traceback first, and
the human-readable message at the end, which makes it more likely that
the user actually notices the human-readable message.
I propose this patch for trunk and 2.9.
[ 80-name_to_prof_filename-better-error-behaviour.diff ]
--- utils/apparmor/aa.py 2015-07-19 13:08:29.274534429 +0200
+++ ./utils/apparmor/aa.py 2015-07-19 20:45:05.298955097 +0200
@@ -150,8 +150,8 @@
# Get the traceback to the message
tb_stack = traceback.format_list(traceback.extract_stack())
tb_stack = ''.join(tb_stack)
- # Append the traceback to message
- message = message + '\n' + tb_stack
+ # Add the traceback to message
+ message = tb_stack + '\n\n' + message
debug_logger.error(message)
caller = inspect.stack()[1][3]
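Review bot: The new comment "Add the traceback to message" no longer says which side the traceback ends up on; something like "Prepend the traceback so the human-readable message comes last" would record the intent of the reordering. Note also that the combined string is what gets passed to debug_logger.error(message), so log entries will now begin with the traceback instead of the message; if that is not wanted, log the original message and the traceback separately before concatenating.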
@@ -257,8 +257,8 @@
prof_filename = get_profile_filename(bin_path)
if os.path.isfile(prof_filename):
return (prof_filename, bin_path)
- else:
- return None, None
+
+ return None, None
def complain(path):
"""Sets the profile to complain mode if it exists"""
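Review bot: The two-tuple return contract that the final "return None, None" establishes is not documented in the visible lines; a docstring line stating that the function always returns (prof_filename, bin_path) or (None, None) would keep later edits from reintroducing a bare None. The unpacking in enforce() quoted in the traceback (prof_filename, name = name_to_prof_filename(path)) depends on this, so a regression test that calls the function with a path to a binary that does not exist and asserts on (None, None) would be worth adding with this change.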
Regards,
Christian Boltz
--
>can someone tell me how to start a new session from a running
>WindowMaker desktop without ending the current desktop?
Ahem, session? Go to the toilet, sit down and ...
Or what do you mean by "session"?
[> Udo Gerhards and David Haller in suse-linux]