[apparmor] [patch] Check for duplicate profiles

Christian Boltz apparmor at cboltz.de
Mon Jul 20 20:03:45 UTC 2015


Hello,

having two profiles for the same binary is "technically allowed", but it
leads to interesting[tm] behaviour because one of them "wins" depending
on the load order. To make things even more interesting, the kernel load
order can be different from the tools load order, leading to even more
fun.

Short version: you do _not_ want that situation ;-)

This patch adds a duplicate check to attach_profile_data() so that it
errors out if it finds duplicate profiles or hats, and lists the profile
files that contain them.


This is a nice-to-have for 2.9 too ;-)  - but needs the error handling 
backported because the exception contains \n (which will be displayed
as literal '\n' in 2.9 as long as it uses the native python exception 
handling)



[ 82-check-for-duplicate-profiles.diff ]

diff -ru '--exclude=.bzr' ../HEAD-patches-applied/utils/apparmor/aa.py ./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-07-20 21:49:17.017253150 +0200
+++ ./utils/apparmor/aa.py      2015-07-20 21:49:06.019905353 +0200
@@ -2517,6 +2517,13 @@
     # Make deep copy of data to avoid changes to
     # arising due to mutables
     for p in profile_data.keys():
+        if profiles.get(p, False):
+            for hat in profile_data[p].keys():
+                if profiles[p].get(hat, False):
+                    raise AppArmorException(_("Conflicting profiles for %s defined in two files:\n- %s\n- %s") %
+                            # 'filename' is not set for hats, therefore print the filename of the main profile
+                            (combine_name(p, hat), profiles[p][p]['filename'], profile_data[p][p]['filename']))
+
         profiles[p] = deepcopy(profile_data[p])
 
 
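Review bot: the check only raises when a hat (or the main profile, which is stored under its own name `p`) already exists, but when the incoming file passes the check because it only adds new hats to a profile loaded earlier, the unchanged `profiles[p] = deepcopy(profile_data[p])` below still replaces the whole entry, so hats loaded from the other file are dropped silently. Either update per hat (`profiles[p][hat] = deepcopy(profile_data[p][hat])` inside the loop) or raise whenever `p` is already present. Minor: `profiles.get(p, False)` and `profiles[p].get(hat, False)` test the truthiness of the stored dicts rather than key presence, so `p in profiles` / `hat in profiles[p]` states the intent more directly and does not skip an empty entry.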



Regards,

Christian Boltz
-- 
Look at that, a poet and thinker, although he is certainly not
quite all there any more and does not think very often either, otherwise
he would not have ended up with us ;D    [Alex Klein in suse-linux]



