[apparmor] [patch] Ignore change hat declarations when parsing a profile

Kshitij Gupta kgupta8592 at gmail.com
Thu Jun 18 15:38:58 UTC 2015


On Thu, Jun 18, 2015 at 9:07 PM, Kshitij Gupta <kgupta8592 at gmail.com> wrote:

> Hello,
>
> On Sun, Jun 7, 2015 at 5:55 PM, Christian Boltz <apparmor at cboltz.de>
> wrote:
>
>> Hello,
>>
>> Hat declarations ("^hat,") were added in 2.3 for declaring external
>> hats, but in the meantime aren't supported by the parser anymore (tested
>> with 2.9.2 parser).
>>
>> Additionally, if a profile contains both a hat declaration and the hat
>> ("^hat { ...}"), the hat declaration can overwrite the content of the
>> hat on a "last one wins" basis.
>>
>> This is caused by setting 'declared' to True, which means write_piece()
>> will only write the "^hat," line, but not the "^hat { ... }" block.
>>
>> Therefore no longer set 'declared' to True, print a warning that hat
>> declarations are no longer supported, and ignore the rule. This also
>> means that running aa-cleanprof can make the profile valid again :-)
>>
>> Also no longer change 'hat' when hitting a profile declaration, which
>> also looks wrong.
>>
>>
>> Note: This change removes the only usage of 'declared'. A follow-up
>> patch (trunk only) will completely remove the 'declared' handling.
>>
>>
>> Reproducer profile (run aa-cleanprof on it):
>> (will crash in remove_duplicate_rules() 80% of the time - if so, try
>> multiple times. One of the next patches will fix that. Or just try 2.9,
>> which doesn't have the crash in remove_duplicate_rules().)
>>
>> /usr/bin/true {
>>
>>   ^FOO {
>>     capability setgid,
>>   }
>>
>>   # deletes the content of ^FOO when saving the profile! (last one wins)
>>   # additionally, the parser says this is invalid syntax
>>   ^FOO,
>>
>> }
>>
>>
>> See also the "Hat declarations" thread on the ML,
>> https://lists.ubuntu.com/archives/apparmor/2015-June/008107.html
>>
>>
>> I propose this patch for trunk and 2.9.
>>
>>
>> [ 46-obsolete-change-hat.diff ]
>>
>> === modified file utils/apparmor/aa.py
>> --- utils/apparmor/aa.py        2015-06-06 14:54:10.584133536 +0200
>> +++ utils/apparmor/aa.py        2015-06-07 13:06:52.764908018 +0200
>> @@ -2992,11 +2992,8 @@
>>              if not profile:
>>                  raise AppArmorException(_('Syntax Error: Unexpected
>> change hat declaration found in file: %(file)s line: %(line)s') % { 'file':
>> file, 'line': lineno + 1 })
>>
>> -            hat = matches[0]
>> -            hat = strip_quotes(hat)
>> -
>> -            if not profile_data[profile][hat].get('declared', False):
>> -                profile_data[profile][hat]['declared'] = True
>> +            aaui.UI_Important(_('Ignoring no longer supported change hat
>> declaration "^%(hat)s," found in file: %(file)s line: %(line)s') % {
>> +                    'hat': matches[0], 'file': file, 'line': lineno + 1
>> })
>>
>>          elif RE_PROFILE_HAT_DEF.search(line):
>>              # An embedded hat syntax definition starts
>>
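Review bot: in the added `aaui.UI_Important(...)` call, `'hat': matches[0]` is interpolated raw, whereas the removed lines first normalized the name with `strip_quotes(hat)`; for a quoted hat name the warning would therefore read `^"name",` with nested quotes. Suggest `'hat': strip_quotes(matches[0])` so the message shows the name in the same form the old code used.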
>> In the long term could we entirely do away with this regex and code block?
>
> Thanks for the patch.
>
> Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.
>
> for both 2.9 and trunk.


>
>
>>
>> Regards,
>>
>> Christian Boltz
>> --
>> > Unfortunately it is the case that when you have taken down one spammer,
>> > three new ones appear.
>> It's like flies. Swat one dead and 40 come to the funeral. ;)   [> Martin Mewes and Michael Raab in suse-linux]
>>
>>
>> --
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/apparmor
>>
>
>
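The "last one wins" behaviour described in Christian's mail, as an added stand-alone illustration that is not code from the AppArmor utils: the regexes, the per-hat dict layout and write_hats() are simplified, hypothetical stand-ins for RE_PROFILE_HAT_DEF / write_piece() in aa.py, and the profile is a constructed copy of the reproducer above.

```python
import re

# Constructed, simplified stand-ins for the hat regexes and the per-hat dict
# layout of utils/apparmor/aa.py (hypothetical, not the project's own code).
RE_HAT_DECL = re.compile(r'^\s*\^(\S+),\s*$')     # "^FOO,"  (declaration)
RE_HAT_DEF = re.compile(r'^\s*\^(\S+)\s*\{\s*$')  # "^FOO {" (embedded hat)
RE_RULE = re.compile(r'^\s*(capability \S+,)\s*$')
# Constructed copy of the reproducer profile from the mail.
REPRODUCER = "/usr/bin/true {\n  ^FOO {\n    capability setgid,\n  }\n  ^FOO,\n}\n"

def parse_hats(text, ignore_declarations=True):
    """Return ({hat: {'declared': bool, 'rules': [...]}}, warnings).
    True mirrors the patch (warn, drop "^hat,"); False the old 'declared' = True."""
    hats, current, warnings = {}, None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RE_HAT_DEF.search(line)
        if m:  # "^FOO {" opens an embedded hat
            current = m.group(1)
            hats.setdefault(current, {'declared': False, 'rules': []})
            continue
        m = RE_HAT_DECL.search(line)
        if m:  # "^FOO," hat declaration
            name = m.group(1)
            if ignore_declarations:
                warnings.append('Ignoring no longer supported change hat '
                                'declaration "^%s," line: %d' % (name, lineno))
            else:
                hats.setdefault(name, {'declared': False, 'rules': []})
                hats[name]['declared'] = True
            continue
        m = RE_RULE.search(line)
        if m and current:
            hats[current]['rules'].append(m.group(1))
        elif line.strip() == '}':
            current = None  # closes the hat (or, at the end, the profile)
    return hats, warnings

def write_hats(hats):
    """Mimic write_piece(): a hat flagged 'declared' is written as "^name," only,
    so the rules of its "^name { ... }" block are silently lost (last one wins)."""
    out = []
    for name, data in hats.items():
        if data['declared']:
            out.append('^%s,' % name)
        else:
            out.append('^%s {' % name)
            out.extend('  ' + rule for rule in data['rules'])
            out.append('}')
    return out
```

With the old handling the round trip writes only `^FOO,` and the `capability setgid,` rule is gone; with the patched handling the block survives and a warning is emitted instead.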