[apparmor] [PATCH] utils: Don't use access() to determine readability of profiles file

Steve Beattie steve at nxnw.org
Fri Jun 19 23:00:19 UTC 2015


On Fri, Jun 19, 2015 at 11:05:16AM -0500, Tyler Hicks wrote:
> LSMs, such as AppArmor, aren't consulted when a program calls access(2).
> This can result in access(2) returning 0 but a subsequent open(2)
> failing.
> 
> The aa-status utility was doing the access() -> open() sequence and we
> became aware of a large number of tracebacks due to open() failing for
> lack of permissions. This patch catches any IOError exceptions thrown by
> open(). It continues to print the same error message as before when
> access() failed but also prints that error message when AppArmor blocks
> the open of the apparmorfs profiles file.
> 
> https://launchpad.net/bugs/1466768
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Something goes horribly wrong with your patch applied, and I'm not sure
why:

$ sudo ./aa-status --profiled
96
$ sudo python3  ./aa-status --profiled
96
$ quilt push
Applying patch ../patches/aa-status-crash.patch
patching file utils/aa-status

Now at patch ../patches/aa-status-crash.patch
$ sudo ./aa-status --profiled
Traceback (most recent call last):
  File "./aa-status", line 201, in <module>
    commands[cmd]()
  File "./aa-status", line 22, in cmd_profiled
    profiles = get_profiles()
  File "./aa-status", line 99, in get_profiles
    profiles[match.group(1)] = match.group(2)
TypeError: 'unicode' object does not support item assignment
$ sudo python3  ./aa-status --profiled
Traceback (most recent call last):
  File "./aa-status", line 201, in <module>
    commands[cmd]()
  File "./aa-status", line 22, in cmd_profiled
    profiles = get_profiles()
  File "./aa-status", line 99, in get_profiles
    profiles[match.group(1)] = match.group(2)
TypeError: 'str' object does not support item assignment

I'm trying to dig into it.
-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
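
The access() -> open() gap described in the quoted commit message, as an added example that is not part of this message or of the aa-status patch. All function names are hypothetical, the profiles line format is an assumption, and the LSM denial is simulated with a constructed opener because a real one needs a confining policy.

```python
import errno
import os
import re
import tempfile

# Assumed line format of the apparmorfs profiles file: "<profile name> (<mode>)".
PROFILE_LINE = re.compile(r"^(.+) \((\w+)\)$")


def lsm_denied_open(path, *args, **kwargs):
    """Constructed stand-in for open(2) being refused by an LSM policy."""
    raise PermissionError(errno.EACCES, "Permission denied", path)


def read_profiles_checked(path, opener=open):
    """Before: access() then open(). access() does not consult the LSM, so
    the open can still fail and the exception escapes as a traceback."""
    if not os.access(path, os.R_OK):
        return None
    with opener(path) as fh:
        return parse_profiles(fh)


def read_profiles_guarded(path, opener=open):
    """After: attempt the open; a permission failure means 'unreadable'."""
    try:
        fh = opener(path)
    except OSError as e:  # IOError is an alias of OSError on Python 3
        if e.errno in (errno.EACCES, errno.EPERM):
            return None
        raise  # anything else is unexpected and should stay visible
    with fh:
        return parse_profiles(fh)


def parse_profiles(lines):
    """Build a {profile name: mode} dict from the lines of the file."""
    loaded = {}
    for line in lines:
        m = PROFILE_LINE.match(line.rstrip("\n"))
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded


def make_sample():
    """Write constructed sample data to a temp file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write("/usr/sbin/ntpd (enforce)\n/usr/bin/example (complain)\n")
    return path
```

Passing `opener=lsm_denied_open` to both readers shows the difference: the guarded reader returns `None`, while the checked reader passes its access() test and then raises.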