[apparmor] [patch] Avoid raising an exception for hats in includes in aa-logprof

Christian Boltz apparmor at cboltz.de
Sun Jun 21 17:30:32 UTC 2015


aa-logprof raises an exception if
- an include file contains a hat
- that file is included in a profile and
- aa-logprof hits an audit log entry for this profile

python3 aa-logprof -f <(echo 'Jun 19 11:50:36 piorun kernel: [4474496.458789] audit: type=1400 audit(1434707436.696:153): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=2910 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0') -d ../profiles/apparmor.d/

This happens because profiles/apparmor.d/apache2.d/phpsysinfo was
already read when pre-loading the include files.

This patch changes aa.py parse_profile_data() to only raise the
exception if it is not handling includes currently.

I'm able to reproduce this issue with trunk and 2.9 and therefore
propose this patch for both. (Interestingly, this code exists since
r0.1.38, and nobody noticed it yet...)

[ 53-fix-logprof-for-hat-in-include.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-06-19 21:44:46.134232664 +0200
+++ utils/apparmor/aa.py        2015-06-21 18:57:50.915891775 +0200
@@ -3008,7 +3008,7 @@
             if initial_comment:
                 profile_data[profile][hat]['initial_comment'] = initial_comment
             initial_comment = ''
-            if filelist[file]['profiles'][profile].get(hat, False):
+            if filelist[file]['profiles'][profile].get(hat, False) and not do_include:
                 raise AppArmorException(_('Error: Multiple definitions for hat %(hat)s in profile %(profile)s.') % { 'hat': hat, 'profile': profile })
             filelist[file]['profiles'][profile][hat] = True
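Review bot: the added `and not do_include` on the changed line disables the duplicate-hat check for every include read, so a hat that really is defined twice inside an include file now passes silently and the following `filelist[file]['profiles'][profile][hat] = True` simply overwrites the earlier entry. The message attributes the false positive to the include file being parsed twice (once during pre-loading, again via the profile's #include); a narrower fix would skip re-parsing a file that was already loaded, or record which pass set the flag, so the exception still fires for a genuine duplicate. A regression test built from the reproducer command in the message would also be worth adding, given that this path has been wrong since r0.1.38 without anyone noticing.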


Christian Boltz
> Incidentally, the test bug (#48) is a duplicate of bug #29 ;-)
Damn. Will you file a bug report? :-)
[> Christian Boltz and Ratti in fontlinge-devel]
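The following is an added model of the duplicate-hat bookkeeping that the message and patch describe; it is not AppArmor's aa.py code. The class and function names (`HatRegistry`, `register`, `run_scenario`), the hat name `phpsysinfo` and the top-level profile file name are assumptions for illustration. It replays the reported sequence (the include file read once during pre-loading and once again via #include) both without and with the patch's `and not do_include` condition, and also replays a real duplicate in a top-level profile file to show that case is still caught.

```python
# Constructed model of the duplicate-hat check in aa.py's parse_profile_data();
# not AppArmor's own code. HatRegistry / register / run_scenario are assumed names.


class AppArmorException(Exception):
    """Stand-in for apparmor.common.AppArmorException."""


class HatRegistry:
    """Tracks which (file, profile, hat) triples have been parsed, mirroring
    aa.py's filelist[file]['profiles'][profile][hat] = True bookkeeping."""

    def __init__(self, patched):
        self.patched = patched  # True: apply the patch's 'and not do_include'
        self.filelist = {}

    def register(self, file, profile, hat, do_include):
        profiles = self.filelist.setdefault(file, {}).setdefault('profiles', {})
        hats = profiles.setdefault(profile, {})
        seen = hats.get(hat, False)
        # Pre-patch: any second sighting of the hat raises.
        # Post-patch: raise only when the file is parsed as a top-level profile.
        if seen and (not self.patched or not do_include):
            raise AppArmorException(
                'Error: Multiple definitions for hat %(hat)s in profile %(profile)s.'
                % {'hat': hat, 'profile': profile})
        hats[hat] = True


def run_scenario(patched, events):
    """Replay (file, profile, hat, do_include) events in order; return the text
    of the first AppArmorException, or None if every event was accepted."""
    reg = HatRegistry(patched)
    for file, profile, hat, do_include in events:
        try:
            reg.register(file, profile, hat, do_include)
        except AppArmorException as e:
            return str(e)
    return None


# Constructed replay of the reported failure: the include file holding the hat
# is read while pre-loading includes, then read again when the profile that
# #includes it is loaded. Both reads arrive with do_include=True.
INCLUDE_FILE = 'apache2.d/phpsysinfo'  # path taken from the report, used as a label
PROFILE = '/usr/sbin/apache2'
HAT = 'phpsysinfo'  # assumed hat name; the report does not state it

REPORTED_BUG = [
    (INCLUDE_FILE, PROFILE, HAT, True),  # pre-load pass over include files
    (INCLUDE_FILE, PROFILE, HAT, True),  # re-read via #include from the profile
]

# A genuine duplicate: the same hat declared twice in a top-level profile file
# (file name assumed). This must keep raising after the patch.
REAL_DUPLICATE = [
    ('usr.sbin.apache2', PROFILE, HAT, False),
    ('usr.sbin.apache2', PROFILE, HAT, False),
]


if __name__ == '__main__':
    for label, patched in (('before patch', False), ('after patch', True)):
        print(label, '| reported sequence:', run_scenario(patched, REPORTED_BUG))
        print(label, '| real duplicate:   ', run_scenario(patched, REAL_DUPLICATE))
```

Note what the model cannot do: a hat defined twice inside the same include file produces exactly the same event sequence as the re-read in `REPORTED_BUG`, so with the patch applied that real duplicate is accepted too. Distinguishing the two would require the parser to remember that the include file has already been fully parsed and skip the second read, rather than relaxing the check.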
