[apparmor] [patch] let parse_profile_data() check for in-file duplicate profiles
Christian Boltz
apparmor at cboltz.de
Sun May 17 21:28:52 UTC 2015
Hello,
this patch adds a check to parse_profile_data() to detect if a file
contains two profiles with the same name.
Note: Two profiles with the same name, but in different files, won't be
detected by this check.
Also add basic tests to ensure that a valid profile gets parsed, and two
profiles with the same name inside the same file raise an exception.
(Sidenote: these simple tests improve aa.py coverage from 9% to 12%,
which also confirms the function is too long ;-)
[ 11-parse_profile_data-check-in-file-duplicates.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-05-17 21:01:43.242707282 +0200
+++ utils/apparmor/aa.py 2015-05-17 22:52:42.724981850 +0200
@@ -2638,6 +2647,11 @@
# Starting line of a profile
if RE_PROFILE_START.search(line):
(profile, hat, attachment, flags, in_contained_hat, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)
+
+ if profile_data[profile].get(hat, False):
+ raise AppArmorException('Profile %(profile)s defined twice in %(file)s, last found in line %(line)s' %
+ { 'file': file, 'line': lineno + 1, 'profile': combine_name(profile, hat) })
+
if attachment:
profile_data[profile][hat]['attachment'] = attachment
if pps_set_profile:
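Review bot: The new guard `if profile_data[profile].get(hat, False):` tests truthiness rather than presence, so it detects a duplicate only if the first definition has already stored at least one key under `profile_data[profile][hat]` by the time the second header is parsed. The tests added in this patch show `name` and `filename` being set even for an empty profile, so this presumably holds today, but the code that sets them is outside the hunk and the dependency is implicit. A one-line comment above the check would make it explicit, for example `# non-empty entry => this profile/hat was already started earlier in this file`. The enclosing loop of parse_profile_data() starts and ends outside this hunk, so where `lineno` begins counting (and hence the `lineno + 1` in the message) cannot be confirmed from here.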
=== modified file utils/test/test-aa.py
--- utils/test/test-aa.py 2015-05-17 22:58:08.045895428 +0200
+++ utils/test/test-aa.py 2015-05-17 23:17:34.462485547 +0200
@@ -13,7 +13,8 @@
from common_test import AATest, setup_all_loops
from common_test import read_file, write_file
-from apparmor.aa import check_for_apparmor, get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir, parse_profile_start, separate_vars, store_list_var, write_header, serialize_parse_profile_start
+from apparmor.aa import (check_for_apparmor, get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir,
+ parse_profile_start, parse_profile_data, separate_vars, store_list_var, write_header, serialize_parse_profile_start)
from apparmor.common import AppArmorException, AppArmorBug
class AaTestWithTempdir(AATest):
@@ -381,6 +382,21 @@
with self.assertRaises(AppArmorBug):
self._parse('xy', '/bar', '/bar') # not a profile start
+class AaTest_parse_profile_data(AATest):
+ def test_parse_empty_profile_01(self):
+ prof = parse_profile_data('/foo {\n}\n'.split(), 'somefile', False)
+
+ self.assertEqual(list(prof.keys()), ['/foo'])
+ self.assertEqual(list(prof['/foo'].keys()), ['/foo'])
+ self.assertEqual(prof['/foo']['/foo']['name'], '/foo')
+ self.assertEqual(prof['/foo']['/foo']['filename'], 'somefile')
+ self.assertEqual(prof['/foo']['/foo']['flags'], None)
+
+ def test_parse_empty_profile_02(self):
+ with self.assertRaises(AppArmorException):
+ # file contains two profiles with the same name
+ parse_profile_data('profile /foo {\n}\nprofile /foo {\n}\n'.split(), 'somefile', False)
+
class AaTest_separate_vars(AATest):
tests = [
('' , set() ),
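Review bot: `test_parse_empty_profile_02` asserts only the exception type, so it would also pass if `parse_profile_data()` raised `AppArmorException` for an unrelated reason such as a syntax error. Also checking that the message contains `defined twice` would tie the test to the new duplicate check. Both tests build their input with `.split()`, which splits on every run of whitespace and hands the parser `'profile'`, `'/foo'`, `'{'`, `'}'` as separate "lines" rather than the two-line profile the literal suggests. Using `.split('\n')` would feed real lines and make the line number in the error meaningful. Only the `profile /foo` form is exercised; a duplicate written as a bare `/foo {` header, or a repeated child profile or hat, is not covered.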
Regards,
Christian Boltz
--
> You cannot mix selections and patterns in a product - and we
> will remove all selection support now.
AAARRRRRRGGGGGG. Needing to re-write makeSUSEdvd again. ;-)
It looks like you do all this on purpose, just to anoy me. :-D
[> Andreas Jaeger and houghi in opensuse]