[apparmor] [patch] [39/38] Ignore exec events for non-existing profiles
Christian Boltz
apparmor at cboltz.de
Sun Aug 14 19:28:18 UTC 2016
Hello,
the switch to FileRule made some bugs visible that survived unnoticed
with hasher for years.
If aa-logprof sees an exec event for a non-existing profile _and_ a
profile file matching the expected profile filename exists in
/etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
being silent). In the old code, this created a superfluous entry
somewhere in the aa hasher, and caused the existing profile to be
rewritten (without changes).
However, with FileRule it causes a crash saying
File ".../utils/apparmor/aa.py", line 1335, in handle_children
aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
AttributeError: 'collections.defaultdict' object has no attribute 'add'
This patch makes sure exec events for unknown profiles get ignored.
Reproducer:
python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
This causes a crash without this patch because
/etc/apparmor.d/sbin.klogd exists, but has
profile klogd /{usr/,}sbin/klogd {
Even if it's unlikely that users hit this bug in the wild, I also
propose this patch for 2.10 and 2.9.
[ 39-ignore-exec-for-non-existing-profile.diff ]
=== modified file ./utils/apparmor/aa.py
--- utils/apparmor/aa.py 2016-08-14 16:45:21.212906085 +0200
+++ utils/apparmor/aa.py 2016-08-14 21:00:26.784044693 +0200
@@ -1184,6 +1185,9 @@
prelog[aamode][profile][hat]['path'][path] = mode
if do_execute:
+ if not aa[profile][hat]:
+ continue # ignore log entries for non-existing profiles
+
exec_event = FileRule(exec_target, None, FileRule.ANY_EXEC, FileRule.ALL, owner=False, log_event=True)
if is_known_rule(aa[profile][hat], 'file', exec_event):
continue
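Review bot: the new `if not aa[profile][hat]:` check relies on an empty hasher being falsy, but indexing `aa[profile][hat]` on the hasher auto-creates that nested entry as a side effect, so the lookup that decides the profile is unknown leaves an empty `aa[profile][hat]` behind (the same kind of superfluous entry the mail describes for the old code). A membership test avoids the side effect: `if profile not in aa or hat not in aa[profile]:` followed by the same `continue`. It is also worth spelling out in the comment that the skip only covers the do_execute branch: the preceding `prelog[aamode][profile][hat]['path'][path] = mode` line still records a path entry for the unknown profile.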
Regards,
Christian Boltz
--
Yes, we all write crappy software and have no idea what we are doing and
should listen to everyone who tells us to stop because they are the ones
who know best. [Greg KH in opensuse-factory]
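The failure mode described in the mail (an autovivifying hasher silently creating an entry for a profile that does not exist, which is then falsy rather than a missing key) is easy to reproduce with a small model. The example below is added here and is not the AppArmor utils' own code: `hasher()` is a simplified stand-in for the project's hasher, `profile_exists()` is a hypothetical side-effect-free replacement for the patch's `if not aa[profile][hat]` check, and the log events are constructed from the reproducer line in the mail.

```python
from collections import defaultdict


def hasher():
    """Autovivifying nested dict, modelled on AppArmor's hasher.
    Constructed here as a stand-in; not the project's own implementation."""
    return defaultdict(hasher)


def lookup_creates_entry(aa, profile, hat):
    """Mimics the patch's `if not aa[profile][hat]` test.

    Returns (missing, present_afterwards). `missing` is True for an unknown
    profile because an empty hasher is falsy, but the index expression has
    already created aa[profile][hat] as a side effect, so `present_afterwards`
    is True as well.
    """
    missing = not aa[profile][hat]
    return missing, (profile in aa and hat in aa[profile])


def profile_exists(aa, profile, hat):
    """Hypothetical side-effect-free membership test (assumption, not the
    project's API): no entry is created while asking the question."""
    return profile in aa and hat in aa[profile]


def build_sample_state():
    """Constructed state with one known profile 'klogd' (hat 'klogd'),
    mirroring the mail's note that /etc/apparmor.d/sbin.klogd declares
    `profile klogd ...` rather than a profile named /sbin/klogd."""
    aa = hasher()
    aa['klogd']['klogd']['file'] = set()
    return aa


def handle_exec_events(aa, events):
    """Process exec log events, skipping unknown profiles without creating
    entries for them.  Returns the list of (profile, hat, name) recorded.
    A set stands in for the FileRuleset the real code keeps under 'file'."""
    recorded = []
    for ev in events:
        profile, hat, name = ev['profile'], ev['hat'], ev['name']
        if not profile_exists(aa, profile, hat):
            continue  # unknown profile: ignore the event, leave aa untouched
        aa[profile][hat]['file'].add(name)
        recorded.append((profile, hat, name))
    return recorded


# Constructed events: the first is built from the reproducer line in the mail
# (profile="/sbin/klogd", name="/does/not/exist"); the second targets the
# profile that actually exists in the sample state.
SAMPLE_EVENTS = [
    {'profile': '/sbin/klogd', 'hat': '/sbin/klogd', 'name': '/does/not/exist'},
    {'profile': 'klogd', 'hat': 'klogd', 'name': '/usr/bin/logger'},
]


if __name__ == '__main__':
    aa = hasher()
    print('truthiness check on empty hasher:', lookup_creates_entry(aa, 'p', 'h'))
    print('keys created by the lookup:', dict(aa))
    state = build_sample_state()
    print('recorded:', handle_exec_events(state, SAMPLE_EVENTS))
    print('unknown profile created?', '/sbin/klogd' in state)
```

Running the script shows the two behaviours side by side: the truthiness test reports the profile as missing yet leaves `aa['p']['h']` behind, while `handle_exec_events` records only the event for the known profile and never creates an entry for `/sbin/klogd`.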