[apparmor] [patch] Fix wrong usage of write_prof_data in serialize_profile_from_old_profile()
kgupta8592 at gmail.com
Sun Feb 21 20:46:28 UTC 2016
On Sat, Dec 26, 2015 at 9:07 PM, Christian Boltz <apparmor at cboltz.de> wrote:
> write_prof_data[hat] is correct (it only contains one profile, see also
> bug 1528139), write_prof_data[profile][hat] is not and returns an empty
Reading the comments near the initialisation of write_prof_data:
# XXX this will explode if a file contains multiple profiles, see
# XXX fixing this needs lots of write_prof_data[hat] ->
write_prof_data[profile][hat] changes (and of course also a change in the
So, basically a part of the logic below is correct in that it accessed the
hat from the profile, which will again need to be added once
write_prof_data supports multiple profiles I'm guessing?
Why not copy write_prof_data[hat] to write_prof_data[profile][hat] for the
That might seem hack-ish though.
This affects RE_PROFILE_START and RE_PROFILE_BARE_FILE_ENTRY.
> I propose this patch for trunk, 2.10 and 2.9.
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py 2015-12-06 19:36:00.818745321 +0100
> +++ utils/apparmor/aa.py 2015-12-08 18:59:09.625261162 +0100
> @@ -3718,7 +3718,7 @@
> if RE_PROFILE_START.search(line):
> (profile, hat, attachment, flags, in_contained_hat,
> correct) = serialize_parse_profile_start(
> - line, prof_filename, None, profile, hat,
> write_prof_data[profile][hat]['external'], correct)
> + line, prof_filename, None, profile, hat,
> write_prof_data[hat]['profile'], write_prof_data[hat]['external'], correct)
> if not write_prof_data[hat]['name'] == profile:
> correct = False
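Review bot: the added call in the RE_PROFILE_START branch indexes write_prof_data[hat]['profile'] and write_prof_data[hat]['external'] with nothing in the code tying it to the single-profile assumption discussed in this thread. A one-line comment there pointing at the XXX note near the write_prof_data initialisation would mark this spot for conversion once a file can hold multiple profiles. The unchanged context line `if not write_prof_data[hat]['name'] == profile:` would read more directly as a `!=` comparison. A regression test that serialises a profile containing a hat and checks the values passed here would keep the [profile][hat] form from returning unnoticed.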
> @@ -3954,7 +3954,7 @@
> if matches:
> audit = mode
> - path_rule =
> + path_rule = write_prof_data[hat][allow]['path'][ALL]
> if path_rule.get('mode', set()) & mode and \
> (not audit or path_rule.get('audit', set()) & audit)
> and \
> path_rule.get('file_prefix', set()):
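Review bot: the added path_rule assignment chains four plain subscripts, `write_prof_data[hat][allow]['path'][ALL]`, while the condition right after it reads every field defensively through path_rule.get(..., set()). If any of those keys can be absent for a given hat, this line either raises KeyError or, with an auto-creating container, silently inserts an empty entry into the data that is about to be written. It is worth confirming which case applies and, if a missing entry is possible, doing the lookup with .get() and skipping the mode/audit check when nothing is found.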
> Christian Boltz
> programmers' biggest strength is that they're lazy bastards.
lol I should frame it and put a sign that says: "Please read it before
talking to me", but then "too lazy to do that"
> [Claudio Freire in opensuse-factory]