[apparmor] [patch] Fix wrong usage of write_prof_data in serialize_profile_from_old_profile()

Kshitij Gupta kgupta8592 at gmail.com
Sun Feb 21 20:46:28 UTC 2016


On Sat, Dec 26, 2015 at 9:07 PM, Christian Boltz <apparmor at cboltz.de> wrote:

> Hello,
>
> write_prof_data[hat] is correct (it only contains one profile, see also
> bug 1528139), write_prof_data[profile][hat] is not and returns an empty
> (sub)hasher.
>
> Hmm...

Reading the comments near the initialisation of write_prof_data:
# XXX this will explode if a file contains multiple profiles, see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139
# XXX fixing this needs lots of write_prof_data[hat] -> write_prof_data[profile][hat] changes (and of course also a change in the calling code)

So, basically a part of the logic below is correct in that it accessed the
hat from the profile, which will again need to be added once
write_prof_data supports multiple profiles I'm guessing?

Why not copy write_prof_data[hat] to write_prof_data[profile][hat] for the
time being?
That might seem hack-ish though.

This affects RE_PROFILE_START and RE_PROFILE_BARE_FILE_ENTRY.
>
>
> I propose this patch for trunk, 2.10 and 2.9.
>
>
> [
> 46-serialize_profile_from_old_profile-fix-wrong-access-to-write_prof_data.diff
> ]
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py        2015-12-06 19:36:00.818745321 +0100
> +++ utils/apparmor/aa.py        2015-12-08 18:59:09.625261162 +0100
> @@ -3718,7 +3718,7 @@
>              if RE_PROFILE_START.search(line):
>
>                  (profile, hat, attachment, flags, in_contained_hat,
> correct) = serialize_parse_profile_start(
> -                        line, prof_filename, None, profile, hat,
> write_prof_data[profile][hat]['profile'],
> write_prof_data[profile][hat]['external'], correct)
> +                        line, prof_filename, None, profile, hat,
> write_prof_data[hat]['profile'], write_prof_data[hat]['external'], correct)
>
>                  if not write_prof_data[hat]['name'] == profile:
>                      correct = False
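Review bot: The changed call to serialize_parse_profile_start() now depends on write_prof_data being keyed by hat only, but nothing at this site says so. The message states that the wrong key path returns an empty (sub)hasher instead of failing, so a future switch back to write_prof_data[profile][hat] (once multiple profiles per file are supported, bug 1528139) could reintroduce the same silent mismatch. A short comment above the call pointing at bug 1528139, and an explicit check that hat is already a key of write_prof_data before it is indexed, would make a wrong lookup visible. The context line "if not write_prof_data[hat]['name'] == profile:" would also read more clearly with !=.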
> @@ -3954,7 +3954,7 @@
>                  if matches[0]:
>                      audit = mode
>
> -                path_rule =
> write_prof_data[profile][hat][allow]['path'][ALL]
> +                path_rule = write_prof_data[hat][allow]['path'][ALL]
>                  if path_rule.get('mode', set()) & mode and \
>                     (not audit or path_rule.get('audit', set()) & audit)
> and \
>                     path_rule.get('file_prefix', set()):
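Review bot: In the new line "path_rule = write_prof_data[hat][allow]['path'][ALL]" every level is still an unchecked lookup, and the condition that follows uses path_rule.get('mode', set()) and path_rule.get('file_prefix', set()), so an empty path_rule just makes the condition false without any error. That is the same failure mode the old [profile][hat] access had. Consider testing that hat and allow exist before indexing, or fetching the rule with .get() and handling the missing case explicitly, and adding a regression test that drives this RE_PROFILE_BARE_FILE_ENTRY branch with a profile that has a bare file rule so a wrong key path shows up as a test failure.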
>
>
> Regards,
>
> Christian Boltz
> --
> programmers' biggest strength is that they're lazy bastards.
>
lol I should frame it and put a sign that says: "Please read it before
talking to me", but then "too lazy to do that"


> [Claudio Freire in opensuse-factory]
>


-- 
Regards,

Kshitij Gupta
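
An added illustration (not code from the patch or from AppArmor) of why the old write_prof_data[profile][hat] lookups failed silently, assuming the hasher is a dict that creates empty nested entries on a missing key. Hasher, strict_get, the ALL value and the sample profile and hat names are constructed for this example.

```python
# Added illustration; Hasher is a stand-in, not AppArmor's own class.
class Hasher(dict):
    """Dict that creates an empty nested Hasher on any missing key."""
    def __missing__(self, key):
        value = self[key] = type(self)()
        return value

ALL = "\0ALL"  # constructed sentinel key for "all paths"

def build_write_prof_data():
    """Constructed sample: a single profile, keyed by hat only."""
    data = Hasher()
    rule = data["^hat"]["allow"]["path"][ALL]
    rule["mode"] = {"r", "w"}
    rule["file_prefix"] = {"owner"}
    return data

def rule_matches(path_rule, mode):
    """Same shape as the condition in the second hunk (audit part omitted)."""
    return bool(path_rule.get("mode", set()) & mode
                and path_rule.get("file_prefix", set()))

def strict_get(data, *keys):
    """Walk keys without creating entries; raise KeyError on a wrong path."""
    node = data
    for key in keys:
        if key not in node:
            raise KeyError(keys)
        node = node[key]
    return node

def demo():
    data = build_write_prof_data()
    # Correct key path: the stored rule is found and matches.
    right = rule_matches(data["^hat"]["allow"]["path"][ALL], {"r"})
    # Wrong key path: an empty sub-hasher comes back, so nothing matches.
    wrong = rule_matches(data["/usr/bin/foo"]["^hat"]["allow"]["path"][ALL], {"r"})
    # Side effect: the wrong lookup inserted a new top-level key.
    polluted = "/usr/bin/foo" in data
    try:
        strict_get(build_write_prof_data(), "/usr/bin/foo", "^hat")
        strict_raises = False
    except KeyError:
        strict_raises = True
    return right, wrong, polluted, strict_raises

if __name__ == "__main__":
    print(demo())
```
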