[apparmor] [patch] Don't store exec modes in transtions[]

Christian Boltz apparmor at cboltz.de
Sun Mar 20 13:58:45 UTC 2016


Hello,

Am Samstag, 19. März 2016, 11:55:09 CET schrieb Steve Beattie:
> On Sun, Feb 21, 2016 at 03:00:06PM +0100, Christian Boltz wrote:
> > exec choices are stored in transitions[], but that's never used
> > (and I don't see a need for it), therefore stop storing it.
> > 
> > 
> > [ 73-exec-transitions.diff ]
> > 
> > === modified file 'utils/apparmor/aa.py'
> > --- utils/apparmor/aa.py        2016-02-20 12:32:36 +0000
> > +++ utils/apparmor/aa.py        2016-02-21 13:50:24 +0000
> > @@ -1205,7 +1205,6 @@
> > 
> >                          context_new = context_new + '^%s' % hat
> >                      
> >                      context_new = context_new + ' -> %s' %
> >                      exec_target
> > 
> > -                    # ans_new = transitions.get(context_new, '')  #
> > XXX ans meant here?> 
> >                      combinedmode = set()
> >                      combinedaudit = set()
> >                      ## Check return Value Consistency
> > 
> > @@ -1415,7 +1414,6 @@
> > 
> >                                          exec_mode = exec_mode -
> >                                          (apparmor.aamode.AA_EXEC_U
> >                                          NSAFE |
> >                                          AA_OTHER(apparmor.aamode.A
> >                                          A_EXEC_UNSAFE))>                                  
> >                                  else:
> >                                      ans = 'INVALID'
> > 
> > -                        transitions[context_new] = ans
> > 
> >                          regex_options =
> >                          re.compile('CMD_(ix|px|cx|nx|pix|cix|nix)'
> >                          )
> 
> >                          if regex_options.search(ans):
> Are you sure about that? I see in handle_children():
> 
>  
> http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/
> utils/apparmor/aa.py#L1075
> 
>   1075                ans = transitions.get(context, 'XXXINVALIDXXX')
>   1076
>   1077		      while ans not in ['CMD_ADDHAT', 'CMD_USEDEFAULT',
> 'CMD_DENY']:
> 
> and transitions is a global hasher() object.
> 
> But I've only looked at this cursorily, so don't claim any real
> understanding of what's going on (or not going on) here.

'transitions' is currently used for storing two not-too-related things:

The code you quoted is about hats, and it's looking for 'CMD_ADDHAT', 
'CMD_USEDEFAULT' and 'CMD_DENY'. That part is useful and will stay.
(Maybe we should rename 'transitions' to a better name (hat_choices?), 
but that's a cosmetic issue.)

The code I want to remove stores the exec choice (CMD_ix, CMD_px etc.) - 
and that information isn't used anywhere (= storing it is superfluous).
Instead, profile_known_exec() is used to check if we need to ask for 
adding an exec rule or if we already have one.


Regards,

Christian Boltz
-- 
Möglicherweise laufe ich sogar mit fliegenden Fahnen von Gnome zu KDE
über. Jedenfalls, bis sich das Gnome-Projekt dazu entschliesst, Nautilus
durch /irgendwas/ zu ersetzen. Notfalls eine Parkuhr oder einen
Bratenwender. Aber nicht dieses.... "Ding". [Ratti in suse-linux]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160320/46a68a97/attachment.pgp>


More information about the AppArmor mailing list