[apparmor] regression introduced by this series
Steve Beattie
steve at nxnw.org
Tue Sep 27 00:46:31 UTC 2016
On Mon, Sep 26, 2016 at 05:40:37PM -0700, Steve Beattie wrote:
> On Fri, Aug 12, 2016 at 10:40:39PM +0200, Christian Boltz wrote:
> > this patch series introduces the FileRule and FileRuleset classes and
> > changes several code sections to use these classes instead of the old
> > 'path' hasher.
> >
> > the switch to FileRule made some bugs visible that survived unnoticed
> > with hasher for years.
>
> I've found a regression that occurs once patch
> 14-switch-to-FileRule.diff is applied (but still occurs with the entire
> sequence applied), and occurs under either python2 or python3.
>
> When merging two profiles that contain the following:
>
> == PROFILE A ==
> #include <tunables/global>
>
> /usr/lib/postfix/smtpd {
> #include <abstractions/ssl_certs>
> #include <abstractions/ssl_keys>
>
> capability dac_override,
> capability dac_read_search,
>
> /usr/lib/postfix/smtpd rix,
> /usr/sbin/postdrop rpx,
>
> }
> == PROFILE B ==
> #include <tunables/global>
>
> /usr/lib/postfix/smtpd {
> #include <abstractions/openssl>
>
> capability dac_override,
> capability dac_read_search,
>
> /usr/lib/postfix/smtpd rmix,
> /usr/sbin/postdrop rPx,
>
> }
> == END PROFILES ==
>
> i.e. their differences are:
>
> --- usr.lib.postfix.smtpd 2016-09-26 17:30:35.848884709 -0700
> +++ ../usr.lib.postfix.smtpd 2016-09-26 17:30:44.620874325 -0700
> @@ -12,13 +12,12 @@
> #include <tunables/global>
>
> /usr/lib/postfix/smtpd {
> - #include <abstractions/ssl_certs>
> - #include <abstractions/ssl_keys>
> + #include <abstractions/openssl>
>
> capability dac_override,
> capability dac_read_search,
>
> - /usr/lib/postfix/smtpd rix,
> - /usr/sbin/postdrop rpx,
> + /usr/lib/postfix/smtpd rmix,
> + /usr/sbin/postdrop rPx,
>
> }
>
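Review bot: three independent differences are bundled in this hunk (the include swap at the top, `m` added on `/usr/lib/postfix/smtpd`, and `rpx` changed to `rPx` on `/usr/sbin/postdrop`), so the reproducer does not show which of them the failing step depends on. Since the KeyError in the traceback names 'abstractions/openssl' and is raised with rule_type = 'file', a profile pair that differs only in the `#include <abstractions/openssl>` line and one file rule would make a tighter test case.
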
> Running aa-mergeprof fails, if the added include for
> abstractions/openssl is allowed, followed by adjusting the postdrop
> permissions, like so:
>
> == BEGIN OUTPUT ==
>
> Merging profile for /usr/lib/postfix/smtpd
>
> File includes: Select the ones you wish to add
>
> [1 - #include <abstractions/openssl>]
> [(A)llow] / (I)gnore / Abo(r)t / (F)inish
> Adding #include <abstractions/openssl> to the file.
>
> Path: /usr/sbin/postdrop
> Select the appropriate mode:
>
> [1 - /usr/sbin/postdrop rpx,]
> 2 - /usr/sbin/postdrop rPx,
> (A)llow / Abo(r)t
>
> Path: /usr/sbin/postdrop
> Select the appropriate mode:
>
> 1 - /usr/sbin/postdrop rpx,
> [2 - /usr/sbin/postdrop rPx,]
> (A)llow / Abo(r)t

To clarify, after selecting option 2, I've now selected (A)llow,
and then the traceback occurs when aa-mergeprof moves on to handle
the difference on the /usr/lib/postfix/smtpd permissions.

Dropping the openssl include difference, or even simply responding
to the openssl prompt with (I)gnore also causes it not to be triggered.

> Traceback (most recent call last):
> File "./aa-mergeprof", line 457, in <module>
> main()
> File "./aa-mergeprof", line 126, in main
> act([user_file, base_file, None], 2, profile_name)
> File "./aa-mergeprof", line 144, in act
> mergeprofiles.ask_the_questions('base', merging_profile)
> File "./aa-mergeprof", line 331, in ask_the_questions
> if is_known_rule(aa[profile][hat], ruletype, rule_obj):
> File "${HOME}/bzr/apparmor-master/utils/apparmor/aa.py", line 3498, in is_known_rule
> if include[incname][incname].get(rule_type, False):
> KeyError: 'abstractions/openssl'
>
>
> An unexpected error occoured!
>
> For details, see /tmp/apparmor-bugreport-03m_vh3s.txt
> Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
> and attach this file.
>
> == END OUTPUT ==
>
> and here's the contents of the bugreport file. Hope this all helps track
> down what's gone wrong:
>
> KeyError
> Python 3.5.2: /usr/bin/python3
> Mon Sep 26 17:32:12 2016
>
> A problem occurred in a Python script. Here is the sequence of
> function calls leading up to the error, in the order they occurred.
>
> ${HOME}/bzr/apparmor-master/utils/aa-mergeprof in <module>()
> 448
> 449 edit_rule_obj.store_edit(newpath)
> 450 options, default_option = add_to_options(options, edit_rule_obj.get_raw())
> 451 apparmor.aa.user_globs[newpath] = AARE(newpath, True)
> 452
> 453 else:
> 454 done = False
> 455
> 456 if __name__ == '__main__':
> 457 main()
> main = <function main>
>
> ${HOME}/bzr/apparmor-master/utils/aa-mergeprof in main()
> 121 continue
> 122
> 123 act([user_file, other_file, None], 2, profile_name)
> 124 else:
> 125 if other_file == None:
> 126 act([user_file, base_file, None], 2, profile_name)
> 127 else:
> 128 act([user_file, base_file, other_file], 3, profile_name)
> 129
> 130 reset_aa()
> global act = <function act>
> user_file = '${HOME}/tmp/aa-mergeprof-regression/usr.lib.postfix.smtpd'
> base_file = '${HOME}/tmp/usr.lib.postfix.smtpd'
> profile_name = '/usr/lib/postfix/smtpd'
>
> ${HOME}/bzr/apparmor-master/utils/aa-mergeprof in act(files=['${HOME}/tmp/aa-mergeprof-regression/usr.lib.postfix.smtpd', '${HOME}/tmp/usr.lib.postfix.smtpd', None], merge_mode=2, merging_profile='/usr/lib/postfix/smtpd')
> 139 if merge_mode == 3:
> 140 mergeprofiles.ask_the_questions('other', merging_profile)
> 141
> 142 mergeprofiles.clear_common()
> 143
> 144 mergeprofiles.ask_the_questions('base', merging_profile)
> 145
> 146 q = aaui.PromptQuestion()
> 147 q.title = _('Changed Local Profiles')
> 148 q.explanation = _('The following local profiles were changed. Would you like to save them?')
> mergeprofiles = <__main__.Merge object>
> mergeprofiles.ask_the_questions = <bound method Merge.ask_the_questions of <__main__.Merge object>>
> merging_profile = '/usr/lib/postfix/smtpd'
>
> ${HOME}/bzr/apparmor-master/utils/aa-mergeprof in ask_the_questions(self=<__main__.Merge object>, other=<apparmor.cleanprofile.Prof object>, profile='/usr/lib/postfix/smtpd')
> 326
> 327 for ruletype in apparmor.aa.ruletypes:
> 328 if other.aa[profile][hat].get(ruletype, False): # needed until we have proper profile initialization
> 329 for rule_obj in other.aa[profile][hat][ruletype].rules:
> 330
> 331 if is_known_rule(aa[profile][hat], ruletype, rule_obj):
> 332 continue
> 333
> 334 default_option = 1
> 335 options = []
> global is_known_rule = <function is_known_rule>
> aa = defaultdict(<function hasher at 0x7efff9045268>,...mergeprof-regression/usr.lib.postfix.smtpd'})})})
> profile = '/usr/lib/postfix/smtpd'
> hat = '/usr/lib/postfix/smtpd'
> ruletype = 'file'
> rule_obj = <FileRule> /usr/lib/postfix/smtpd rmix,
>
> ${HOME}/bzr/apparmor-master/utils/apparmor/aa.py in is_known_rule(profile=defaultdict(<function hasher at 0x7efff9045268>,.../aa-mergeprof-regression/usr.lib.postfix.smtpd'}), rule_type='file', rule_obj=<FileRule> /usr/lib/postfix/smtpd rmix,)
> 3493 checked.append(incname)
> 3494
> 3495 if os.path.isdir(profile_dir + '/' + incname):
> 3496 includelist += include_dir_filelist(profile_dir, incname)
> 3497 else:
> 3498 if include[incname][incname].get(rule_type, False):
> 3499 if include[incname][incname][rule_type].is_covered(rule_obj, False):
> 3500 return True
> 3501
> 3502 for childinc in include[incname][incname]['include'].keys():
> global include = {'abstractions/ssl_certs': defaultdict(<function hasher at 0x7efff9045268>,...nclude'}, 'rlimit': <RlimitRuleset (empty) />})}), 'abstractions/ssl_keys': defaultdict(<function hasher at 0x7efff9045268>,...nclude'}, 'rlimit': <RlimitRuleset (empty) />})}), 'tunables/alias': defaultdict(<function hasher at 0x7efff9045268>,...ables/alias', 'dbus': <DbusRuleset (empty) />})}), 'tunables/global': defaultdict(<function hasher at 0x7efff9045268>,...mpty) />, 'rlimit': <RlimitRuleset (empty) />})}), 'tunables/home': defaultdict(<function hasher at 0x7efff9045268>,...e/'}, '@{HOME}': {'@{HOMEDIRS}/*/', '/root/'}})}), 'tunables/home.d/site.local': defaultdict(<function hasher at 0x7efff9045268>,.../site.local', 'dbus': <DbusRuleset (empty) />})}), 'tunables/kernelvars': defaultdict(<function hasher at 0x7efff9045268>,..., '@{tid}': {'@{pid}'}, '@{pids}': {'@{pid}'}})}), 'tunables/multiarch': defaultdict(<function hasher at 0x7efff9045268>,...ff9045268>, {'@{multiarch}': {'*-linux-gnu*'}})}), 'tunables/multiarch.d/site.local': defaultdict(<function hasher at 0x7efff9045268>,.../site.local', 'dbus': <DbusRuleset (empty) />})}), 'tunables/proc': defaultdict(<function hasher at 0x7efff9045268>,...er at 0x7efff9045268>, {'@{PROC}': {'/proc/'}})}), ...}
> incname = 'abstractions/openssl'
> ].get undefined
> rule_type = 'file'
> KeyError: 'abstractions/openssl'
>
> The above is a description of an error in a Python program. Here is
> the original traceback:
>
> Traceback (most recent call last):
> File "./aa-mergeprof", line 457, in <module>
> main()
> File "./aa-mergeprof", line 126, in main
> act([user_file, base_file, None], 2, profile_name)
> File "./aa-mergeprof", line 144, in act
> mergeprofiles.ask_the_questions('base', merging_profile)
> File "./aa-mergeprof", line 331, in ask_the_questions
> if is_known_rule(aa[profile][hat], ruletype, rule_obj):
> File "${HOME}/bzr/apparmor-master/utils/apparmor/aa.py", line 3498, in is_known_rule
> if include[incname][incname].get(rule_type, False):
> KeyError: 'abstractions/openssl'
>
>
> Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
> and attach this file.
>
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
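
The KeyError in the traceback above is raised when `include[incname][incname]` is indexed with a name (`abstractions/openssl`, accepted at the include prompt) that is not a key in the `include` dict. The following is an added sketch, not code from this message or from AppArmor's aa.py: `Ruleset`, `parsed`, `load_include`, `ON_DISK`, `startup_cache` and the rule contents are constructed stand-ins, and loading on a cache miss is an assumed way to guard the lookup, not the fix the project adopted.

```python
class Ruleset:
    """Constructed stand-in for a ruleset: a set of raw rule strings."""
    def __init__(self, rules=()):
        self.rules = set(rules)

    def is_covered(self, rule):
        return rule in self.rules


def parsed(rules=(), children=()):
    # Shape mirrors the lookups in the traceback: [rule_type] and ['include'].
    return {"file": Ruleset(rules), "include": dict.fromkeys(children, True)}


# Constructed "on-disk" abstractions; the contents are illustrative only.
ON_DISK = {
    "abstractions/ssl_certs": parsed(["/etc/ssl/certs/** r,"]),
    "abstractions/openssl": parsed(["/etc/ssl/openssl.cnf r,"]),
}


def load_include(incname):
    # Hypothetical loader: a real tool would parse the include file here.
    return ON_DISK[incname]


def is_known_rule(includes, rule_type, rule, cache, loader=None):
    """Return True if any (nested) include already covers the rule.

    With loader=None the cache is indexed directly, as on the failing line.
    With a loader, a missing include is parsed and cached before use.
    """
    pending, checked = list(includes), set()
    while pending:
        incname = pending.pop(0)
        if incname in checked:
            continue
        checked.add(incname)
        if loader is not None and incname not in cache:
            cache[incname] = {incname: loader(incname)}
        entry = cache[incname][incname]  # KeyError when never loaded
        if entry.get(rule_type) and entry[rule_type].is_covered(rule):
            return True
        pending.extend(entry["include"])
    return False


def startup_cache():
    # Only the include the profile had before the merge was parsed.
    name = "abstractions/ssl_certs"
    return {name: {name: ON_DISK[name]}}
```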