[apparmor] [PATCH] utils: Do not attempt to add same profile file again
Christian Boltz
apparmor at cboltz.de
Tue Nov 28 20:59:41 UTC 2017
Hello,
On Tuesday, 28 November 2017, 19:04:03 CET, Goldwyn Rodrigues wrote:
> From: Goldwyn Rodrigues <rgoldwyn at suse.com>
>
> If the profile in profiles and profile_data are the same, then don't
> attempt to attach.
>
> 1. mkdir /tmp/apparmor.d/
> cp -r /etc/apparmor.d/abstractions /tmp/apparmor.d/
> cp -r /etc/apparmor.d/tunables /tmp/apparmor.d/
>
> 2. Generate basic profiles for all the executable files in one dir:
> aa-autodep -d /tmp/apparmor.d/ /usr/sbin/*
Nice[tm].
# aa-autodep -d /tmp/apparmor.d/ /usr/sbin/*
Writing updated profile for /usr/sbin/a2enflag.
ERROR: Conflicting profiles for netstat defined in two files:
- /usr/share/apparmor/extra-profiles/bin.netstat
- /usr/share/apparmor/extra-profiles/bin.netstat
So one profile gets written successfully, and things explode on the
second binary. Looks like the inactive profiles get loaded more than
once :-(
While your patch will "solve" that, I don't really like it because it
covers the underlying bug, which is...
def autodep(bin_name, pname=''):
    # ...
    read_inactive_profiles()
    # ...
so autodep() calls read_inactive_profiles() each time it's called (= for
each binary).
The better fix is to make sure read_inactive_profiles doesn't do
anything if it ran before. (Calling it only once would be even better,
but since we have several autodep() calls, it would be much harder to
implement.)
I don't really like the idea of introducing a global variable
("read_inactive_already_done"), therefore I searched for ways to avoid
them and found out that functions can have attributes. Simple example:
def foo():
    if hasattr(foo, 'done'):
        print('done')
        return
    foo.done = True
    print('not done')

foo()
foo()
foo()
This will print (tested with py2 and py3):
not done
done
done
Source: https://stackoverflow.com/questions/279561/what-is-the-python-equivalent-of-static-variables-inside-a-function
(if someone thinks TMTOWTDI only applies to perl, read this ;-)
That all said - the patch I propose is
https://gitlab.com/apparmor/apparmor/merge_requests/17
Regards,
Christian Boltz
--
[suse-talk] > However, he should be able to cope with our kind of humor.
What do you mean?
Humor?
....I've always been like this...
[> Helga Fischer and Thilo Alfred Bätzig in suse-linux]
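As an added example (not code from the AppArmor utils or from the mail above), the following simulates the situation Christian describes: an inactive-profile loader that is called once per binary, a registry that rejects the same profile name from a second file (the "Conflicting profiles ... defined in two files" error), and the function-attribute guard that makes every call after the first a no-op. The profile directory contents, the registry and the helper names are constructed for the demonstration.

```python
import os

# Constructed stand-in for /usr/share/apparmor/extra-profiles: file name -> profile name.
# The paths are only used in messages; nothing is read from or written to disk.
EXTRA_PROFILES_DIR = "/usr/share/apparmor/extra-profiles"
SAMPLE_EXTRA_PROFILES = {"bin.netstat": "netstat", "bin.ping": "ping"}
PROFILE_OUTPUT_DIR = "/tmp/apparmor.d"


class ProfileConflict(Exception):
    """Raised when a profile name is attached from two files (the aa-autodep ERROR)."""


def attach_profile(registry, name, path):
    """Attach one profile file; the same name coming from a second file is an error."""
    if name in registry:
        raise ProfileConflict(
            "Conflicting profiles for %s defined in two files:\n- %s\n- %s"
            % (name, registry[name], path))
    registry[name] = path


def read_inactive_profiles_unguarded(registry):
    """Loads every extra profile on each call (the behaviour the mail complains about)."""
    for fname, pname in SAMPLE_EXTRA_PROFILES.items():
        attach_profile(registry, pname, os.path.join(EXTRA_PROFILES_DIR, fname))


def read_inactive_profiles(registry):
    """Same loader, but a function attribute (no global) turns repeat calls into no-ops."""
    if hasattr(read_inactive_profiles, "done"):
        return
    read_inactive_profiles.done = True
    read_inactive_profiles_unguarded(registry)


def autodep(registry, bin_name, guarded):
    """Generate a basic profile for one binary, loading the inactive profiles first."""
    if guarded:
        read_inactive_profiles(registry)
    else:
        read_inactive_profiles_unguarded(registry)
    pname = os.path.basename(bin_name)
    attach_profile(registry, pname, os.path.join(PROFILE_OUTPUT_DIR, pname))


def run_autodep(binaries, guarded):
    """Simulate `aa-autodep /usr/sbin/*`: one autodep() call per binary.

    Returns (registry, error_message); error_message is None when no conflict occurred.
    The run-once marker is cleared first so the simulation is repeatable in one process.
    """
    if hasattr(read_inactive_profiles, "done"):
        del read_inactive_profiles.done
    registry = {}
    for bin_name in binaries:
        try:
            autodep(registry, bin_name, guarded)
        except ProfileConflict as e:
            return registry, str(e)
    return registry, None


if __name__ == "__main__":
    bins = ["/usr/sbin/a2enflag", "/usr/sbin/apache2ctl"]
    for guarded in (False, True):
        registry, err = run_autodep(bins, guarded)
        print("guarded=%s -> %d profiles, error: %s" % (guarded, len(registry), err))
```

Unguarded, the first binary succeeds and the second one explodes with the netstat conflict, exactly the sequence in the terminal output above; guarded, all four profiles end up in the registry. The `del read_inactive_profiles.done` in `run_autodep()` exists only to make the simulation repeatable; in the real tool the attribute is meant to persist for the whole process, which is the point of the guard.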