<div dir="ltr">Hello, <div><div class="gmail_extra"> <div class="gmail_quote">On Sun, Jun 7, 2015 at 5:55 PM, Christian Boltz <<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello, Hat declarations ("^hat,") were added in 2.3 for declaring external hats, but in the meantime aren't supported by the parser anymore (tested with 2.9.2 parser). Additionally, if a profile contains both a hat declaration and the hat ("^hat { ...}"), the hat declaration can overwrite the content of the hat on a "last one wins" base. This is caused by setting 'declared' to True, which means write_piece() will only write the "^hat," line, but not the "^hat { ... }" block. Therefore no longer set 'declared' to True, print a warning that hat declarations are no longer supported, and ignore the rule. This also means that running aa-cleanprof can make the profile valid again :-) Also no longer change 'hat' when hitting a profile declaration, which also looks wrong. Note: This change removes the only usage of 'declared'. A follow-up patch (trunk only) will completely remove the 'declared' handling. Reproducer profile (run aa-cleanprof on it): (will crash in remove_duplicate_rules() 80% of the time - if so, try multiple times. One of the next patches will fix that. Or just try 2.9, which doesn't have the crash in remove_duplicate_rules().) /usr/bin/true { ^FOO { capability setgid, } # deletes the content of ^FOO when saving the profile! (last one wins) # additionally, the parser says this is invalid syntax ^FOO, } See also the "Hat declarations" thread on the ML, <a href="https://lists.ubuntu.com/archives/apparmor/2015-June/008107.html" rel="noreferrer" target="_blank">https://lists.ubuntu.com/archives/apparmor/2015-June/008107.html</a> I propose this patch for trunk and 2.9. [ 46-obsolete-change-hat.diff ] === modified file utils/apparmor/aa.py --- utils/apparmor/aa.py 2015-06-06 14:54:10.584133536 +0200 +++ utils/apparmor/aa.py 2015-06-07 13:06:52.764908018 +0200 @@ -2992,11 +2992,8 @@ if not profile: raise AppArmorException(_('Syntax Error: Unexpected change hat declaration found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 }) - hat = matches[0] - hat = strip_quotes(hat) - - if not profile_data[profile][hat].get('declared', False): - profile_data[profile][hat]['declared'] = True + aaui.UI_Important(_('Ignoring no longer supported change hat declaration "^%(hat)s," found in file: %(file)s line: %(line)s') % { + 'hat': matches[0], 'file': file, 'line': lineno + 1 }) elif RE_PROFILE_HAT_DEF.search(line): # An embedded hat syntax definition starts </blockquote><div>On the long term could we entirely do away with this regex and code block? Thanks for the patch. Acked-by: Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com" target="_blank">kgupta8592@gmail.com</a>>. </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Regards, Christian Boltz -- > Leider Gottes ist es so, daß wenn man einen Spammer zu Strecke > gebracht hat, dafür drei neue auftauchen. Das ist wie bei den Fliegen. Schlägst Du eine Tot, kommen 40 zur Beerdigung. ;) [> Martin Mewes und Michael Raab in suse-linux] -- AppArmor mailing list <a href="mailto:AppArmor@lists.ubuntu.com">AppArmor@lists.ubuntu.com</a> Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/apparmor" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/apparmor</a> </blockquote></div> </div></div></div>