<div dir="ltr">Hello,<br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jun 7, 2015 at 7:27 PM, Christian Boltz <span dir="ltr"><<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
profile_storage() returns an empty, properly initialized profile.<br>
It doesn't explicitely init all keys (yet) and will be extended over<br></blockquote><div>nitpick: I think (and google agrees) it's "explicitly" without the _e_ ;-)<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
time, with the final goal to get rid of hasher().<br>
<br>
Also change various places in aa.py to use it (instead of an empty<br>
hasher or sub-hasher), and remove various "init rule class (if not done<br>
yet)" cases.<br>
<br>
This also avoids a crash in aa-cleanprof remove_duplicate_rules().<br>
Hats weren't properly initialized in aa.py parse_profile_data()<br>
(especially rule classes were missing), which caused a crash because<br>
hasher doesn't support the delete_duplicates() method.<br>
<br>
<br>
<br>
[ 48-add-profile_storage.diff ]<br>
<br></blockquote><div>Thanks for the patch. Looks fine to me.<br><br>Acked-by: Kshitij Gupta <<a href="mailto:kgupta8592@gmail.com" target="_blank">kgupta8592@gmail.com</a>>.    <br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
=== modified file utils/apparmor/aa.py<br>
--- utils/apparmor/aa.py        2015-06-07 14:49:41.432239728 +0200<br>
+++ utils/apparmor/aa.py        2015-06-07 15:50:58.057162382 +0200<br>
@@ -104,12 +104,6 @@<br>
 t = hasher()  # dict()<br>
 transitions = hasher()<br>
<br>
-# keys used in aa[profile][hat]:<br>
-# a) rules (as dict): alias, include, lvar<br>
-# b) rules (as hasher): allow, deny<br>
-# c) one for each rule class<br>
-# d) other: external, flags, name, profile, attachment, initial_comment,<br>
-#           profile_keyword, header_comment (these two are currently only set by set_profile_flags())<br>
 aa = hasher()  # Profiles originally in sd, replace by aa<br>
 original_aa = hasher()<br>
 extras = hasher()  # Inactive profiles from extras<br>
@@ -408,8 +402,35 @@<br>
         return {local_profile: extras[local_profile]}<br>
     return dict()<br>
<br>
+def profile_storage():<br>
+    # keys used in aa[profile][hat]:<br>
+    # a) rules (as dict): alias, include, lvar<br>
+    # b) rules (as hasher): allow, deny<br>
+    # c) one for each rule class<br>
+    # d) other: external, flags, name, profile, attachment, initial_comment,<br>
+    #           profile_keyword, header_comment (these two are currently only set by set_profile_flags())<br>
+<br>
+    # Note that this function doesn't explicitely init all those keys (yet).<br>
+    # It will be extended over time, with the final goal to get rid of hasher().<br>
+<br>
+    profile = hasher()<br>
+<br>
+    profile['capability']       = CapabilityRuleset()<br>
+    profile['change_profile']   = ChangeProfileRuleset()<br>
+    profile['network']          = NetworkRuleset()<br>
+    profile['rlimit']           = RlimitRuleset()<br>
+<br>
+    profile['allow']['path'] = hasher()<br>
+    profile['allow']['dbus'] = list()<br>
+    profile['allow']['mount'] = list()<br>
+    profile['allow']['signal'] = list()<br>
+    profile['allow']['ptrace'] = list()<br>
+    profile['allow']['pivot_root'] = list()<br>
+<br>
+    return profile<br>
+<br>
 def create_new_profile(localfile, is_stub=False):<br>
-    local_profile = hasher()<br>
+    local_profile = profile_storage()<br>
     local_profile[localfile]['flags'] = 'complain'<br>
     local_profile[localfile]['include']['abstractions/base'] = 1<br>
<br>
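Review bot: profile_storage() is used at the wrong nesting level in create_new_profile: line 69 assigns its result to local_profile, but the next lines index local_profile[localfile][...], so the rulesets and the pre-created 'allow' sub-keys end up beside the profile name rather than inside the hat, while every other call site in the patch stores the result one level deeper as [profile][hat]. Unless the top level is meant to carry them, this should read `local_profile = hasher()` followed by `local_profile[localfile] = profile_storage()`. Separately, the key inventory comment at the top of profile_storage would serve better as a docstring, and it lists 'deny' among the hasher-valued keys although the function only pre-populates 'allow' — worth saying so there. create_new_profile continues outside the hunk.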
@@ -1442,6 +1463,7 @@<br>
                                 ynans = aaui.UI_YesNo(_('A profile for %s does not exist.\nDo you want to create one?') % exec_target, 'n')<br>
                             if ynans == 'y':<br>
                                 hat = exec_target<br>
+                                # XXX do we need to init the profile here?<br>
                                 aa[profile][hat]['profile'] = True<br>
<br>
                                 if profile != hat:<br>
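Review bot: The XXX on line 77 is better resolved than left open: the following `aa[profile][hat]['profile'] = True` autovivifies the hat as a bare hasher, which looks like the same uninitialised state the commit message describes as crashing remove_duplicate_rules(), so any rule later added to this hat would hit the same gap. Mirroring the guard the patch uses for hats in parse_profile_data, `if not aa[profile].get(hat, False): aa[profile][hat] = profile_storage()` placed before that assignment would close it. The enclosing function starts and ends outside the hunk.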
@@ -1566,16 +1588,12 @@<br>
                 hats = [profile] + hats<br>
<br>
             for hat in hats:<br>
-                if not log_obj[profile][hat].get('capability', False):<br>
-                    log_obj[profile][hat]['capability'] = CapabilityRuleset()<br>
+                log_obj[profile][hat] = profile_storage()<br>
<br>
                 for capability in sorted(log_dict[aamode][profile][hat]['capability'].keys()):<br>
                     capability_obj = CapabilityRule(capability, log_event=aamode)<br>
                     log_obj[profile][hat]['capability'].add(capability_obj)<br>
<br>
-                if not log_obj[profile][hat].get('network', False):<br>
-                    log_obj[profile][hat]['network'] = NetworkRuleset()<br>
-<br>
                 for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):<br>
                     for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):<br>
                         network_obj = NetworkRule(family, sock_type, log_event=aamode)<br>
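Review bot: The replacement at line 87 loses the idempotence the removed checks had: log_obj[profile][hat] is now reset unconditionally on every pass through the hat loop, whereas the old `get('capability', False)` guard kept an existing ruleset. If the loop enclosing this hunk (it starts outside the hunk) visits the same profile/hat more than once — plausibly once per aamode, given the log_dict[aamode] indexing — the rules collected on an earlier pass are silently discarded. Reusing the guard the patch applies to hats elsewhere, `if not log_obj[profile].get(hat, False):` before the assignment, would preserve the previous behaviour.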
@@ -2562,6 +2580,8 @@<br>
     if do_include:<br>
         profile = file<br>
         hat = file<br>
+        profile_data[profile][hat] = profile_storage()<br>
+<br>
     for lineno, line in enumerate(data):<br>
         line = line.strip()<br>
         if not line:<br>
@@ -2578,6 +2598,8 @@<br>
                 raise AppArmorException('Profile %(profile)s defined twice in %(file)s, last found in line %(line)s' %<br>
                     { 'file': file, 'line': lineno + 1, 'profile': combine_name(profile, hat) })<br>
<br>
+            profile_data[profile][hat] = profile_storage()<br>
+<br>
             if attachment:<br>
                 profile_data[profile][hat]['attachment'] = attachment<br>
             if pps_set_profile:<br>
@@ -2595,15 +2617,6 @@<br>
<br>
             profile_data[profile][hat]['flags'] = flags<br>
<br>
-            profile_data[profile][hat]['network'] = NetworkRuleset()<br>
-            profile_data[profile][hat]['change_profile'] = ChangeProfileRuleset()<br>
-            profile_data[profile][hat]['rlimit'] = RlimitRuleset()<br>
-            profile_data[profile][hat]['allow']['path'] = hasher()<br>
-            profile_data[profile][hat]['allow']['dbus'] = list()<br>
-            profile_data[profile][hat]['allow']['mount'] = list()<br>
-            profile_data[profile][hat]['allow']['signal'] = list()<br>
-            profile_data[profile][hat]['allow']['ptrace'] = list()<br>
-            profile_data[profile][hat]['allow']['pivot_root'] = list()<br>
             # Save the initial comment<br>
             if initial_comment:<br>
                 profile_data[profile][hat]['initial_comment'] = initial_comment<br>
@@ -2614,10 +2627,6 @@<br>
                 profile_data[profile][profile]['repo']['url'] = repo_data['url']<br>
                 profile_data[profile][profile]['repo']['user'] = repo_data['user']<br>
<br>
-            # init rule classes (if not done yet)<br>
-            if not profile_data[profile][hat].get('capability', False):<br>
-                profile_data[profile][hat]['capability'] = CapabilityRuleset()<br>
-<br>
         elif RE_PROFILE_END.search(line):<br>
             # If profile ends and we're not in one<br>
             if not profile:<br>
@@ -2636,10 +2645,6 @@<br>
             if not profile:<br>
                 raise AppArmorException(_('Syntax Error: Unexpected capability entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })<br>
<br>
-            # init rule class (if not done yet)<br>
-            if not profile_data[profile][hat].get('capability', False):<br>
-                profile_data[profile][hat]['capability'] = CapabilityRuleset()<br>
-<br>
             profile_data[profile][hat]['capability'].add(CapabilityRule.parse(line))<br>
<br>
         elif RE_PROFILE_LINK.search(line):<br>
@@ -2693,10 +2698,6 @@<br>
             if not profile:<br>
                 raise AppArmorException(_('Syntax Error: Unexpected rlimit entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })<br>
<br>
-            # init rule class (if not done yet)<br>
-            if not profile_data[profile][hat].get('rlimit', False):<br>
-                profile_data[profile][hat]['rlimit'] = RlimitRuleset()<br>
-<br>
             profile_data[profile][hat]['rlimit'].add(RlimitRule.parse(line))<br>
<br>
         elif RE_PROFILE_BOOLEAN.search(line):<br>
@@ -3003,11 +3004,15 @@<br>
             in_contained_hat = True<br>
             hat = matches.group('hat')<br>
             hat = strip_quotes(hat)<br>
+<br>
+            # if hat is already known, the filelist check some lines below will error out.<br>
+            # nevertheless, just to be sure, don't overwrite existing profile_data.<br>
+            if not profile_data[profile].get(hat, False):<br>
+                profile_data[profile][hat] = profile_storage()<br>
+<br>
             flags = matches.group('flags')<br>
<br>
             profile_data[profile][hat]['flags'] = flags<br>
-            #profile_data[profile][hat]['allow']['path'] = hasher()<br>
-            #profile_data[profile][hat]['allow']['netdomain'] = hasher()<br>
<br>
             if initial_comment:<br>
                 profile_data[profile][hat]['initial_comment'] = initial_comment<br>
<br>
<br>
Regards,<br>
<br>
Christian Boltz<br>
<span class=""><font color="#888888">--<br>
> I see no "do" in your script, so this will give you a "syntax error<br>
> near unexpected token `done'" after shutdown ;-))<br>
I've been hearing funny noises after shutdown, that must be it :-)<br>
[> Christian Boltz and Chris Maaskant in opensuse]<br>
<br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Regards,<br><br></div>Kshitij Gupta<br></div></div>
</div></div>