<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Dec 26, 2015 at 9:07 PM, Christian Boltz <span dir="ltr"><<a href="mailto:apparmor@cboltz.de" target="_blank">apparmor@cboltz.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
write_prof_data[hat] is correct (it only contains one profile, see also<br>
bug 1528139), write_prof_data[profile][hat] is not and returns an empty<br>
(sub)hasher.<br>
<br></blockquote><div>Hmm...<br><br>Reading the comments near the initialisation of write_prof_data:<br># XXX this will explode if a file contains multiple profiles, see <a href="https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139">https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139</a><br># XXX fixing this needs lots of write_prof_data[hat] -> write_prof_data[profile][hat] changes (and of course also a change in the calling code)<br><br></div><div>So, basically a part of the logic below is correct in that it accessed the hat from the profile, which will again need to be added once write_prof_data supports multiple profiles I'm guessing?<br><br></div><div>Why not copy write_prof_data[hat] to write_prof_data[profile][hat] for the time being?<br></div><div>That might seem hack-ish though.<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
This affects RE_PROFILE_START and RE_PROFILE_BARE_FILE_ENTRY.<br>
<br>
<br>
I propose this patch for trunk, 2.10 and 2.9.<br>
<br>
<br>
[ 46-serialize_profile_from_old_profile-fix-wrong-access-to-write_prof_data.diff ]<br>
<br>
=== modified file ./utils/apparmor/aa.py<br>
--- utils/apparmor/aa.py        2015-12-06 19:36:00.818745321 +0100<br>
+++ utils/apparmor/aa.py        2015-12-08 18:59:09.625261162 +0100<br>
@@ -3718,7 +3718,7 @@<br>
             if RE_PROFILE_START.search(line):<br>
<br>
                 (profile, hat, attachment, flags, in_contained_hat, correct) = serialize_parse_profile_start(<br>
-                        line, prof_filename, None, profile, hat, write_prof_data[profile][hat]['profile'], write_prof_data[profile][hat]['external'], correct)<br>
+                        line, prof_filename, None, profile, hat, write_prof_data[hat]['profile'], write_prof_data[hat]['external'], correct)<br>
<br>
                 if not write_prof_data[hat]['name'] == profile:<br>
                     correct = False<br>
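</blockquote><div>Review bot: the new write_prof_data[hat] lookups in the serialize_parse_profile_start() call only hold while write_prof_data contains a single profile, and nothing at the call site says so. A short XXX comment here pointing at bug 1528139 would flag that these two lookups have to move back to write_prof_data[profile][hat] once multiple profiles per file are supported. The result is at least consistent with the unchanged check below the call, which already reads write_prof_data[hat]['name'].<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">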
@@ -3954,7 +3954,7 @@<br>
                 if matches[0]:<br>
                     audit = mode<br>
<br>
-                path_rule = write_prof_data[profile][hat][allow]['path'][ALL]<br>
+                path_rule = write_prof_data[hat][allow]['path'][ALL]<br>
                 if path_rule.get('mode', set()) & mode and \<br>
                    (not audit or path_rule.get('audit', set()) & audit) and \<br>
                    path_rule.get('file_prefix', set()):<br>
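</blockquote><div>Review bot: no test accompanies the path_rule change, and the old lookup failed silently instead of raising: with an empty path_rule, path_rule.get('mode', set()) &amp; mode is always empty, so the condition that follows could never match. A regression test that serializes a profile containing a bare file entry and asserts that this branch is taken would keep the [profile][hat] form from coming back unnoticed.<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">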
<br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Regards,<br>
<br>
Christian Boltz<br>
<span class=""><font color="#888888">--<br>
programmers' biggest strength is that they're lazy bastards.<br></font></span></blockquote><div>lol I should frame it and put a sign that says: "Please read it before talking to me", but then "too lazy to do that"<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class=""><font color="#888888">
[Claudio Freire in opensuse-factory]<br>
</font></span><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Regards,<br><br></div>Kshitij Gupta<br></div></div>
</div></div>