Hey Christian,
On Fri, Oct 10, 2014 at 09:21:34PM +0200, Christian Boltz wrote:
> if a filename mentioned in audit.log contains an @, aa-logprof crashes
> with
>
> # cat audit.log-not-a-variable
> type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec"
> profile="/sbin/klogd" name="/does/not/exist@disk" pid=11832 comm="foo"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> target="/sbin/klogd//null-1"
>
> # aa-logprof -f audit.log-not-a-variable
> Reading log entries from audit.log-variable.
> Aktualisiere AppArmor-Profile in /etc/apparmor.d.
> Traceback (most recent call last):
>   File "aa-logprof", line 52, in <module>
>     apparmor.do_logprof_pass(logmark)
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 2267, in do_logprof_pass
>     handle_children('', '', root)
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 1245, in handle_children
>     severity = sev_db.rank(exec_target, 'x')
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 134, in rank
>     return self.handle_variable_rank(resource, mode)
>   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 147, in handle_variable_rank
>     variable = regex_variable.search(resource).groups()[0]
> AttributeError: 'NoneType' object has no attribute 'groups'
>
>
> handle_variable_rank() checked with if '@' in resource:
> and if it finds it, expects it can match a variable, which means @{.....}
> If a filename contains a @ this fails.
Ugh.
> The patch fixes the if condition so that it does a regex match.
>
> === modified file 'utils/apparmor/severity.py'
> --- utils/apparmor/severity.py 2014-02-13 18:01:03 +0000
> +++ utils/apparmor/severity.py 2014-10-10 19:13:53 +0000
> @@ -143,7 +143,7 @@
> """Returns the max possible rank for file resources containing
> variables"""
> regex_variable = re.compile('@{([^{.]*)}')
> rank = None
> - if '@' in resource:
> + if regex_variable.search(resource):
> variable = regex_variable.search(resource).groups()[0]
> variable = '@{%s}' % variable
> #variables = regex_variable.findall(resource)
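Review bot: the regex still runs twice on the same resource, once in the new `if regex_variable.search(resource):` guard and again on the following line to pull out the group; bind the match object once, e.g. `match = regex_variable.search(resource)` / `if match:` / `variable = match.group(1)`, so the guard and the extraction cannot disagree and the work is not repeated. The `#variables = regex_variable.findall(resource)` line the hunk keeps commented out means a resource with several variables is still ranked by its first variable only; if that is intended, a short comment saying so would help, and a unit test with a bare `@` in a filename (the crashing case from the report) next to one with a real `@{...}` variable would pin the new behaviour down.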
Can you cache the result of doing the regex_variable.search() call,
rather than doing it twice?
Also, some unit tests that exercise this method,
handle_variable_rank(), of the Severity class would be nice.
--
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
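As an added illustration, not AppArmor's own code and not part of this thread, the following standalone Python model puts the pre-patch check (`'@' in resource`) beside the patched one, binds the search result once as requested in the reply, and carries a small unittest module that exercises both paths. The expansion table, the path ranks, the default rank and the function names are constructed stand-ins for the real severity.db and severity.py and are hypothetical.

```python
import re
import unittest

# Constructed stand-in for the severity database (assumption, not the real
# severity.db): variable expansions and a per-path rank, 10 = most sensitive.
VARIABLE_EXPANSIONS = {
    "@{HOME}": ["/home/", "/root/"],
    "@{PROC}": ["/proc/"],
}
PATH_RANKS = [
    ("/root/", 10),
    ("/proc/", 9),
    ("/home/", 6),
    ("/does/not/", 1),
]
UNKNOWN_RANK = 4  # assumed default for paths and variables not in the table

# Same pattern as the patch: a variable looks like @{NAME}, no nesting, no dots.
REGEX_VARIABLE = re.compile(r"@{([^{.]*)}")


def rank_path(path):
    """Rank a concrete path by its longest matching prefix in PATH_RANKS (assumed model)."""
    best = None
    for prefix, rank in PATH_RANKS:
        if path.startswith(prefix) and (best is None or len(prefix) > best[0]):
            best = (len(prefix), rank)
    return best[1] if best else UNKNOWN_RANK


def rank_expansions(variable, resource):
    """Expand the variable every known way and return the worst (highest) rank."""
    ranks = [rank_path(resource.replace(variable, expansion, 1))
             for expansion in VARIABLE_EXPANSIONS.get(variable, [])]
    return max(ranks) if ranks else UNKNOWN_RANK


def handle_variable_rank_before(resource):
    """Pre-patch logic: any '@' is assumed to be a variable."""
    if "@" in resource:
        # search() returns None for "/does/not/exist@disk", so .groups() raises
        # AttributeError: 'NoneType' object has no attribute 'groups'
        variable = REGEX_VARIABLE.search(resource).groups()[0]
        return rank_expansions("@{%s}" % variable, resource)
    return rank_path(resource)


def handle_variable_rank_after(resource):
    """Patched logic: only a real @{...} match is treated as a variable.

    The match object is bound once, so the guard and the extraction share it.
    """
    match = REGEX_VARIABLE.search(resource)
    if match:
        return rank_expansions("@{%s}" % match.group(1), resource)
    return rank_path(resource)


def crashes(func, resource):
    """True if func(resource) raises AttributeError, False otherwise."""
    try:
        func(resource)
    except AttributeError:
        return True
    return False


class HandleVariableRankTests(unittest.TestCase):
    # A bare '@' in a filename: the case from the bug report.
    def test_plain_at_in_filename(self):
        self.assertTrue(crashes(handle_variable_rank_before, "/does/not/exist@disk"))
        self.assertEqual(handle_variable_rank_after("/does/not/exist@disk"), 1)

    # A real variable: both versions agree, ranked by the worst expansion.
    def test_real_variable(self):
        self.assertEqual(handle_variable_rank_before("@{HOME}/.ssh/id_rsa"), 10)
        self.assertEqual(handle_variable_rank_after("@{HOME}/.ssh/id_rsa"), 10)

    # No variable at all: plain path ranking.
    def test_plain_path(self):
        self.assertEqual(handle_variable_rank_after("/proc/1/maps"), 9)


if __name__ == "__main__":
    unittest.main()
```

Running the module executes the three tests; the first one is the regression test for the report, the second guards against the fix changing ranking for genuine variables.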
