On Thu, Jun 18, 2015 at 9:07 PM, Kshitij Gupta <[email protected]> wrote:
> Hello,
>
> On Sun, Jun 7, 2015 at 5:55 PM, Christian Boltz <[email protected]> wrote:
>
>> Hello,
>>
>> Hat declarations ("^hat,") were added in 2.3 for declaring external
>> hats, but in the meantime aren't supported by the parser anymore (tested
>> with the 2.9.2 parser).
>>
>> Additionally, if a profile contains both a hat declaration and the hat
>> ("^hat { ...}"), the hat declaration can overwrite the content of the
>> hat on a "last one wins" basis.
>>
>> This is caused by setting 'declared' to True, which means write_piece()
>> will only write the "^hat," line, but not the "^hat { ... }" block.
>>
>> Therefore no longer set 'declared' to True, print a warning that hat
>> declarations are no longer supported, and ignore the rule. This also
>> means that running aa-cleanprof can make the profile valid again :-)
>>
>> Also no longer change 'hat' when hitting a profile declaration, which
>> also looks wrong.
>>
>>
>> Note: This change removes the only usage of 'declared'. A follow-up
>> patch (trunk only) will completely remove the 'declared' handling.
>>
>>
>> Reproducer profile (run aa-cleanprof on it):
>> (will crash in remove_duplicate_rules() 80% of the time - if so, try
>> multiple times. One of the next patches will fix that. Or just try 2.9,
>> which doesn't have the crash in remove_duplicate_rules().)
>>
>> /usr/bin/true {
>>
>>   ^FOO {
>>     capability setgid,
>>   }
>>
>>   # deletes the content of ^FOO when saving the profile! (last one wins)
>>   # additionally, the parser says this is invalid syntax
>>   ^FOO,
>>
>> }
>>
>>
>> See also the "Hat declarations" thread on the ML,
>> https://lists.ubuntu.com/archives/apparmor/2015-June/008107.html
>>
>>
>> I propose this patch for trunk and 2.9.
>>
>>
>> [ 46-obsolete-change-hat.diff ]
>>
>> === modified file utils/apparmor/aa.py
>> --- utils/apparmor/aa.py 2015-06-06 14:54:10.584133536 +0200
>> +++ utils/apparmor/aa.py 2015-06-07 13:06:52.764908018 +0200
>> @@ -2992,11 +2992,8 @@
>>              if not profile:
>>                  raise AppArmorException(_('Syntax Error: Unexpected change hat declaration found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
>>
>> -            hat = matches[0]
>> -            hat = strip_quotes(hat)
>> -
>> -            if not profile_data[profile][hat].get('declared', False):
>> -                profile_data[profile][hat]['declared'] = True
>> +            aaui.UI_Important(_('Ignoring no longer supported change hat declaration "^%(hat)s," found in file: %(file)s line: %(line)s') % {
>> +                    'hat': matches[0], 'file': file, 'line': lineno + 1 })
>>
>>          elif RE_PROFILE_HAT_DEF.search(line):
>>              # An embedded hat syntax definition starts
>
> In the long term, could we entirely do away with this regex and code block?
>
> Thanks for the patch.
>
> Acked-by: Kshitij Gupta <[email protected]>.
>
> for both 2.9 and trunk.
>
>> Regards,
>>
>> Christian Boltz
>> --
>>> Sadly it is the way of things: once you have brought down one
>>> spammer, three new ones turn up in his place.
>> It's the same with flies. Swat one dead and 40 come to the funeral. ;)
>> [> Martin Mewes and Michael Raab in suse-linux]
>>
>>
>> --
>> AppArmor mailing list
>> [email protected]
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/apparmor
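Review bot: the new UI_Important() call in the hunk passes the raw `matches[0]` as the hat name, whereas the removed lines normalised it with `strip_quotes()` before use; for a quoted declaration such as `^"my hat",` the warning will print the quotes as part of the name, giving `"^"my hat","`. Consider `'hat': strip_quotes(matches[0])` so the reported name matches what the removed code would have stored. Keeping the `if not profile:` raise above the new warning is correct: a `^hat,` line outside any profile is still a syntax error rather than an obsolete declaration to ignore, and the patch should say so in the commit message so nobody later folds the two cases together.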
