Hello,

*** important patch for 2.10 ***

TL;DR: the answer is "yes" ;-)
(see the patch for the question...)

Long version:
When creating a new child profile with aa-logprof or aa-genprof, the
child profile wasn't properly initialized in handle_children(), which
led to a crash in delete_duplicates() later because capability etc.
was not set to a CapabilityRuleset etc. class and therefore
profile['capability'] didn't have a .delete_duplicates() method.

Funnily, there was already a comment "do we need to init the profile here?"

This patch replaces the question in the comment with the answer.

Also add some TODO notes for cases where rules of an existing child
profile could be overwritten. I didn't test those cases, but the code
looks like it's doing that.




[ 74-handle_children-fix-child-init.diff ]

diff -ru '--exclude=.bzr' ../HEAD-patches-applied/utils/apparmor/aa.py 
./utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-07-12 17:54:34.369098430 +0200
+++ ./utils/apparmor/aa.py      2015-07-12 18:31:41.372523682 +0200
@@ -1464,7 +1464,8 @@
                                 ynans = aaui.UI_YesNo(_('A profile for %s does 
not exist.\nDo you want to create one?') % exec_target, 'n')
                             if ynans == 'y':
                                 hat = exec_target
-                                # XXX do we need to init the profile here?
+                                if not aa[profile].get(hat, False):
+                                    aa[profile][hat] = profile_storage()
                                 aa[profile][hat]['profile'] = True
 
                                 if profile != hat:
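
Review bot: The new guard `if not aa[profile].get(hat, False):` is left without a comment, and the removed XXX line was the only hint about why initialization matters here. A one-line comment stating that profile_storage() must run before the child profile's fields are filled in, so that later code such as delete_duplicates() finds the expected rule classes, would keep the reasoning next to the code. As a style point, `.get(hat, False)` can be written `.get(hat)`, since the result is only tested for truthiness.
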
@@ -1474,10 +1475,12 @@
 
                                 aa[profile][hat]['flags'] = 'complain'
 
+                                # XXX ... = hasher() probably superfluous, and 
stub_profile probably overwrites existing child profile
                                 aa[profile][hat]['allow']['path'] = hasher()
                                 if stub_profile[hat][hat]['allow'].get('path', 
False):
                                     aa[profile][hat]['allow']['path'] = 
stub_profile[hat][hat]['allow']['path']
 
+                                # XXX ... = hasher() probably superfluous, and 
stub_profile probably overwrites existing child profile
                                 aa[profile][hat]['include'] = hasher()
                                 if stub_profile[hat][hat].get('include', 
False):
                                     aa[profile][hat]['include'] = 
stub_profile[hat][hat]['include']
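
Review bot: The two added XXX comments describe a suspected overwrite of an existing child profile, but the assignments they annotate are unchanged. The first hunk now keeps an existing aa[profile][hat] when one is present, so the unconditional `aa[profile][hat]['allow']['path'] = hasher()` and `aa[profile][hat]['include'] = hasher()` would still reset that child's path and include rules before stub_profile is copied in. Either guard these assignments so they apply only to a freshly created child, or make each comment state what needs to be tested and track it as a follow-up. The same comment text is duplicated verbatim, so a single note covering both blocks would also do.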




Regards,

Christian Boltz
-- 
I tried actively participating in Wikipedia.
It was horrible. The Heise forum is a petting zoo by comparison.
[Charly Kuehnast on http://vvv.koehntopp.de/wpkris/?p=739032]


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
