Re: [apparmor] [patch] Initialize child profile in handle_children()

Steve Beattie Mon, 13 Jul 2015 16:26:50 -0700

On Mon, Jul 13, 2015 at 04:13:46PM -0700, Seth Arnold wrote:
> On Sun, Jul 12, 2015 at 06:51:49PM +0200, Christian Boltz wrote:
> > [ 74-handle_children-fix-child-init.diff ]
> > 
> > diff -ru '--exclude=.bzr' ../HEAD-patches-applied/utils/apparmor/aa.py 
> > ./utils/apparmor/aa.py
> > --- utils/apparmor/aa.py        2015-07-12 17:54:34.369098430 +0200
> > +++ ./utils/apparmor/aa.py      2015-07-12 18:31:41.372523682 +0200
> > @@ -1464,7 +1464,8 @@
> >                                  ynans = aaui.UI_YesNo(_('A profile for %s 
> > does not exist.\nDo you want to create one?') % exec_target, 'n')
> >                              if ynans == 'y':
> >                                  hat = exec_target
> > -                                # XXX do we need to init the profile here?
> > +                                if not aa[profile].get(hat, False):
> > +                                    aa[profile][hat] = profile_storage()
> >                                  aa[profile][hat]['profile'] = True
> >  
> >                                  if profile != hat:
> 
> The part above makes sense.
> 
> > @@ -1474,10 +1475,12 @@
> >  
> >                                  aa[profile][hat]['flags'] = 'complain'
> >  
> > +                                # XXX ... = hasher() probably superfluous, 
> > and stub_profile probably overwrites existing child profile
> >                                  aa[profile][hat]['allow']['path'] = 
> > hasher()
> >                                  if 
> > stub_profile[hat][hat]['allow'].get('path', False):
> >                                      aa[profile][hat]['allow']['path'] = 
> > stub_profile[hat][hat]['allow']['path']
> >  
> > +                                # XXX ... = hasher() probably superfluous, 
> > and stub_profile probably overwrites existing child profile
> >                                  aa[profile][hat]['include'] = hasher()
> >                                  if stub_profile[hat][hat].get('include', 
> > False):
> >                                      aa[profile][hat]['include'] = 
> > stub_profile[hat][hat]['include']
> > 
> 
> But this part doesn't; I'd rather see the bad lines deleted. Either it
> overwrites something that was already there (and was important), or it
> is useless. Right?


Agreed. Or at the very least they need to be protected by a
similar get() call as the 'allow/path' and 'include' fields are for
stub_profile.

That said, I haven't investigated code branches to exercise this path.

-- 
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/

signature.asc
Description: Digital signature

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] [patch] Initialize child profile in handle_children()

Reply via email to