On Sun, Aug 14, 2016 at 09:28:18PM +0200, Christian Boltz wrote:
> the switch to FileRule made some bugs visible that survived unnoticed
> with hasher for years.
>
> If aa-logprof sees an exec event for a non-existing profile _and_ a
> profile file matching the expected profile filename exists in
> /etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
> being silent). In the old code, this created a superfluous entry
> somewhere in the aa hasher, and caused the existing profile to be
> rewritten (without changes).
>
> However, with FileRule it causes a crash saying
>
> File ".../utils/apparmor/aa.py", line 1335, in handle_children
> aa[profile][hat]['file'].add(FileRule(exec_target, file_perm,
> exec_mode, rule_to_name, owner=False, log_event=True))
> AttributeError: 'collections.defaultdict' object has no attribute 'add'
>
> This patch makes sure exec events for unknown profiles get ignored.
>
>
>
> Reproducer:
>
> python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215):
> apparmor="ALLOWED" operation="exec" profile="/sbin/klogd"
> name="/does/not/exist" pid=11832 comm="foo" requested_mask="x"
> denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
>
> This causes a crash without this patch because
> /etc/apparmor.d/sbin.klogd exists, but has
> profile klogd /{usr/,}sbin/klogd {
>
>
>
> Even if it's unlikely that users hit this bug in the wild, I also
> propose this patch for 2.10 and 2.9.

Acked-by: Steve Beattie <[email protected]> for all three.

Thanks.

-- 
Steve Beattie <[email protected]>
http://NxNW.org/~steve/
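The failure mode discussed in the quoted message is a nested-defaultdict autovivification trap: indexing aa[profile][hat]['file'] for a profile that was never loaded quietly creates empty dictionaries instead of the ruleset object, so the old hasher-based code got a "superfluous entry" and the FileRule-based code gets an AttributeError on .add(). The following is an added example, not code from the AppArmor utils or from either poster; it models the profile tree with a self-nesting defaultdict, a stand-in FileRuleset class, and the reproducer's audit line (constructed here from the values in the mail). It shows the unguarded lookup crashing, the guarded version ignoring the unknown profile "/sbin/klogd" while the loaded profile is named "klogd", and why the guard must use a membership test rather than a truthiness test. The hasher(), load_profiles(), handle_exec_* and bad_membership_check() names are hypothetical and do not correspond to functions in aa.py.

```python
import re
from collections import defaultdict

# Constructed sample input: the reproducer's audit line from the mail, joined
# onto one line. Values come from the mail, not from a live system.
SAMPLE_EVENT = (
    'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" '
    'profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"'
)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Return the key="value" fields of one audit line as a dict."""
    return dict(FIELD_RE.findall(line))


class FileRuleset:
    """Stand-in (hypothetical) for the ruleset stored under aa[profile][hat]['file']."""

    def __init__(self):
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)


def hasher():
    """Self-nesting defaultdict: every missing key becomes another hasher."""
    return defaultdict(hasher)


def load_profiles(names):
    """Build the in-memory profile tree for the given profile names.

    Loaded profiles get a real FileRuleset; any other key looked up later is
    autovivified as an empty hasher, which is the root of the bug.
    """
    aa = hasher()
    for name in names:
        aa[name][name]['file'] = FileRuleset()
    return aa


def handle_exec_unguarded(aa, event):
    """Pre-fix behaviour: index straight into the tree and call .add().

    For an unknown profile the 'file' slot is a defaultdict, not a
    FileRuleset, so .add() raises AttributeError.
    """
    profile = event['profile']
    hat = profile
    aa[profile][hat]['file'].add((event['name'], event['requested_mask']))
    return 'added'


def handle_exec_guarded(aa, event):
    """Post-fix behaviour: ignore exec events for profiles we never loaded.

    Membership is tested with 'in'; 'if not aa[profile]' would itself insert
    the empty entry the mail describes as superfluous.
    """
    profile = event['profile']
    hat = profile
    if profile not in aa or hat not in aa[profile]:
        return 'ignored'
    aa[profile][hat]['file'].add((event['name'], event['requested_mask']))
    return 'added'


def bad_membership_check(aa, profile):
    """The trap: a truthiness test on aa[profile] silently creates the key."""
    if not aa[profile]:
        return False
    return True
```

Run against the sample event, the guarded handler returns 'ignored' and leaves the tree untouched, whereas bad_membership_check() returns False but leaves an empty '/sbin/klogd' entry behind, which is exactly the kind of entry that caused the unchanged profile to be rewritten in the old code.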
