[apparmor] [patch] fix severity.py / handle_variable_rank for filenames containing @

Christian Boltz apparmor at cboltz.de
Fri Oct 10 19:21:34 UTC 2014


Hello

If a filename mentioned in audit.log contains an @, aa-logprof crashes with

# cat audit.log-not-a-variable
type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist@disk" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"

# aa-logprof -f audit.log-not-a-variable    
Reading log entries from audit.log-variable.
Updating AppArmor profiles in /etc/apparmor.d.
Traceback (most recent call last):
  File "aa-logprof", line 52, in <module>
    apparmor.do_logprof_pass(logmark)
  File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 2267, in do_logprof_pass
    handle_children('', '', root)
  File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 1245, in handle_children
    severity = sev_db.rank(exec_target, 'x')
  File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 134, in rank
    return self.handle_variable_rank(resource, mode)
  File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 147, in handle_variable_rank
    variable = regex_variable.search(resource).groups()[0]
AttributeError: 'NoneType' object has no attribute 'groups'


handle_variable_rank() checked with   if '@' in resource:
and if it finds it, expects it can match a variable, which means   @{.....}
If a filename contains a   @   this fails.

The patch fixes the if condition so that it does a regex match.

=== modified file 'utils/apparmor/severity.py'
--- utils/apparmor/severity.py  2014-02-13 18:01:03 +0000
+++ utils/apparmor/severity.py  2014-10-10 19:13:53 +0000
@@ -143,7 +143,7 @@
         """Returns the max possible rank for file resources containing variables"""
         regex_variable = re.compile('@{([^{.]*)}')
         rank = None
-        if '@' in resource:
+        if regex_variable.search(resource):
             variable = regex_variable.search(resource).groups()[0]
             variable = '@{%s}' % variable
             #variables = regex_variable.findall(resource)
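Review bot: the new condition and the line right after it each call regex_variable.search(resource), so the regex is evaluated twice for every resource that contains a variable; keep the match object instead, e.g. `match = regex_variable.search(resource)`, `if match:`, `variable = match.group(1)`. Since the crash only shows up when a plain filename contains an @ without braces, the audit.log-not-a-variable line quoted above is a ready-made regression test and should go into the test suite with this fix, otherwise the `'@' in resource` shortcut can quietly come back.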



Regards,

Christian Boltz
-- 
I had apparently, in a *late-after-midnight* security frenzy,
set all files in /bin to 700 root:root.
[imagine here one of those smileys that bangs its head against
the wall]   [Maik Bader in suse-linux]
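To make the failure mode above concrete, here is an added example (not code from the AppArmor utils, and not part of Christian's mail) that runs the pre-patch check and the patched check side by side over two constructed AVC lines: one whose name= field contains a bare @ in a filename, one that carries a real @{HOME} variable. The helper names resource_names, variable_before_fix, variable_after_fix and classify are hypothetical; only the @{([^{.]*)} pattern is taken from the patch.

```python
import re

# Same variable pattern as in the severity.py hunk: matches @{NAME}.
VARIABLE_RE = re.compile(r'@{([^{.]*)}')

# Constructed sample log lines (not captured from a real system):
# the first reproduces the "@ inside a filename" case from the mail,
# the second contains a genuine AppArmor variable.
SAMPLE_LOG = """\
type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist@disk" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"
type=AVC msg=audit(1407865079.884:216): apparmor="ALLOWED" operation="open" profile="/usr/bin/foo" name="@{HOME}/.ssh/id_rsa" pid=11833 comm="foo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

NAME_RE = re.compile(r'\bname="([^"]*)"')


def resource_names(log_text):
    """Pull the name="..." field out of every AVC line (hypothetical helper)."""
    return [m.group(1) for m in NAME_RE.finditer(log_text)]


def variable_before_fix(resource):
    """Pre-patch logic: any '@' is assumed to be the start of a variable,
    so search() returning None blows up with AttributeError."""
    if '@' in resource:
        return '@{%s}' % VARIABLE_RE.search(resource).groups()[0]
    return None


def variable_after_fix(resource):
    """Patched logic: only treat the resource as containing a variable when
    the @{...} regex actually matches; the match object is reused rather
    than running the regex a second time."""
    match = VARIABLE_RE.search(resource)
    if match:
        return '@{%s}' % match.group(1)
    return None


def classify(log_text):
    """Run both versions over every resource in the log; a crash in the
    old version is recorded as a string instead of propagating."""
    results = {}
    for name in resource_names(log_text):
        try:
            before = variable_before_fix(name)
        except AttributeError as err:
            before = 'AttributeError: %s' % err
        results[name] = (before, variable_after_fix(name))
    return results


if __name__ == '__main__':
    for name, (before, after) in classify(SAMPLE_LOG).items():
        print('%-28s before=%r  after=%r' % (name, before, after))
```

For /does/not/exist@disk the old check raises the same AttributeError that appears in the traceback above, while the patched check returns None and lets rank() fall through to the plain filename path; for the @{HOME} resource both versions agree on '@{HOME}', which is the behaviour the patch has to preserve.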
