[apparmor] [patch] fix "list index out of range" when allowing inet rules

Christian Boltz apparmor at cboltz.de
Tue Oct 14 19:34:16 UTC 2014 

Hello,

Am Dienstag, 14. Oktober 2014 schrieb Steve Beattie:
> On Sun, Oct 12, 2014 at 08:45:44PM +0200, Christian Boltz wrote:
> > another (this time easy) bug found by Stallmanu:
> > 
> > When adding inet rules in aa-logprof, it crashes with
> > 
> >     IndexError: list index out of range
> > 
> > The reason is that it doesn't display the options if only the raw
> > rule is available (aka "no abstraction").
> > 
> > This patch checks if options[] is set and otherwise sets selection
> > to
> > the raw rule.
> > 
> > As an alternative, we could always display the options - even if
> > only
> > one option is available. Opinions?
> 
> I think I'm okay with this patch as is, though I don't know this code
> well enough to know what "display the options" means; I thought the
> CMD_ALLOW indicated that the user had already accepted a choice, but
> probably that's my misunderstanding. Would adding it to the options
> list give the user the opportunity to modify the proposed rule (e.g.
> shorten 'network inet dgram,' down to 'network inet' say) and not
> adding it prevent that? Because if so, then I think we ought to offer
> the option.

Basically we are talking about (current status)


Complain-mode changes:

Profile:        /home/sys-tmp/ping
Network Family: inet
Socket Type:    dgram

[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish


vs. ("always display options")


Complain-mode changes:

Profile:        /home/sys-tmp/ping
Network Family: inet
Socket Type:    dgram

  [1] network inet dgram

[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish


Note the added "[1] network inet dgram" line.

Until now, you are probably the first who thought about offering (G)lob 
for network rules. That's a nice idea, but a different topic ;-)
I opened https://bugs.launchpad.net/apparmor/+bug/1381202 to make sure 
we don't forget it.

> (But I can live with the patch as is, so
> Acked-by: Steve Beattie <steve at nxnw.org> if you don't want to do
> that.)

I just commited it to get the crash fixed. 

If we decide to always display the options (even if only one is 
available), we can easily revert to the previous code without the "if 
options:" check.


Regards,

Christian Boltz
-- 
> Ist das sone Art wie cat sigdatei | grep suchstring?
Oh nein - nicht schon wieder! Hilfeeee, Doktor! Ich sehe
schon wieder so einen unnötigen cat ;-)
[> Michael Raab und Jan Trippler in suse-linux]

More information about the AppArmor mailing list