[apparmor] [patch] fix "Invalid mode found: /usr/lib64/firefox/firefox.sh"

Seth Arnold seth.arnold at canonical.com
Wed Oct 15 08:37:29 UTC 2014 

On Sun, Oct 12, 2014 at 08:31:42PM +0200, Christian Boltz wrote:
> Hello,
> 
> you probably heard of Stallmanu's strange crash with
>     Invalid mode found: /usr/lib64/firefox/firefox.sh
> on IRC.
> 
> After several hours of debugging and flooding paste.opensuse.org ;-) 
> I finally found the reason - reading(!) from log_dict with a wrong 
> parameter caused the creation of that strange mode in log_dict.keys().
> 
> While finding that bug was very hard, the fix is easy - just replace 
> "profile" with "aamode". (That probably makes one char per hour of 
> debugging...)
> 
> To improve that ratio, also add a warning to common.py so that this 
> interesting[tm] behaviour of hasher() is at least documented.
> 
> === modified file 'utils/apparmor/aa.py'
> --- utils/apparmor/aa.py        2014-10-11 21:30:46 +0000
> +++ utils/apparmor/aa.py        2014-10-12 18:00:20 +0000
> @@ -1938,7 +1938,7 @@
>                  #
>                  for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):
>                      # severity handling for net toggles goes here
> -                    for sock_type in sorted(log_dict[profile][profile][hat]['netdomain'][family].keys()):
> +                    for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):
>                          if profile_known_network(aa[profile][hat], family, sock_type):
>                              continue
>                          default_option = 1

Nice debugging, thanks. Add this one to the pile of motivators for moving
further away from the Perl roots. (Of course it's Python, we'd never get a
compile time error for things like this, sigh[1], but we can get something
at runtime at least...)

> === modified file 'utils/apparmor/common.py'
> --- utils/apparmor/common.py    2014-10-10 18:35:32 +0000
> +++ utils/apparmor/common.py    2014-10-12 18:01:40 +0000
> @@ -200,6 +200,8 @@
>  def hasher():
>      '''A neat alternative to perl's hash reference'''
>      # Creates a dictionary for any depth and returns empty dictionary otherwise
> +    # WARNING: when reading non-existing sub-dicts, empty dicts will be added.
> +    #          This might cause strange effects when using .keys()
>      return collections.defaultdict(hasher)
>  
>  def convert_regexp(regexp):

Or better yet, remove hasher() at some point in the future. This is highly
surprising behaviour. :)

Thanks

Acked-by: Seth Arnold <seth.arnold at canonical.com>  on both

[1]: I'm sure this windmill is getting tired. Look, it's just standing there!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20141015/5a06f39f/attachment.pgp>

More information about the AppArmor mailing list