[apparmor] aa.py: fix netrules_access_check()
Christian Boltz
apparmor at cboltz.de
Sun Oct 19 20:34:03 UTC 2014
Hello,
[might need the patch from
[patch] aa.py: use correct variable in match_net_includes()
applied]
netrules_access_check() in aa.py checks if
type(netrules['rule'][family]) == dict
however this check always returns false (at least with py3, I didn't
test with py2).
This broken type check is the reason for
https://bugs.launchpad.net/apparmor/+bug/1380368
aa-logprof doesn't propose abstractions for network rules
and
https://bugs.launchpad.net/apparmor/+bug/1380367
aa-logprof asks for already existing network rules
The following patch fixes both bugs:
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2014-10-16 20:03:42 +0000
+++ utils/apparmor/aa.py 2014-10-19 19:09:49 +0000
@@ -4460,7 +4461,7 @@
if netrules['rule'].get(family, False) is True:
all_net_family = True
if (netrules['rule'].get(family, False) and
- type(netrules['rule'][family]) == dict and
+ # type(netrules['rule'][family]) == dict and # always False!
netrules['rule'][family][sock_type]):
net_family_sock = True
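Review bot: commenting out the type check in this hunk lets `netrules['rule'][family][sock_type]` run for any truthy family entry, including the literal `True` that the `is True` branch two lines above already handles, and subscripting a bool there raises TypeError rather than skipping the rule. The likely reason `type(netrules['rule'][family]) == dict` never matches is that the value is a dict subclass, and if that subclass is an autovivifying one, plain `[sock_type]` indexing would also insert the key as a side effect of merely checking it. Replacing the commented line with `isinstance(netrules['rule'][family], dict) and` and reading the socket type with `netrules['rule'][family].get(sock_type, False)` keeps the guard without the exact-type comparison and without the lookup side effect.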
Unfortunately this patch also introduces a regression - it adds more
than the user allowed:
# aa-logprof
Reading log entries from /var/log/audit/audit.log.
Aktualisiere AppArmor-Profile in /etc/apparmor.d.
Änderungen im complain-Modus
Profil: /home/sys-tmp/ping
Netzwerkfamilie: inet
Socket-Typ: dgram
[1 - #include <abstractions/nameservice>]
2 - network inet dgram
[(A)llow] / (D)eny / (I)gnorieren / Audi(t) / Abo(r)t / (F)inish
- pressed 2 -
Profil: /home/sys-tmp/ping
Netzwerkfamilie: inet
Socket-Typ: dgram
1 - #include <abstractions/nameservice>
[2 - network inet dgram]
[(A)llow] / (D)eny / (I)gnorieren / Audi(t) / Abo(r)t / (F)inish
- pressed (A)llow -
Netzwerkzugriff inet dgram wird zum Profil hinzugefügt.
Profil: /home/sys-tmp/ping
Netzwerkfamilie: inet
Socket-Typ: raw
[(A)llow] / (D)eny / (I)gnorieren / Audi(t) / Abo(r)t / (F)inish
- pressed (F)inish -
= Changed Local Profiles =
So far, so good. In theory, the profile should get "network inet dgram"
added. However, (V)iew changes displays:
--- /etc/apparmor.d/home.sys-tmp.ping 2014-10-19 21:27:51.179107612 +0200
+++ /tmp/tmpvzr1hl1d 2014-10-19 21:41:22.248311611 +0200
@@ -11,4 +11,7 @@
/home/sys-tmp/ping mr,
/run/nscd/* r,
+network inet dgram,
+network inet raw,
+
}
I have no idea why "network inet raw" was added, but it only happens
with the above patch applied. Therefore I'll self-NAK my patch ;-)
So the type check (or another check) is still needed. Any ideas how to
implement it in a way that works?
Regards,
Christian Boltz
--
Re: [bulk]: Re: [bulk]: Re: [bulk]: Re: [bulk]: Re: [bulk]: Re: [bulk]:
> That's roughly what the subject line looks like when the Re: [bulk]: Re:
> [bulk]: nonsense is kept going for a while longer.
People probably just wanted to outdo the equally idiotic subject "AW:
AW: AW: AW: AW:" of the last few days ;-)
[Martin Falley and Thomas Hertweck in suse-linux]
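To make the failure mode of the `type(...) == dict` check concrete, here is an added, stand-alone example; it is not code from Christian's mail or from the apparmor utils. It assumes (and this is an assumption, not something the mail states) that `netrules` is built with an autovivifying nested dict in the style of a recursive `collections.defaultdict`, here recreated as a small `hasher()` helper. The three check functions are hypothetical: `check_strict_type` mirrors the exact-type comparison from the mail, `check_no_type` mirrors the patch with that comparison commented out, and `netrules_access_check_fixed` is one way to keep a working guard using `isinstance` and `.get()`.

```python
import collections


def hasher():
    # Constructed stand-in for an autovivifying nested dict (assumption:
    # the real netrules structure behaves like this). Every missing key
    # silently becomes another empty hasher.
    return collections.defaultdict(hasher)


def check_strict_type(netrules, family, sock_type):
    # The check from the mail: type(x) == dict is False for every dict
    # subclass, so a defaultdict-backed structure never passes it.
    fam_rule = netrules['rule'].get(family, False)
    return bool(fam_rule and type(fam_rule) == dict and fam_rule[sock_type])


def check_no_type(netrules, family, sock_type):
    # The patched variant with the type check removed. Two problems:
    # 1. fam_rule may be the literal True (whole-family rule), and True[...]
    #    raises TypeError.
    # 2. fam_rule[sock_type] on an autovivifying dict inserts sock_type as
    #    a side effect of merely looking at it.
    fam_rule = netrules['rule'].get(family, False)
    return bool(fam_rule and fam_rule[sock_type])


def netrules_access_check_fixed(netrules, family, sock_type):
    """Hypothetical replacement guard (not the project's code).

    Returns (all_net_family, net_family_sock), mirroring the two flags the
    original code sets, without exact-type comparison and without touching
    keys that are not already present.
    """
    all_net_family = False
    net_family_sock = False
    fam_rule = netrules['rule'].get(family, False)
    if fam_rule is True:
        all_net_family = True
    elif isinstance(fam_rule, dict) and fam_rule.get(sock_type, False):
        net_family_sock = True
    return all_net_family, net_family_sock


if __name__ == '__main__':
    # Constructed sample: the profile already allows "network inet dgram".
    netrules = hasher()
    netrules['rule']['inet']['dgram'] = True
    print('strict type check:', check_strict_type(netrules, 'inet', 'dgram'))
    print('fixed check (dgram):', netrules_access_check_fixed(netrules, 'inet', 'dgram'))
    print('fixed check (raw):', netrules_access_check_fixed(netrules, 'inet', 'raw'))
    print('keys after fixed check:', sorted(netrules['rule']['inet']))
    check_no_type(netrules, 'inet', 'raw')
    print('keys after unguarded check:', sorted(netrules['rule']['inet']))
```

Running the block shows the strict check reporting False for a rule that is plainly present, the fixed guard answering dgram/raw correctly while leaving the key set untouched, and the unguarded lookup leaving a spurious `raw` key behind after a single query.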