[apparmor] aa.py: fix netrules_access_check()
Christian Boltz
apparmor at cboltz.de
Mon Oct 20 18:49:56 UTC 2014
Hello,
Am Sonntag, 19. Oktober 2014 schrieb Christian Boltz:
> netrules_access_check() in aa.py checks if
> type(netrules['rule'][family]) == dict
> however this check always returns false (at least with py3, I didn't
> test with py2).
>
> This broken type check is the reason for
> https://bugs.launchpad.net/apparmor/+bug/1380368
> aa-logprof doesn't propose abstractions for network rules
> and
> https://bugs.launchpad.net/apparmor/+bug/1380367
> aa-logprof asks for already existing network rules
>
> The following patch fixes both bugs:
> So the type check (or another check) is still needed. Any ideas how to
> implement it in a way that works?
After some discussion with Kshitij on #apparmor here's the working
patch.

Note that the type check itself is (nearly?) always true, but it's
needed as a safety net because in theory netrules['rule'][family] could
be boolean True - see line 2994.

The sock_type in .....keys() check is there to ensure the hasher doesn't
automagically add an empty sub-dict, which caused the regression in the
first version of my patch.
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2014-10-20 18:07:24 +0000
+++ utils/apparmor/aa.py 2014-10-20 18:40:53 +0000
@@ -4460,7 +4460,8 @@
if netrules['rule'].get(family, False) is True:
all_net_family = True
if (netrules['rule'].get(family, False) and
- type(netrules['rule'][family]) == dict and
+ type(netrules['rule'][family]) == type(hasher()) and
+ sock_type in netrules['rule'][family].keys() and
netrules['rule'][family][sock_type]):
net_family_sock = True
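Review bot: the new `type(netrules['rule'][family]) == type(hasher())` line ties the check to the exact class hasher() returns, so it would break again if hasher() were ever changed to return a plain dict or another dict subclass; since the message describes hasher() as an autovivifying dict, `isinstance(netrules['rule'][family], dict)` covers both a plain dict and a defaultdict-style hasher and still rejects the boolean-True case this line is meant to guard against. On the following line, `sock_type in netrules['rule'][family]` is equivalent to the `.keys()` form and avoids building the key view; the membership test itself is the right fix, because `in` does not trigger the hasher's automatic sub-dict creation while indexing does.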
Regards,
Christian Boltz
--
Programming today is a race between software engineers striving to build
bigger and better idiot-proof programs, and the Universe trying to
produce bigger and better idiots. So far, the Universe is winning.
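The three variants of the check discussed in this thread, as an added example that is not part of the mailing-list post or the AppArmor code base: the hasher() here is a constructed stand-in (assumed to be an autovivifying defaultdict, as the post implies), and the sample netrules structure is constructed with one existing "network inet stream" rule. It shows why the old `type(...) == dict` test never matches, and why indexing `[sock_type]` without the key-membership guard inserts an empty sub-dict as a side effect.

```python
from collections import defaultdict


def hasher():
    # Constructed stand-in for AppArmor's hasher(): an autovivifying dict
    # whose missing keys become nested hashers (assumed defaultdict-based).
    return defaultdict(hasher)


def build_netrules():
    # Constructed sample profile state: one existing rule, "network inet stream".
    netrules = {'rule': hasher()}
    netrules['rule']['inet']['stream'] = True
    return netrules


def check_old(netrules, family, sock_type):
    # The pre-patch check. type(x) == dict is False for a defaultdict, so the
    # condition can never become True and existing rules are never recognised.
    return bool(netrules['rule'].get(family, False) and
                type(netrules['rule'][family]) == dict and
                netrules['rule'][family][sock_type])


def check_without_key_guard(netrules, family, sock_type):
    # Correct type test, but indexing [sock_type] on an autovivifying dict
    # silently inserts an empty sub-dict for a sock_type that was not there.
    return bool(netrules['rule'].get(family, False) and
                type(netrules['rule'][family]) == type(hasher()) and
                netrules['rule'][family][sock_type])


def check_fixed(netrules, family, sock_type):
    # The patched logic: compare against the hasher's real type and test key
    # membership before indexing, so the lookup has no side effect.
    return bool(netrules['rule'].get(family, False) and
                type(netrules['rule'][family]) == type(hasher()) and
                sock_type in netrules['rule'][family].keys() and
                netrules['rule'][family][sock_type])


def autovivification_side_effect(check):
    # Run a check for a sock_type that is NOT in the rules and report whether
    # the lookup mutated the rules dict.
    netrules = build_netrules()
    check(netrules, 'inet', 'dgram')
    return 'dgram' in netrules['rule']['inet']


if __name__ == '__main__':
    rules = build_netrules()
    print('old check finds existing rule:  ', check_old(rules, 'inet', 'stream'))
    print('fixed check finds existing rule:', check_fixed(rules, 'inet', 'stream'))
    print('unguarded check mutates rules:  ',
          autovivification_side_effect(check_without_key_guard))
    print('fixed check mutates rules:      ',
          autovivification_side_effect(check_fixed))
```

Note that `.get(family, False)` on the outer hasher does not autovivify either, which is why the first clause was never part of the problem; only the bare `[sock_type]` index creates entries.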