[apparmor] [patch] Ignore change hat declarations when parsing a profile
Christian Boltz
apparmor at cboltz.de
Sun Jun 7 12:25:51 UTC 2015
Hello,
Hat declarations ("^hat,") were added in 2.3 for declaring external
hats, but in the meantime aren't supported by the parser anymore (tested
with 2.9.2 parser).
Additionally, if a profile contains both a hat declaration and the hat
("^hat { ...}"), the hat declaration can overwrite the content of the
hat on a "last one wins" basis.
This is caused by setting 'declared' to True, which means write_piece()
will only write the "^hat," line, but not the "^hat { ... }" block.
Therefore no longer set 'declared' to True, print a warning that hat
declarations are no longer supported, and ignore the rule. This also
means that running aa-cleanprof can make the profile valid again :-)
Also no longer change 'hat' when hitting a profile declaration, which
also looks wrong.
Note: This change removes the only usage of 'declared'. A follow-up
patch (trunk only) will completely remove the 'declared' handling.
Reproducer profile (run aa-cleanprof on it):
(will crash in remove_duplicate_rules() 80% of the time - if so, try
multiple times. One of the next patches will fix that. Or just try 2.9,
which doesn't have the crash in remove_duplicate_rules().)
/usr/bin/true {
  ^FOO {
    capability setgid,
  }

  # deletes the content of ^FOO when saving the profile! (last one wins)
  # additionally, the parser says this is invalid syntax
  ^FOO,
}
See also the "Hat declarations" thread on the ML,
https://lists.ubuntu.com/archives/apparmor/2015-June/008107.html
I propose this patch for trunk and 2.9.
[ 46-obsolete-change-hat.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-06-06 14:54:10.584133536 +0200
+++ utils/apparmor/aa.py 2015-06-07 13:06:52.764908018 +0200
@@ -2992,11 +2992,8 @@
if not profile:
raise AppArmorException(_('Syntax Error: Unexpected change hat declaration found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
- hat = matches[0]
- hat = strip_quotes(hat)
-
- if not profile_data[profile][hat].get('declared', False):
- profile_data[profile][hat]['declared'] = True
+ aaui.UI_Important(_('Ignoring no longer supported change hat declaration "^%(hat)s," found in file: %(file)s line: %(line)s') % {
+ 'hat': matches[0], 'file': file, 'line': lineno + 1 })
elif RE_PROFILE_HAT_DEF.search(line):
# An embedded hat syntax definition starts
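Review bot: the new warning on the `+ aaui.UI_Important(...)` line reports `matches[0]` raw, while the removed code first passed it through `strip_quotes(hat)`; for a quoted declaration the message will now show the quotes, so consider `'hat': strip_quotes(matches[0])` to keep the printed name consistent with how the hat is named elsewhere. The `if not profile:` syntax-error check above the hunk is unchanged and still fires before the warning, which is correct: a declaration outside a profile remains an error rather than an ignored rule.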
Regards,
Christian Boltz
--
> Unfortunately it's the case that once you've taken down one spammer,
> three new ones show up.
It's like with flies. Swat one, and 40 come to the funeral. ;)
[> Martin Mewes and Michael Raab in suse-linux]