[apparmor] [patch] [39/38] Ignore exec events for non-existing profiles
Steve Beattie
steve at nxnw.org
Mon Sep 26 23:49:11 UTC 2016
On Sun, Aug 14, 2016 at 09:28:18PM +0200, Christian Boltz wrote:
> the switch to FileRule made some bugs visible that survived unnoticed
> with hasher for years.
>
> If aa-logprof sees an exec event for a non-existing profile _and_ a
> profile file matching the expected profile filename exists in
> /etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
> being silent). In the old code, this created a superfluous entry
> somewhere in the aa hasher, and caused the existing profile to be
> rewritten (without changes).
>
> However, with FileRule it causes a crash saying
>
> File ".../utils/apparmor/aa.py", line 1335, in handle_children
> aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
> AttributeError: 'collections.defaultdict' object has no attribute 'add'
>
> This patch makes sure exec events for unknown profiles get ignored.
>
> Reproducer:
>
> python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
>
> This causes a crash without this patch because
> /etc/apparmor.d/sbin.klogd exists, but has
> profile klogd /{usr/,}sbin/klogd {
>
> Even if it's unlikely that users hit this bug in the wild, I also
> propose this patch for 2.10 and 2.9.
Acked-by: Steve Beattie <steve at nxnw.org> for all three. Thanks.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
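The failure mode described in the quoted report, as an added illustration that is not AppArmor's own code and not the patch under discussion: a nested defaultdict "hasher" auto-vivifies any profile name it is indexed with, so an exec event for a profile the tool never loaded silently creates an entry and, once the leaf is expected to be a rule set with an add() method, crashes with AttributeError. The example below parses the reproducer event quoted above with a minimal key="value" extractor (not the real apparmor.logparser), models loaded profiles under the name they declare (the quoted profile file declares itself as klogd, so the event's /sbin/klogd is unknown to the tool), and shows an unchecked handler beside one that tests membership first and ignores events for unknown profiles. Names such as FileRuleset, new_profile_store and handle_exec_event are assumptions of this example, not the project's API.

```python
import re
from collections import defaultdict

# Constructed sample: the reproducer event quoted in the report (one audit line).
SAMPLE_EVENT = (
    'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" '
    'profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"'
)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Minimal key="value" extractor for audit lines (assumption: not the real log parser)."""
    return dict(FIELD_RE.findall(line))


def split_profile(profile_field):
    """'/foo//hat' -> ('/foo', 'hat'); a profile without a hat uses its own name as hat."""
    if '//' in profile_field:
        profile, hat = profile_field.split('//', 1)
        return profile, hat
    return profile_field, profile_field


class FileRuleset:
    """Stand-in for a rule container that exposes add(); hypothetical name."""

    def __init__(self):
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)


def new_profile_store():
    # Nested defaultdicts: indexing an unknown key creates it instead of raising KeyError.
    # The leaf for a loaded profile is replaced by a FileRuleset; for an unknown profile
    # the innermost factory hands back an empty dict, which has no add() method.
    return defaultdict(lambda: defaultdict(lambda: defaultdict(dict)))


def load_profile(aa, profile, hat=None):
    """Register a profile under the name it declares in its profile file."""
    hat = hat or profile
    aa[profile][hat]['file'] = FileRuleset()


def handle_exec_event_unchecked(aa, line):
    """Old behaviour: index straight into the store and call add() on whatever comes back."""
    ev = parse_event(line)
    profile, hat = split_profile(ev['profile'])
    # For an unknown profile this lookup auto-vivifies aa[profile][hat] and then fails,
    # because the leaf is a plain dict rather than a FileRuleset.
    aa[profile][hat]['file'].add((ev['name'], ev['requested_mask']))
    return 'added'


def handle_exec_event(aa, line):
    """Checked behaviour: only profiles that were actually loaded receive rules."""
    ev = parse_event(line)
    if ev.get('operation') != 'exec':
        return 'not-exec'
    profile, hat = split_profile(ev['profile'])
    # Membership tests on a defaultdict do not create keys, so this is side-effect free.
    if profile not in aa or hat not in aa[profile]:
        return 'ignored-unknown-profile'
    aa[profile][hat]['file'].add((ev['name'], ev['requested_mask']))
    return 'added'


def demo_unchecked(line):
    """Run the unchecked handler on a fresh store; report the error and whether the
    profile name was auto-vivified as a side effect."""
    aa = new_profile_store()
    profile, _ = split_profile(parse_event(line)['profile'])
    try:
        handle_exec_event_unchecked(aa, line)
    except AttributeError as exc:
        return type(exc).__name__, profile in aa
    return None, profile in aa


if __name__ == '__main__':
    store = new_profile_store()
    load_profile(store, 'klogd')  # declared name from the quoted profile file
    print(handle_exec_event(store, SAMPLE_EVENT))  # the event names /sbin/klogd: ignored
    print(demo_unchecked(SAMPLE_EVENT))            # AttributeError plus a stray entry
```

The membership check is the whole fix: `in` on a defaultdict is a pure read, whereas `aa[profile]` is a write, which is why the old hasher-based code grew spurious entries and rewrote an unchanged profile file while never erroring.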