[apparmor] regression introduced by this series
Steve Beattie
steve at nxnw.org
Tue Sep 27 00:40:37 UTC 2016
On Fri, Aug 12, 2016 at 10:40:39PM +0200, Christian Boltz wrote:
> this patch series introduces the FileRule and FileRuleset classes and
> changes several code sections to use these classes instead of the old
> 'path' hasher.
>
> the switch to FileRule made some bugs visible that survived unnoticed
> with hasher for years.

I've found a regression that occurs once patch
14-switch-to-FileRule.diff is applied (but still occurs with the entire
sequence applied), and occurs under either python2 or python3.

When merging two profiles that contain the following:

== PROFILE A ==
#include <tunables/global>
/usr/lib/postfix/smtpd {
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>
  capability dac_override,
  capability dac_read_search,
  /usr/lib/postfix/smtpd rix,
  /usr/sbin/postdrop rpx,
}
== PROFILE B ==
#include <tunables/global>
/usr/lib/postfix/smtpd {
  #include <abstractions/openssl>
  capability dac_override,
  capability dac_read_search,
  /usr/lib/postfix/smtpd rmix,
  /usr/sbin/postdrop rPx,
}
== END PROFILES ==
i.e. their differences are:
--- usr.lib.postfix.smtpd 2016-09-26 17:30:35.848884709 -0700
+++ ../usr.lib.postfix.smtpd 2016-09-26 17:30:44.620874325 -0700
@@ -12,13 +12,12 @@
#include <tunables/global>
/usr/lib/postfix/smtpd {
- #include <abstractions/ssl_certs>
- #include <abstractions/ssl_keys>
+ #include <abstractions/openssl>
capability dac_override,
capability dac_read_search,
- /usr/lib/postfix/smtpd rix,
- /usr/sbin/postdrop rpx,
+ /usr/lib/postfix/smtpd rmix,
+ /usr/sbin/postdrop rPx,
}
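
Review bot: this reproducer changes three things at once: the include
swap (ssl_certs and ssl_keys replaced by abstractions/openssl), the added
"m" on /usr/lib/postfix/smtpd, and the rpx to rPx exec mode on
/usr/sbin/postdrop. The traceback further down raises
KeyError: 'abstractions/openssl' while checking the
"/usr/lib/postfix/smtpd rmix," rule, so a profile pair that differs only
in the include plus one file rule would show whether the postdrop mode
conflict is needed to trigger the failure.
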
Running aa-mergeprof fails, if the added include for
abstractions/openssl is allowed, followed by adjusting the postdrop
permissions, like so:
== BEGIN OUTPUT ==
Merging profile for /usr/lib/postfix/smtpd
File includes: Select the ones you wish to add
[1 - #include <abstractions/openssl>]
[(A)llow] / (I)gnore / Abo(r)t / (F)inish
Adding #include <abstractions/openssl> to the file.
Path: /usr/sbin/postdrop
Select the appropriate mode:
[1 - /usr/sbin/postdrop rpx,]
2 - /usr/sbin/postdrop rPx,
(A)llow / Abo(r)t
Path: /usr/sbin/postdrop
Select the appropriate mode:
1 - /usr/sbin/postdrop rpx,
[2 - /usr/sbin/postdrop rPx,]
(A)llow / Abo(r)t
Traceback (most recent call last):
File "./aa-mergeprof", line 457, in <module>
main()
File "./aa-mergeprof", line 126, in main
act([user_file, base_file, None], 2, profile_name)
File "./aa-mergeprof", line 144, in act
mergeprofiles.ask_the_questions('base', merging_profile)
File "./aa-mergeprof", line 331, in ask_the_questions
if is_known_rule(aa[profile][hat], ruletype, rule_obj):
File "${HOME}/bzr/apparmor-master/utils/apparmor/aa.py", line 3498, in is_known_rule
if include[incname][incname].get(rule_type, False):
KeyError: 'abstractions/openssl'
An unexpected error occoured!
For details, see /tmp/apparmor-bugreport-03m_vh3s.txt
Please consider reporting a bug at https://bugs.launchpad.net/apparmor/
and attach this file.
== END OUTPUT ==
and here's the contents of the bugreport file. Hope this all helps track
down what's gone wrong:
KeyError
Python 3.5.2: /usr/bin/python3
Mon Sep 26 17:32:12 2016
A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.
${HOME}/bzr/apparmor-master/utils/aa-mergeprof in <module>()
448
449 edit_rule_obj.store_edit(newpath)
450 options, default_option = add_to_options(options, edit_rule_obj.get_raw())
451 apparmor.aa.user_globs[newpath] = AARE(newpath, True)
452
453 else:
454 done = False
455
456 if __name__ == '__main__':
457 main()
main = <function main>
${HOME}/bzr/apparmor-master/utils/aa-mergeprof in main()
121 continue
122
123 act([user_file, other_file, None], 2, profile_name)
124 else:
125 if other_file == None:
126 act([user_file, base_file, None], 2, profile_name)
127 else:
128 act([user_file, base_file, other_file], 3, profile_name)
129
130 reset_aa()
global act = <function act>
user_file = '${HOME}/tmp/aa-mergeprof-regression/usr.lib.postfix.smtpd'
base_file = '${HOME}/tmp/usr.lib.postfix.smtpd'
profile_name = '/usr/lib/postfix/smtpd'
${HOME}/bzr/apparmor-master/utils/aa-mergeprof in act(files=['${HOME}/tmp/aa-mergeprof-regression/usr.lib.postfix.smtpd', '${HOME}/tmp/usr.lib.postfix.smtpd', None], merge_mode=2, merging_profile='/usr/lib/postfix/smtpd')
139 if merge_mode == 3:
140 mergeprofiles.ask_the_questions('other', merging_profile)
141
142 mergeprofiles.clear_common()
143
144 mergeprofiles.ask_the_questions('base', merging_profile)
145
146 q = aaui.PromptQuestion()
147 q.title = _('Changed Local Profiles')
148 q.explanation = _('The following local profiles were changed. Would you like to save them?')
mergeprofiles = <__main__.Merge object>
mergeprofiles.ask_the_questions = <bound method Merge.ask_the_questions of <__main__.Merge object>>
merging_profile = '/usr/lib/postfix/smtpd'
${HOME}/bzr/apparmor-master/utils/aa-mergeprof in ask_the_questions(self=<__main__.Merge object>, other=<apparmor.cleanprofile.Prof object>, profile='/usr/lib/postfix/smtpd')
326
327 for ruletype in apparmor.aa.ruletypes:
328 if other.aa[profile][hat].get(ruletype, False): # needed until we have proper profile initialization
329 for rule_obj in other.aa[profile][hat][ruletype].rules:
330
331 if is_known_rule(aa[profile][hat], ruletype, rule_obj):
332 continue
333
334 default_option = 1
335 options = []
global is_known_rule = <function is_known_rule>
aa = defaultdict(<function hasher at 0x7efff9045268>,...mergeprof-regression/usr.lib.postfix.smtpd'})})})
profile = '/usr/lib/postfix/smtpd'
hat = '/usr/lib/postfix/smtpd'
ruletype = 'file'
rule_obj = <FileRule> /usr/lib/postfix/smtpd rmix,
${HOME}/bzr/apparmor-master/utils/apparmor/aa.py in is_known_rule(profile=defaultdict(<function hasher at 0x7efff9045268>,.../aa-mergeprof-regression/usr.lib.postfix.smtpd'}), rule_type='file', rule_obj=<FileRule> /usr/lib/postfix/smtpd rmix,)
3493 checked.append(incname)
3494
3495 if os.path.isdir(profile_dir + '/' + incname):
3496 includelist += include_dir_filelist(profile_dir, incname)
3497 else:
3498 if include[incname][incname].get(rule_type, False):
3499 if include[incname][incname][rule_type].is_covered(rule_obj, False):
3500 return True
3501
3502 for childinc in include[incname][incname]['include'].keys():
global include = {'abstractions/ssl_certs': defaultdict(<function hasher at 0x7efff9045268>,...nclude'}, 'rlimit': <RlimitRuleset (empty) />})}), 'abstractions/ssl_keys': defaultdict(<function hasher at 0x7efff9045268>,...nclude'}, 'rlimit': <RlimitRuleset (empty) />})}), 'tunables/alias': defaultdict(<function hasher at 0x7efff9045268>,...ables/alias', 'dbus': <DbusRuleset (empty) />})}), 'tunables/global': defaultdict(<function hasher at 0x7efff9045268>,...mpty) />, 'rlimit': <RlimitRuleset (empty) />})}), 'tunables/home': defaultdict(<function hasher at 0x7efff9045268>,...e/'}, '@{HOME}': {'@{HOMEDIRS}/*/', '/root/'}})}), 'tunables/home.d/site.local': defaultdict(<function hasher at 0x7efff9045268>,.../site.local', 'dbus': <DbusRuleset (empty) />})}), 'tunables/kernelvars': defaultdict(<function hasher at 0x7efff9045268>,..., '@{tid}': {'@{pid}'}, '@{pids}': {'@{pid}'}})}), 'tunables/multiarch': defaultdict(<function hasher at 0x7efff9045268>,...ff9045268>, {'@{multiarch}': {'*-linux-gnu*'}})}), 'tunables/multiarch.d/site.local': defaultdict(<function hasher at 0x7efff9045268>,.../site.local', 'dbus': <DbusRuleset (empty) />})}), 'tunables/proc': defaultdict(<function hasher at 0x7efff9045268>,...er at 0x7efff9045268>, {'@{PROC}': {'/proc/'}})}), ...}
incname = 'abstractions/openssl'
].get undefined
rule_type = 'file'
KeyError: 'abstractions/openssl'
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
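
Added example (not part of the original message and not AppArmor's own code): a simplified model of the lookup pattern shown at aa.py line 3498 in the traceback, where an include accepted during the merge is missing from the include cache. It assumes the accepted include was appended to the profile without being loaded; FileRules, ON_DISK, ensure_loaded and merge_scenario are hypothetical names and the rule contents are constructed.

```python
from collections import defaultdict

def hasher():
    """Auto-vivifying dict, like the 'hasher' named in the traceback."""
    return defaultdict(hasher)

class FileRules:
    """Constructed stand-in for a file ruleset: exact (path, mode) match only."""
    def __init__(self, *rules):
        self.rules = set(rules)
    def is_covered(self, rule):
        return rule in self.rules

# Constructed abstraction contents; real abstractions are files on disk.
ON_DISK = {
    "abstractions/ssl_certs": FileRules(("/etc/ssl/certs/**", "r")),
    "abstractions/openssl": FileRules(("/etc/ssl/openssl.cnf", "r")),
}

def ensure_loaded(cache, incname):
    """Hypothetical loader: parse an include into the cache if it is absent."""
    if incname not in cache:
        cache[incname] = hasher()
        cache[incname][incname]["file"] = ON_DISK[incname]

def is_known_rule(cache, profile, rule, load_missing=False):
    """Return True if the rule is covered by the profile or one of its includes."""
    if profile["file"].is_covered(rule):
        return True
    for incname in profile["include"]:
        if load_missing:
            ensure_loaded(cache, incname)
        # Top-level cache is a plain dict: an include never loaded raises KeyError.
        rules = cache[incname][incname].get("file", False)
        if rules and rules.is_covered(rule):
            return True
    return False

def merge_scenario(load_missing):
    """Load profile A's include, accept B's new include, then check a rule."""
    cache = {}
    ensure_loaded(cache, "abstractions/ssl_certs")
    profile = {"file": FileRules(("/usr/sbin/postdrop", "rpx")),
               "include": ["abstractions/ssl_certs"]}
    profile["include"].append("abstractions/openssl")  # user chose (A)llow
    try:
        return is_known_rule(cache, profile, ("/etc/ssl/openssl.cnf", "r"), load_missing)
    except KeyError as exc:
        return "KeyError: %r" % exc.args[0]
```

merge_scenario(False) reproduces the failure seen in the report; merge_scenario(True) loads the include before the lookup and the rule is found to be covered.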