mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00
Code Issues Releases Wiki Activity

aa-remove-unknown: abort on parser failure

Browse Source 
If apparmor_parser -N (in profiles_names_list()) fails,
aa-remove-unknown possibly gets an incomplete list of profiles in
/etc/apparmor.d/ and therefore might remove more profiles than it
should.

Replace the profiles_names_list() call with a direct apparmor_parser
call, and abort aa-remove-unknown if it exits with $? != 0

Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```

After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```

And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```
This commit is contained in:
Christian Boltz 2022-02-11 22:48:04 +01:00
parent e726ebe376
commit 5053a01d84
No known key found for this signature in database
GPG Key ID: C6A682EA63C82F1C
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
utils/aa-remove-unknown
View File

@ -78,7 +78,14 @@ fi
# parent. We *do* need to remove the child profile and not rely
# on removing the parent profile when the profile has had its
# child profile names changed.
profiles_names_list | awk '
LOADED_PROFILES=$("$PARSER" -N $PROFILE_DIRS) || {
ret=$?
echo 'apparmor_parser exited with failure, aborting.' >&2
exit $ret
}
echo "$LOADED_PROFILES" | awk '
BEGIN {
while (getline < "'${PROFILES}'" ) {
str = sub(/ \((enforce|complain)\)$/, "", $0);