From 57ee8ee5b2464126b51da7eccbb0f16f5c0070d4 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Thu, 16 Apr 2015 13:10:44 +0200
Subject: [PATCH] Fix crash in serialize_profile_from_old_profiles()

Assume you have a profile like

    /bin/foo {
      /etc/ r,
      network,
      /usr/ r,
    }

(important: there must be be a non-path rule between the two path blocks)

Then run aa-logprof and add another path event. When choosing (V)iew changes,
it will crash with a misleading

  File ".../utils/apparmor/aamode.py", line 205, in split_mode
      other = mode - user
      TypeError: unsupported operand type(s) for -: 'collections.defaultdict' and 'set'

The reason for this is our beloved hasher, which is playing funny games
another time.

The patch wraps the hasher usage with a check for the parent element to
avoid auto-creation of empty childs, which then lead to the above crash.


BTW: This is another issue uncovered by the LibreOffice profile ;-)


Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
---
 utils/apparmor/aa.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 97e70a04f..f65abc16e 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -4129,14 +4129,17 @@ def serialize_profile_from_old_profile(profile_data, name, options):
                 else:
                     tmpmode = str_to_mode(mode)
 
-                if not write_prof_data[hat][allow]['path'][path].get('mode', set()) & tmpmode:
+                if not write_prof_data[hat][allow]['path'].get(path):
                     correct = False
+                else:
+                    if not write_prof_data[hat][allow]['path'][path].get('mode', set()) & tmpmode:
+                        correct = False
 
-                if nt_name and not write_prof_data[hat][allow]['path'][path].get('to', False) == nt_name:
-                    correct = False
+                    if nt_name and not write_prof_data[hat][allow]['path'][path].get('to', False) == nt_name:
+                        correct = False
 
-                if audit and not write_prof_data[hat][allow]['path'][path].get('audit', set()) & tmpmode:
-                    correct = False
+                    if audit and not write_prof_data[hat][allow]['path'][path].get('audit', set()) & tmpmode:
+                        correct = False
 
                 if correct:
                     if not segments['path'] and True in segments.values():