
collapse_log(): avoid accidently initializing aa[profile]

... or calling is_known_rule() on events for non-existing hats.

It's the usual hasher() "fun" again - accessing a non-existing element
will create its parent.

In theory this commit might be worth a backport. In practice, it doesn't cause
any visible problem.

However, starting with the next commit, it will cause lots of test errors.

Also add a missing is_known_rule() call for dbus rules, which might have
caused similar hasher() "fun".

(Backported from 9f1b2f4014)
Christian Boltz
2020-05-20 20:06:27 +02:00
parent e038123f8f
commit 72c2a7d2de


@@ -1951,6 +1951,10 @@ def collapse_log():
for aamode in prelog.keys():
for profile in prelog[aamode].keys():
for hat in prelog[aamode][profile].keys():
# used to avoid to accidently initialize aa[profile][hat] or calling is_known_rule() on events for a non-existing profile
hat_exists = False
if aa.get(profile) and aa[profile].get(hat):
hat_exists = True
log_dict[aamode][profile][hat] = ProfileStorage(profile, hat, 'collapse_log()')
@@ -1976,12 +1980,12 @@ def collapse_log():
file_event = FileRule(path, mode, None, FileRule.ALL, owner=owner, log_event=True)
if not is_known_rule(aa[profile][hat], 'file', file_event):
if not hat_exists or not is_known_rule(aa[profile][hat], 'file', file_event):
log_dict[aamode][profile][hat]['file'].add(file_event)
for cap in prelog[aamode][profile][hat]['capability'].keys():
cap_event = CapabilityRule(cap, log_event=True)
if not is_known_rule(aa[profile][hat], 'capability', cap_event):
if not hat_exists or not is_known_rule(aa[profile][hat], 'capability', cap_event):
log_dict[aamode][profile][hat]['capability'].add(cap_event)
dbus = prelog[aamode][profile][hat]['dbus']
@@ -2004,20 +2008,21 @@ def collapse_log():
else:
raise AppArmorBug('unexpected dbus access: %s')
log_dict[aamode][profile][hat]['dbus'].add(dbus_event)
if not hat_exists or not is_known_rule(aa[profile][hat], 'dbus', dbus_event):
log_dict[aamode][profile][hat]['dbus'].add(dbus_event)
nd = prelog[aamode][profile][hat]['netdomain']
for family in nd.keys():
for sock_type in nd[family].keys():
net_event = NetworkRule(family, sock_type, log_event=True)
if not is_known_rule(aa[profile][hat], 'network', net_event):
if not hat_exists or not is_known_rule(aa[profile][hat], 'network', net_event):
log_dict[aamode][profile][hat]['network'].add(net_event)
ptrace = prelog[aamode][profile][hat]['ptrace']
for peer in ptrace.keys():
for access in ptrace[peer].keys():
ptrace_event = PtraceRule(access, peer, log_event=True)
if not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
if not hat_exists or not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
log_dict[aamode][profile][hat]['ptrace'].add(ptrace_event)
sig = prelog[aamode][profile][hat]['signal']
@@ -2025,7 +2030,7 @@ def collapse_log():
for access in sig[peer].keys():
for signal in sig[peer][access].keys():
signal_event = SignalRule(access, signal, peer, log_event=True)
if not is_known_rule(aa[profile][hat], 'signal', signal_event):
if not hat_exists or not is_known_rule(aa[profile][hat], 'signal', signal_event):
log_dict[aamode][profile][hat]['signal'].add(signal_event)
return log_dict
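Review bot: The `hat_exists` check at the top of the hat loop tests truthiness rather than membership, so a profile or hat that is present in `aa` but evaluates as false (an empty container, for instance) would be treated as missing and all of its events would bypass `is_known_rule()`. That errs on the safe side, because such events are proposed again instead of being dropped, but `hat_exists = profile in aa and hat in aa[profile]` states the intent directly and, assuming the hasher type handles `in` like a dict, still creates no entries. The guard `not hat_exists or not is_known_rule(...)` is now repeated for six rule types; a small local helper would make it harder for a future rule type to omit it, which the commit message says had happened with dbus. The body of collapse_log() starts before the first hunk, and the stretches between hunks are not shown.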