ask_exec: ignore events for missing profiles

... and not only for events in missing hats. This fixes a crash if the log contains exec events for a hat where not even the parent profile exists.
2025-08-31 22:35:35 +00:00 · 2024-06-30 21:41:45 +02:00
parent 24d424fd3c
commit 7928c41685
1 changed files with 4 additions and 1 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -774,9 +774,12 @@ def ask_exec(hashlog):
                        raise AppArmorBug(
                            'exec permissions requested for directory %s (profile %s). This should not happen - please open a bugreport!' % (exec_target, full_profile))

-                    if not aa[profile].get(hat):
+                    if not aa.get(profile):
                        continue  # ignore log entries for non-existing profiles

+                    if not aa[profile].get(hat):
+                        continue  # ignore log entries for non-existing hats
+
                    exec_event = FileRule(exec_target, None, FileRule.ANY_EXEC, FileRule.ALL, owner=False, log_event=True)
                    if is_known_rule(aa[profile][hat], 'file', exec_event):
                        continue