mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 15:25:27 +00:00

Fix crash caused by ask_exec()

ask_exec still uses aa[profile][hat], therefore
- use full_profile when accessing hashlog
- correctly split the merged profile name to profile and hat
- avoid accidentally initializing non-existing aa[profile][hat]

This fixes a regression from converting lots of code to use flat
profile//hat array keys.

(cherry picked from commit 755b5d11e1)
Christian Boltz
2021-06-27 21:00:33 +02:00
parent caccb88a9b
commit abcf4a8756


@@ -812,22 +812,22 @@ def ask_exec(hashlog):
'''ask the user about exec events (requests to execute another program) and which exec mode to use''' '''ask the user about exec events (requests to execute another program) and which exec mode to use'''
for aamode in hashlog: for aamode in hashlog:
for profile in hashlog[aamode]: for full_profile in hashlog[aamode]:
if '//' in hashlog[aamode][profile]['final_name'] and hashlog[aamode][profile]['exec'].keys(): if '//' in hashlog[aamode][full_profile]['final_name'] and hashlog[aamode][full_profile]['exec'].keys():
# TODO: is this really needed? Or would removing Cx from the options be good enough? # TODO: is this really needed? Or would removing Cx from the options be good enough?
aaui.UI_Important('WARNING: Ignoring exec event in %s, nested profiles are not supported yet.' % hashlog[aamode][profile]['final_name']) aaui.UI_Important('WARNING: Ignoring exec event in %s, nested profiles are not supported yet.' % hashlog[aamode][full_profile]['final_name'])
continue continue
hat = profile # XXX temporary solution to avoid breaking the existing code profile, hat = split_name(full_profile) # XXX temporary solution to avoid breaking the existing code
for exec_target in hashlog[aamode][profile]['exec']: for exec_target in hashlog[aamode][full_profile]['exec']:
for target_profile in hashlog[aamode][profile]['exec'][exec_target]: for target_profile in hashlog[aamode][full_profile]['exec'][exec_target]:
to_name = '' to_name = ''
if os.path.isdir(exec_target): if os.path.isdir(exec_target):
raise AppArmorBug('exec permissions requested for directory %s. This should not happen - please open a bugreport!' % exec_target) raise AppArmorBug('exec permissions requested for directory %s. This should not happen - please open a bugreport!' % exec_target)
if not aa[profile][hat]: if not aa[profile].get(hat):
continue # ignore log entries for non-existing profiles continue # ignore log entries for non-existing profiles
exec_event = FileRule(exec_target, None, FileRule.ANY_EXEC, FileRule.ALL, owner=False, log_event=True) exec_event = FileRule(exec_target, None, FileRule.ANY_EXEC, FileRule.ALL, owner=False, log_event=True)
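Review bot: The new guard `if not aa[profile].get(hat):` still subscripts `aa[profile]`, so if `aa` is an autovivifying mapping (which the commit message's concern about accidentally initializing `aa[profile][hat]` suggests), a profile name that appears only in the log would still get an empty top-level entry. Because `profile` is derived from the `hashlog` keys via `split_name(full_profile)`, a lookup that creates nothing at either level, for example `if not aa.get(profile, {}).get(hat):`, would keep log content from adding entries to the loaded profile set. It would also help to extend the `# XXX temporary solution` comment to say what `split_name()` returns for a name without `//`, since the `.get(hat)` check depends on that. The body of `ask_exec` starts before and continues past this hunk, so any later use of `aa[profile][hat]` is not visible here and should be checked for the same issue.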