parse_profile_start(): get rid of pps_set_profile

This value is True if we are in a child profile (not: hat), but that's information we get "for free", so there's no need to hand it around. Besides that, it was wrongly set to False for main profiles (which are not hats). Remove the pps_set_profile return value from parse_profile_start(), and always assume True unless we were parsing a hat. For completeness, explicitely set it to False when parsing a hat. To make sure child profiles and hats don't get mixed up, add a child profile to cleanprof_test.{in,out}. test-libapparmor-test_multi.py always interpreted foo//bar as being a hat, therefore explicitely mark them as such. (Technically not really needed since this is the default, but it helps to make things clear.)
2025-08-30 22:05:27 +00:00 · 2021-04-12 13:02:58 +02:00
parent a7816e1a8f
commit e1af0cdeca
5 changed files with 26 additions and 19 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1783,7 +1783,6 @@ def parse_profile_start(line, file, lineno, profile, hat):
                    'profile': profile, 'file': file, 'line': lineno + 1 })

        hat = matches['profile']
-        pps_set_profile = True
        pps_set_hat_external = False

    else:  # stand-alone profile
@@ -1797,25 +1796,22 @@ def parse_profile_start(line, file, lineno, profile, hat):
            hat = profile
            pps_set_hat_external = False

-        pps_set_profile = False
-
    attachment = matches['attachment']
    flags = matches['flags']
    xattrs = matches['xattrs']

-    return (profile, hat, attachment, xattrs, flags, pps_set_profile, pps_set_hat_external)
+    return (profile, hat, attachment, xattrs, flags, pps_set_hat_external)

 def parse_profile_start_to_storage(line, file, lineno, profile, hat):
    ''' parse a profile start line (using parse_profile_startline()) and convert it to a ProfileStorage '''

-    (profile, hat, attachment, xattrs, flags, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)
+    (profile, hat, attachment, xattrs, flags, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)

    prof_storage = ProfileStorage(profile, hat, 'parse_profile_data() profile_start')

+    prof_storage['profile'] = True
    if attachment:
        prof_storage['attachment'] = attachment
-    if pps_set_profile:
-        prof_storage['profile'] = True
    if pps_set_hat_external:
        prof_storage['external'] = True

@@ -2023,6 +2019,7 @@ def parse_profile_data(data, file, do_include, in_preamble):
            if not profile_data.get(profname, False):
                profile_data[profname] = ProfileStorage(profile, hat, 'parse_profile_data() hat_def')
                profile_data[profname]['filename'] = file
+                profile_data[profname]['profile'] = False

            flags = matches.group('flags')

--- a/utils/test/cleanprof_test.in
+++ b/utils/test/cleanprof_test.in
@@ -47,6 +47,10 @@ $foo = false
    dbus send bus=session,
    dbus send bus=session peer=(label=foo),

+    profile test_child /foobar {
+            /etc/child rw,
+            }
+
    set rlimit nofile <= 256,
    set rlimit nofile <= 64,

--- a/utils/test/cleanprof_test.out
+++ b/utils/test/cleanprof_test.out
@@ -52,6 +52,11 @@ $bar = true
    /etc/fstab r,

  }
+
+  profile test_child /foobar {
+    /etc/child rw,
+
+  }
 }
 /usr/bin/other/cleanprof/test/profile {
  allow /home/*/** rw,
--- a/utils/test/test-aa.py
+++ b/utils/test/test-aa.py
@@ -484,16 +484,16 @@ class AaTest_is_skippable_file(AATest):

 class AaTest_parse_profile_start(AATest):
    tests = [
-        # profile start line                                    profile hat          profile                    hat                attachment   xattrs                      flags       pps_set_profile, pps_set_hat_external
-        (('/foo {',                                             None,   None),      ('/foo',                    '/foo',                 None,   None,                       None,       False,           False)),
-        (('/foo (complain) {',                                  None,   None),      ('/foo',                    '/foo',                 None,   None,                       'complain', False,           False)),
-        (('profile foo /foo {',                                 None,   None),      ('foo',                     'foo',                  '/foo', None,                       None,       False,           False)),            # named profile
-        (('profile /foo {',                                     '/bar', None),      ('/bar',                    '/foo',                 None,   None,                       None,       True,            False)),            # child profile
-        (('/foo//bar {',                                        None,   None),      ('/foo',                    'bar',                  None,   None,                       None,       False,           True )),            # external hat
-        (('profile "/foo" (complain) {',                        None,   None),      ('/foo',                    '/foo',                 None,   None,                       'complain', False,           False)),
-        (('profile "/foo" xattrs=(user.bar=bar) {',             None,   None),      ('/foo',                    '/foo',                 None,   'user.bar=bar',             None,       False,           False)),
-        (('profile "/foo" xattrs=(user.bar=bar user.foo=*) {',  None,   None),      ('/foo',                    '/foo',                 None,   'user.bar=bar user.foo=*',  None,       False,           False)),
-        (('/usr/bin/xattrs-test xattrs=(myvalue="foo.bar") {',  None,   None),      ('/usr/bin/xattrs-test',    '/usr/bin/xattrs-test', None,   'myvalue="foo.bar"',        None,       False,           False)),
+        # profile start line                                    profile hat          profile                    hat                attachment   xattrs                      flags       pps_set_hat_external
+        (('/foo {',                                             None,   None),      ('/foo',                    '/foo',                 None,   None,                       None,       False)),
+        (('/foo (complain) {',                                  None,   None),      ('/foo',                    '/foo',                 None,   None,                       'complain', False)),
+        (('profile foo /foo {',                                 None,   None),      ('foo',                     'foo',                  '/foo', None,                       None,       False)),            # named profile
+        (('profile /foo {',                                     '/bar', None),      ('/bar',                    '/foo',                 None,   None,                       None,       False)),            # child profile
+        (('/foo//bar {',                                        None,   None),      ('/foo',                    'bar',                  None,   None,                       None,       True )),            # external hat
+        (('profile "/foo" (complain) {',                        None,   None),      ('/foo',                    '/foo',                 None,   None,                       'complain', False)),
+        (('profile "/foo" xattrs=(user.bar=bar) {',             None,   None),      ('/foo',                    '/foo',                 None,   'user.bar=bar',             None,       False)),
+        (('profile "/foo" xattrs=(user.bar=bar user.foo=*) {',  None,   None),      ('/foo',                    '/foo',                 None,   'user.bar=bar user.foo=*',  None,       False)),
+        (('/usr/bin/xattrs-test xattrs=(myvalue="foo.bar") {',  None,   None),      ('/usr/bin/xattrs-test',    '/usr/bin/xattrs-test', None,   'myvalue="foo.bar"',        None,       False)),
    ]

    def _run_test(self, params, expected):
@@ -511,8 +511,8 @@ class AaTest_parse_profile_start(AATest):
            self.assertEqual(prof_storage['attachment'],    expected[2])
        self.assertEqual(prof_storage['xattrs'],        expected[3])
        self.assertEqual(prof_storage['flags'],         expected[4])
-        self.assertEqual(prof_storage['profile'],       expected[5])
-        self.assertEqual(prof_storage['external'],      expected[6])
+        self.assertEqual(prof_storage['profile'],       True)
+        self.assertEqual(prof_storage['external'],      expected[5])

 class AaTest_parse_profile_start_errors(AATest):
    tests = [
--- a/utils/test/test-libapparmor-test_multi.py
+++ b/utils/test/test-libapparmor-test_multi.py
@@ -256,6 +256,7 @@ def logfile_to_profile(logfile):
        # (in "normal" usage outside of this test, log_dict will not be handed over to serialize_profile())

        log_dict[aamode][profile] = apparmor.aa.ProfileStorage('TEST DUMMY for empty parent profile', profile_dummy_file, 'logfile_to_profile()')
+        log_dict[aamode][parsed_event['profile']]['profile'] = False  # for historical reasons, generate hats, not child profiles

    log_is_empty = True