Simplify handling of in_contained_hat

in_contained_hat is needed to know if we are already in a profile or not. (Simply checking if we are in a hat doesn't work, because something like "profile foo//bar" will set profile and hat at once, and later (wrongfully) expect another "}". However, the way how this variable was set became too complicated. To simplify the code, set in_contained_hat directly in parse_profile_data() RE_PROFILE_START instead of returning it via parse_profile_start() and parse_profile_start_to_storage() Since this change removes a return value from two functions, also adjust the tests accordingly.
2025-09-04 00:05:14 +00:00 · 2021-02-14 20:09:31 +01:00
parent 7cfda2772d
commit f7a365f89f
2 changed files with 26 additions and 21 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1788,7 +1788,6 @@ def parse_profile_start(line, file, lineno, profile, hat):
                    'profile': profile, 'file': file, 'line': lineno + 1 })
        hat = matches['profile']
        in_contained_hat = True
        pps_set_profile = True
        pps_set_hat_external = False
@@ -1803,19 +1802,18 @@ def parse_profile_start(line, file, lineno, profile, hat):
            hat = profile
            pps_set_hat_external = False
        in_contained_hat = False
        pps_set_profile = False
    attachment = matches['attachment']
    flags = matches['flags']
    xattrs = matches['xattrs']
-    return (profile, hat, attachment, xattrs, flags, in_contained_hat, pps_set_profile, pps_set_hat_external)
+    return (profile, hat, attachment, xattrs, flags, pps_set_profile, pps_set_hat_external)
 def parse_profile_start_to_storage(line, file, lineno, profile, hat):
    ''' parse a profile start line (using parse_profile_startline()) and convert it to a ProfileStorage '''
-    (profile, hat, attachment, xattrs, flags, in_contained_hat, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)
+    (profile, hat, attachment, xattrs, flags, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)
    prof_storage = ProfileStorage(profile, hat, 'parse_profile_data() profile_start')
@@ -1831,7 +1829,7 @@ def parse_profile_start_to_storage(line, file, lineno, profile, hat):
    prof_storage['xattrs'] = xattrs
    prof_storage['flags'] = flags
-    return (profile, hat, in_contained_hat, prof_storage)
+    return (profile, hat, prof_storage)
 def parse_profile_data(data, file, do_include):
    profile_data = hasher()
@@ -1858,13 +1856,21 @@ def parse_profile_data(data, file, do_include):
            lastline = None
        # Starting line of a profile
        if RE_PROFILE_START.search(line):
-            (profile, hat, in_contained_hat, prof_storage) = parse_profile_start_to_storage(line, file, lineno, profile, hat)
+            # in_contained_hat is needed to know if we are already in a profile or not. (Simply checking if we are in a hat doesn't work,
            # because something like "profile foo//bar" will set profile and hat at once, and later (wrongfully) expect another "}".
            # The logic is simple and resembles a "poor man's stack" (with limited/hardcoded height).
            if profile:
                in_contained_hat = True
            else:
                in_contained_hat = False
            (profile, hat, prof_storage) = parse_profile_start_to_storage(line, file, lineno, profile, hat)
            if profile_data[profile].get(hat, False):
                raise AppArmorException('Profile %(profile)s defined twice in %(file)s, last found in line %(line)s' %
                    { 'file': file, 'line': lineno + 1, 'profile': combine_name(profile, hat) })
-            profile_data[profname] = prof_storage
+            profile_data[profile][hat] = prof_storage
            # Save the initial comment
            if initial_comment:
--- a/utils/test/test-aa.py
+++ b/utils/test/test-aa.py
@@ -507,16 +507,16 @@ class AaTest_is_skippable_dir(AATest):
 class AaTest_parse_profile_start(AATest):
    tests = [
-        # profile start line                                    profile hat          profile                    hat                attachment   xattrs                      flags       in_contained_hat, pps_set_profile, pps_set_hat_external
+        # profile start line                                    profile hat          profile                    hat                attachment   xattrs                      flags       pps_set_profile, pps_set_hat_external
-        (('/foo {',                                             None,   None),      ('/foo',                    '/foo',                 None,   None,                       None,       False,  False,  False)),
+        (('/foo {',                                             None,   None),      ('/foo',                    '/foo',                 None,   None,                       None,       False,           False)),
-        (('/foo (complain) {',                                  None,   None),      ('/foo',                    '/foo',                 None,   None,                       'complain', False,  False,  False)),
+        (('/foo (complain) {',                                  None,   None),      ('/foo',                    '/foo',                 None,   None,                       'complain', False,           False)),
-        (('profile foo /foo {',                                 None,   None),      ('foo',                     'foo',                  '/foo', None,                       None,       False,  False,  False)),            # named profile
+        (('profile foo /foo {',                                 None,   None),      ('foo',                     'foo',                  '/foo', None,                       None,       False,           False)),            # named profile
-        (('profile /foo {',                                     '/bar', '/bar'),    ('/bar',                    '/foo',                 None,   None,                       None,       True,   True,   False)),            # child profile
+        (('profile /foo {',                                     '/bar', '/bar'),    ('/bar',                    '/foo',                 None,   None,                       None,       True,            False)),            # child profile
-        (('/foo//bar {',                                        None,   None),      ('/foo',                    'bar',                  None,   None,                       None,       False,  False,  True )),            # external hat
+        (('/foo//bar {',                                        None,   None),      ('/foo',                    'bar',                  None,   None,                       None,       False,           True )),            # external hat
-        (('profile "/foo" (complain) {',                        None,   None),      ('/foo',                    '/foo',                 None,   None,                       'complain', False,  False,  False)),
+        (('profile "/foo" (complain) {',                        None,   None),      ('/foo',                    '/foo',                 None,   None,                       'complain', False,           False)),
-        (('profile "/foo" xattrs=(user.bar=bar) {',             None,   None),      ('/foo',                    '/foo',                 None,   'user.bar=bar',             None,       False,  False,  False)),
+        (('profile "/foo" xattrs=(user.bar=bar) {',             None,   None),      ('/foo',                    '/foo',                 None,   'user.bar=bar',             None,       False,           False)),
-        (('profile "/foo" xattrs=(user.bar=bar user.foo=*) {',  None,   None),      ('/foo',                    '/foo',                 None,   'user.bar=bar user.foo=*',  None,       False,  False,  False)),
+        (('profile "/foo" xattrs=(user.bar=bar user.foo=*) {',  None,   None),      ('/foo',                    '/foo',                 None,   'user.bar=bar user.foo=*',  None,       False,           False)),
-        (('/usr/bin/xattrs-test xattrs=(myvalue="foo.bar") {',  None,   None),      ('/usr/bin/xattrs-test',    '/usr/bin/xattrs-test', None,   'myvalue="foo.bar"',        None,       False,  False,  False)),
+        (('/usr/bin/xattrs-test xattrs=(myvalue="foo.bar") {',  None,   None),      ('/usr/bin/xattrs-test',    '/usr/bin/xattrs-test', None,   'myvalue="foo.bar"',        None,       False,           False)),
    ]
    def _run_test(self, params, expected):
@@ -524,7 +524,7 @@ class AaTest_parse_profile_start(AATest):
        self.assertEqual(parsed, expected)
-        (profile, hat, in_contained_hat, prof_storage) = parse_profile_start_to_storage(params[0], 'somefile', 1, params[1], params[2])
+        (profile, hat, prof_storage) = parse_profile_start_to_storage(params[0], 'somefile', 1, params[1], params[2])
        self.assertEqual(profile,                       expected[0])
        self.assertEqual(hat,                           expected[1])
@@ -534,9 +534,8 @@ class AaTest_parse_profile_start(AATest):
            self.assertEqual(prof_storage['attachment'],    expected[2])
        self.assertEqual(prof_storage['xattrs'],        expected[3])
        self.assertEqual(prof_storage['flags'],         expected[4])
-        self.assertEqual(in_contained_hat,              expected[5])
+        self.assertEqual(prof_storage['profile'],       expected[5])
-        self.assertEqual(prof_storage['profile'],       expected[6])
+        self.assertEqual(prof_storage['external'],      expected[6])
        self.assertEqual(prof_storage['external'],      expected[7])
 class AaTest_parse_profile_start_errors(AATest):
    tests = [