On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote:
> Hello,
> 
> CleanProf.remove_duplicate_rules() didn't call
>   $profile['capability'].delete_duplicates()
> because aa-cleanprof sets same_file=True.
> 
> Fix this by calling delete_duplicates(None) so that it
> only checks the profile against itself.
>
> [ 43-cleanprof-do-in-profile-run.diff ]
> 
> === modified file 'utils/apparmor/cleanprofile.py'
> --- utils/apparmor/cleanprofile.py      2014-12-16 22:13:25 +0000
> +++ utils/apparmor/cleanprofile.py      2015-04-11 22:35:00 +0000
> @@ -67,6 +67,8 @@
>              #Clean the duplicates of caps in other profile
>              if not self.same_file:
>                  deleted += 
> self.other.aa[program][hat]['capability'].delete_duplicates(self.profile.aa[program][hat]['capability'])
> +            else:
> +                deleted += 
> self.other.aa[program][hat]['capability'].delete_duplicates(None)
>  
>              #Clean the duplicates of path in other profile
>              deleted += delete_path_duplicates(self.profile.aa[program][hat], 
> self.other.aa[program][hat], 'allow', self.same_file)
> 
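Review bot: the new `else` branch calls `delete_duplicates(None)` on `self.other.aa[program][hat]['capability']`, but the run reproduced further down in this reply (`Deleted 0 rules.`, and both `capability setuid,` lines still present in bin.true afterwards) shows it does not remove an in-profile duplicate, so check what `delete_duplicates` does when it is handed `None` instead of a ruleset, and whether `self.other` is the object aa-cleanprof actually writes back when `same_file` is set. A regression test that feeds a profile containing two identical capability rules through `remove_duplicate_rules()` with `same_file=True` and asserts a nonzero deleted count would pin the intended behaviour down before this lands.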

This patch does not seem to do what you claim it does:

ubuntu@vivid-amd64:~/bzr/apparmor/utils$ cat ~/tmp/aa-test/bin.true
# Last Modified: Mon Apr 13 11:41:53 2015
#include <tunables/global>

/bin/true {
  #include <abstractions/base>

  capability setuid,
  capability setuid,

  audit /bin/true ix,

}

ubuntu@vivid-amd64:~/bzr/apparmor/utils$ quilt diff
Index: utils/apparmor/cleanprofile.py
===================================================================
--- utils/apparmor/cleanprofile.py.orig
+++ utils/apparmor/cleanprofile.py
@@ -67,6 +67,8 @@ class CleanProf(object):
             #Clean the duplicates of caps in other profile
             if not self.same_file:
                 deleted +=
self.other.aa[program][hat]['capability'].delete_duplicates(self.profile.aa[program][hat]['capability'])
+            else:
+                deleted += 
self.other.aa[program][hat]['capability'].delete_duplicates(None)

             #Clean the duplicates of path in other profile
             deleted += delete_path_duplicates(self.profile.aa[program][hat], 
self.other.aa[program][hat], 'allow', self.same_file)

ubuntu@vivid-amd64:~/bzr/apparmor/utils$ PYTHONPATH=$PWD ./aa-cleanprof
-d ~/tmp/aa-test/ /bin/true

Deleted 0 rules.

= Changed Local Profiles =

The local profile for /bin/true in file /home/ubuntu/tmp/aa-test/bin.true was 
changed. Would you like to save it?

(S)ave Changes / [(V)iew Changes] / Abo(r)t
--- /home/ubuntu/tmp/aa-test/bin.true   2015-04-13 11:41:53.738751583 -0700
+++ /tmp/tmpFoJrhN      2015-04-13 11:43:17.098747948 -0700
@@ -1,4 +1,3 @@
-# Last Modified: Mon Apr 13 11:41:53 2015
 #include <tunables/global>

 /bin/true {

= Changed Local Profiles =

The local profile for /bin/true in file /home/ubuntu/tmp/aa-test/bin.true was 
changed. Would you like to save it?

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /bin/true.

ubuntu@vivid-amd64:~/bzr/apparmor/utils$ cat ~/tmp/aa-test/bin.true
# Last Modified: Mon Apr 13 11:43:20 2015
#include <tunables/global>

/bin/true {
  #include <abstractions/base>

  capability setuid,
  capability setuid,

  audit /bin/true ix,

}

-- 
Steve Beattie
<sbeat...@ubuntu.com>
http://NxNW.org/~steve/


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com