On 06/06/2015 05:17 PM, Christian Boltz wrote:
> Hello,
> 
> are hat declarations like
> 
> /foo {
>   ^hat,
> }
> 
> still allowed/valid? The tools accept them, but the 2.9.2 parser errors 
> out with   unexpected TOK_END_OF_RULE, expecting TOK_OPEN
> 
Interesting question. How about maybe?

In actual fact there is no need for a hat rule anymore, the flag is carried
on the profile and not in the profile rules.

The hat rules were added in 2.3 for external hats, but there were several
issues around them, and they got largely ripped out in favor of just using
a flag on the profile.

The ability to parse the rule was kept around so that the update wouldn't
outright break people's policy. At some point our refactoring has done
away with this vestigial rule. And no one has complained, so I would
say no, not anymore.


> 
> I'm asking because I found an interesting bug:
> 
> If you have this profile
> 
> /foo {
>   ^hat,
>   ^hat {
>       network,
>   }
> }
> 
> and save it (for example via aa-cleanprof, "view changes" is enough), the
>   ^hat,
> line is dropped. No problem so far.
> 
> Unfortunately if you have
> 
> /foo {
>   ^hat {
>       network,
>   }
>   ^hat,
> }
> 
> you will end up with
> 
> /foo {
>   ^hat,
> }
> 
> (last one wins!)
> and that is clearly something you don't want.
> 
indeed

> 
> This is caused by the 'declared' flag and how write_piece() in aa.py handles 
> it:
> 
>         if profile_data[hat].get('declared', False):
>             data.append('%s^%s,' % (pre2, hat))
> ...
>             if not profile_data[hat]['external'] and not profile_data[hat]['declared']:
>                 # write hat with content
> 
> So before I start fixing that bug, I'd like to know if
>   ^hat,
> is still allowed - if not, removing the code for it would be the easiest 
> solution.
> 
> 
> 
> Oh, and I found all this while hunting down another bug ;-)
> 
> To make things more interesting, that other bug crashes aa-cleanprof 
> 80% of the time, but it works well 20% of the time with exactly the same
> profile directory.
> 
> The test profile is attached to this mail. Store it in an empty directory,
> add symlinks to abstractions and tunables and run (using latest bzr 
> trunk of course)
>     python3 aa-cleanprof -d /your/test/directory/   /usr/sbin/sshd
> 
> Questions are:
> - can you reproduce the crash? (should be easy)
> - does it work sometimes? (as in "you can view the changes")
> - most interesting (and difficult) question: WHY doesn't it crash 20%
>   of the time? (Try to find this out only if you have some free time ;-)
> 
> On the positive side, I'm just testing a (quite intrusive, sorry) patch 
> that fixes it in 100% of the time :-)
> 
no idea but I will play and report back



-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
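The "last one wins" behaviour from the quoted report, as an added toy model that is not aa.py's own code: a small parser that, like the tools, only sets a 'declared' flag when it meets a bare `^hat,`, and a writer mirroring the two write_piece() branches, run on constructed profiles in both orders. Names (`parse_hats`, `write_hats`, the `fixed` switch) are assumptions for this illustration.

```python
import re

# Constructed test profiles (not the sshd profile attached to the mail).
PROFILE_DECL_FIRST = "/foo {\n  ^hat,\n  ^hat {\n      network,\n  }\n}"
PROFILE_DECL_LAST = "/foo {\n  ^hat {\n      network,\n  }\n  ^hat,\n}"

HAT_DECL = re.compile(r'^\s*\^(\S+),\s*$')      # bare declaration: ^hat,
HAT_OPEN = re.compile(r'^\s*\^(\S+)\s*\{\s*$')  # hat with a body:   ^hat {

def parse_hats(text):
    """Toy stand-in for the aa.py parser (not its code).
    Returns {hat: {'declared': bool, 'rules': [...]}}. A bare '^hat,'
    only sets the flag; a '^hat {' body replaces whatever came before."""
    hats, current = {}, None
    for line in text.splitlines():
        m = HAT_DECL.match(line)
        if m:
            name = m.group(1)
            if name in hats:  # a later ^hat, flags the entry that has content
                hats[name]['declared'] = True
            else:
                hats[name] = {'declared': True, 'rules': []}
            continue
        m = HAT_OPEN.match(line)
        if m:
            current = m.group(1)
            hats[current] = {'declared': False, 'rules': []}  # body wins
            continue
        if current is not None:
            if line.strip() == '}':
                current = None
            elif line.strip():
                hats[current]['rules'].append(line.strip())
    return hats

def write_hats(hats, fixed, indent='  '):
    """Mirrors the two write_piece() branches quoted in the mail.
    fixed=False reproduces 'last one wins'; fixed=True never lets the
    'declared' flag suppress a hat that has rules of its own."""
    out = []
    for hat, data in hats.items():
        if data['declared'] and not (fixed and data['rules']):
            out.append('%s^%s,' % (indent, hat))  # declaration only
        else:
            out.append('%s^%s {' % (indent, hat))
            out.extend('%s    %s' % (indent, r) for r in data['rules'])
            out.append('%s}' % indent)
    return '\n'.join(out)
```

With `fixed=False` the declaration-last profile is written back as just `  ^hat,`, exactly the data loss the report describes; with `fixed=True` the hat body survives in both orders.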