Hello,

aa-logprof raises an exception if
- an include file contains a hat
- that file is included in a profile and
- aa-logprof hits an audit log entry for this profile

Reproducer:
python3 aa-logprof -f <(echo 'Jun 19 11:50:36 piorun kernel: [4474496.458789] audit: type=1400 audit(1434707436.696:153): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=2910 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0') -d ../profiles/apparmor.d/

This happens because profiles/apparmor.d/apache2.d/phpsysinfo was
already read when pre-loading the include files.

This patch changes aa.py parse_profile_data() to only raise the
exception if it is not handling includes currently.

I'm able to reproduce this issue with trunk and 2.9 and therefore
propose this patch for both. (Interestingly, this code has existed since
r0.1.38, and nobody has noticed it yet...)


[ 53-fix-logprof-for-hat-in-include.diff ]

=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py        2015-06-19 21:44:46.134232664 +0200
+++ utils/apparmor/aa.py        2015-06-21 18:57:50.915891775 +0200
@@ -3008,7 +3008,7 @@
             if initial_comment:
                 profile_data[profile][hat]['initial_comment'] = initial_comment
             initial_comment = ''
-            if filelist[file]['profiles'][profile].get(hat, False):
+            if filelist[file]['profiles'][profile].get(hat, False) and not 
do_include:
                 raise AppArmorException(_('Error: Multiple definitions for hat 
%(hat)s in profile %(profile)s.') % { 'hat': hat, 'profile': profile })
             filelist[file]['profiles'][profile][hat] = True
 
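Review bot: the added `and not do_include` on the duplicate-hat check turns the check off for every include file, so a hat that really is defined twice inside an included file would no longer raise "Multiple definitions for hat". The description says the trigger is that the include was already read during pre-loading, so it may be cleaner to skip re-parsing an include that is already loaded (or reset its filelist entry before re-reading it) and keep the check active. If the condition stays as written, a short comment on this line explaining why includes are exempt, and a test built from the reproducer above, would make the intent clear.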



Regards,

Christian Boltz
-- 
> By the way, the test bug (#48) is a duplicate of bug #29 ;-)
Shit. Will you file a bug report? :-)
[> Christian Boltz and Ratti in fontlinge-devel]

