AppArmor

aa-cleanprof returns wrong count for deleted rules

Bug #1462794 reported by Kshitij Gupta on 2015-06-07

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

aa-cleanprof deletes duplicate rules and imports but the same is not reflected in the output (in both trunk and 2.9).

The tool shows:

Deleted 0 rules.

Whereas upon selecting the [(V)iew Changes] option we can see:

/usr/sbin/ntpd {
-
- #include <abstractions/xad>
#include <abstractions/xad>

-
- /etc/ntpd.conf.tmp r,
-
/etc/ntpd.conf.tmp r,
+
}

i.e. 1 import and 1 rule was removed by aa-cleanprof

Minimal test profile:

/usr/sbin/ntpd {

#include <abstractions/xad>
#include <abstractions/xad>

/etc/ntpd.conf.tmp r,

/etc/ntpd.conf.tmp r,
}

Tags:

Revision history for this message

Christian Boltz (cboltz) wrote on 2015-06-07:

That's caused by the fact that the rules are exact duplicates, and how we store them in the aa hasher

For example the two #include lines map to
aa['/usr/sbin/ntpd']['/usr/sbin/ntpd']['include']['abstractions/xad'] = True
aa['/usr/sbin/ntpd']['/usr/sbin/ntpd']['include']['abstractions/xad'] = True
so the de-duplication accidently ;-) already happens in parse_profile_data and isn't even recognized as de-duplication.

The same happens for the two identical file rules, except that parsing and storing them is a bit more interesting[tm].

Revision history for this message

Christian Boltz (cboltz) wrote on 2016-08-14:

This should be fixed for file rules with the FileRule patches I sent to the mailinglist two days ago.

#include lines will still automagically de-duplicate in parse_profile_data().

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.