aa-mergeprof: crash in ask_the_question() when calling profile_known_network()

Bug #1382241 reported by Christian Boltz
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Fix Released | Low | Christian Boltz |

Bug Description

aa-mergeprof around line 710, in ask_the_question():

            for allow in ['allow', 'deny']:
                for family in sorted(other.aa[profile][hat][allow]['netdomain']['rule'].keys()):
                    # severity handling for net toggles goes here

                    for sock_type in sorted(other.aa[profile][hat][allow]['netdomain']['rule'][family].keys()):
                        if apparmor.aa.profile_known_network(self.user.aa[profile][hat], family, sock_type):
                            continue

The apparmor.aa.profile_known_network() call crashes aa-mergeprof with:

# python3 ~/apparmor/HEAD-CLEAN/utils/aa-mergeprof -d ../../INSTALL/ usr.sbin.couriertls

 Merging profile for /usr/sbin/couriertls
 Traceback (most recent call last):
   File "/home/cb/apparmor/HEAD-CLEAN/utils/aa-mergeprof", line 809, in <module>
     main()
   File "/home/cb/apparmor/HEAD-CLEAN/utils/aa-mergeprof", line 113, in main
     act([user_file, base_file, None], 2, profile_name)
   File "/home/cb/apparmor/HEAD-CLEAN/utils/aa-mergeprof", line 150, in act
     mergeprofiles.ask_the_questions('base', merging_profile)
   File "/home/cb/apparmor/HEAD-CLEAN/utils/aa-mergeprof", line 727, in ask_the_questions
     if apparmor.aa.profile_known_network(self.user.aa[profile][hat], family, sock_type):
   File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/aa.py", line 4444, in profile_known_network
     if netrules_access_check(include[incname][incname]['deny']['netdomain'], family, sock_type):
 KeyError: 'abstractions/base'

The reason for the crash is that profile_known_network() in aa.py expects the global variable 'include' to be filled, but it's empty at this time.

By disabling the profile_known_network() call, aa-mergeprof asks for network rules that are in the "new" profile, but already covered by an abstraction. This doesn't hurt much because the cleanprof run at the end removes them again ;-)

(Note to myself: this is easily reproducible with the profiles from da2.)

Tags: aa-tools
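
A simplified model of the failure described in the bug description, as an added example that is not part of the report or AppArmor's own code. The function names follow the traceback, but the bodies, the load_include() helper, the return values and the ABSTRACTIONS sample data are assumptions constructed for illustration; it shows the KeyError raised while the global include cache is empty, next to a variant that fills the cache on demand.

```python
# Simplified model of the crash. Names mirror the traceback, but every body
# here is constructed for illustration and is not AppArmor's implementation.

include = {}  # global cache of parsed abstractions, keyed by include name

# Constructed stand-in for an abstraction file on disk (hypothetical content).
ABSTRACTIONS = {'abstractions/base': {'allow': {'inet': {'stream': True}}, 'deny': {}}}


def load_include(incname):
    """Hypothetical loader: parse one abstraction into the global cache."""
    rules = ABSTRACTIONS[incname]
    include[incname] = {incname: {
        'allow': {'netdomain': {'rule': rules['allow']}},
        'deny': {'netdomain': {'rule': rules['deny']}},
    }}


def netrules_access_check(netrules, family, sock_type):
    """True if the rule set mentions this family/socket type."""
    return bool(netrules['rule'].get(family, {}).get(sock_type))


def profile_known_network(profile, family, sock_type):
    """Fragile form: assumes every include is already in the cache."""
    for incname in profile['include']:
        if netrules_access_check(include[incname][incname]['deny']['netdomain'], family, sock_type):
            return -1  # covered by a deny rule (model's convention)
        if netrules_access_check(include[incname][incname]['allow']['netdomain'], family, sock_type):
            return 1   # covered by an allow rule (model's convention)
    return 0


def profile_known_network_lazy(profile, family, sock_type):
    """Defensive form: populate missing cache entries before reading them."""
    for incname in profile['include']:
        if incname not in include:
            load_include(incname)
    return profile_known_network(profile, family, sock_type)


def demo():
    """Return (key that raised KeyError, result of the lazy variant)."""
    include.clear()  # the state aa-mergeprof was in, per the report
    profile = {'include': {'abstractions/base': True}}
    try:
        profile_known_network(profile, 'inet', 'stream')
        crashed = None
    except KeyError as exc:
        crashed = exc.args[0]
    return crashed, profile_known_network_lazy(profile, 'inet', 'stream')
```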

Christian Boltz (cboltz)
summary: aa-mergeprof: crash in ask_the_question() when calling
- profile_known_host()
+ profile_known_network()
Steve Beattie (sbeattie)
Changed in apparmor:
status: New → Triaged
importance: Undecided → Low
Christian Boltz (cboltz) wrote :

For the record - with the NetworkRule / NetworkRuleset classes, is_known_rule() needs to be called instead of profile_known_network(). I didn't test yet if this also crashes ;-)

Christian Boltz (cboltz)
Changed in apparmor:
assignee: nobody → Christian Boltz (cboltz)
status: Triaged → Fix Committed
milestone: none → 2.10
Steve Beattie (sbeattie) wrote :

AppArmor 2.10 has been released: https://launchpad.net/apparmor/2.10/2.10

Changed in apparmor:
status: Fix Committed → Fix Released