Merge ask_exec: ignore events for missing profiles

... and not only for events in missing hats.

This fixes a crash if the log contains exec events for a hat where not
even the parent profile exists.

I propose this patch for master, 4.0 and 3.1.

(In 3.0, `aa` is still a `hasher` which avoids the crash, therefore it doesn't really need this patch.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1265
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Christian Boltz 2024-07-11 12:03:23 +00:00
commit 3ea19d5f32


@ -774,9 +774,12 @@ def ask_exec(hashlog):
raise AppArmorBug(
'exec permissions requested for directory %s (profile %s). This should not happen - please open a bugreport!' % (exec_target, full_profile))
if not aa[profile].get(hat):
if not aa.get(profile):
continue # ignore log entries for non-existing profiles
if not aa[profile].get(hat):
continue # ignore log entries for non-existing hats
exec_event = FileRule(exec_target, None, FileRule.ANY_EXEC, FileRule.ALL, owner=False, log_event=True)
if is_known_rule(aa[profile][hat], 'file', exec_event):
continue
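
Review bot: The two new `continue` branches (`if not aa.get(profile):` and `if not aa[profile].get(hat):`) drop the exec event silently, so a user whose log refers to a profile that is not present in `aa` gets no hint why nothing is asked for it. Consider emitting a debug message naming `profile` and `hat` before each `continue`. Both checks also test truthiness rather than membership, so an entry that exists but is empty is skipped the same way as a missing one; if only absence is meant, `profile not in aa` states that more directly. A regression test feeding `ask_exec` an exec event for a hat whose parent profile does not exist would keep the crash described in the commit message from coming back.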