If a filename mentioned in audit.log contains an @, aa-logprof crashes with

...
  File "/home/cb/apparmor/HEAD-CLEAN/utils/apparmor/severity.py", line 147, in handle_variable_rank
      variable = regex_variable.search(resource).groups()[0]
	  AttributeError: 'NoneType' object has no attribute 'groups'

handle_variable_rank() checked with   if '@' in resource:
and if it finds it, expects it can match a variable, which means   @{.....}
If a filename contains a   @   this fails.

The patch fixes the if condition so that it does a regex match.

It also adds two testcases for filenames containing @ to make sure they
don't cause a crash and result in the expected severity rank.


Acked-by: Steve Beattie <steve@nxnw.org>
Christian Boltz 2014-10-14 12:50:20 +02:00
parent 9a960a22a9
commit 7e84f4efe9
2 changed files with 5 additions and 3 deletions


@ -143,9 +143,9 @@ class Severity(object):
"""Returns the max possible rank for file resources containing variables"""
regex_variable = re.compile('@{([^{.]*)}')
rank = None
if '@' in resource:
variable = regex_variable.search(resource).groups()[0]
variable = '@{%s}' % variable
matches = regex_variable.search(resource)
if matches:
variable = '@{%s}' % matches.groups()[0]
#variables = regex_variable.findall(resource)
for replacement in self.severity['VARIABLES'][variable]:
resource_replaced = self.variable_replace(variable, replacement, resource)
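Review bot: The lookup `self.severity['VARIABLES'][variable]` inside the new `if matches:` branch can still raise when a path from the log contains a well-formed `@{name}` whose name is not a loaded variable, so the crash this commit fixes for a bare `@` appears to remain for that input (assuming `VARIABLES` is a plain dict, which the hunk does not show). These paths come from audit.log and are not under the tool's control, so I would guard the lookup, e.g. `for replacement in self.severity['VARIABLES'].get(variable, []):`, and make sure the code after the loop copes with `rank` still being None. The body of handle_variable_rank continues past the end of the hunk, so the no-match branch and the return are not visible here.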


@ -52,6 +52,8 @@ class Test(unittest.TestCase):
self.assertEqual(rank, 9, 'Wrong rank')
self.assertEqual(sev_db.rank('/etc/apparmor/**', 'r') , 6, 'Invalid Rank')
self.assertEqual(sev_db.rank('/etc/**', 'r') , 10, 'Invalid Rank')
self.assertEqual(sev_db.rank('/usr/foo@bar', 'r') , 10, 'Invalid Rank') ## filename containing @
self.assertEqual(sev_db.rank('/home/foo@bar', 'rw') , 6, 'Invalid Rank') ## filename containing @
# Load all variables for /sbin/klogd and test them
sev_db.load_variables('profiles/sbin.klogd')
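Review bot: The two added assertions cover a bare `@` in a filename but not the neighbouring shapes the regex now decides on: an `@{` with no closing brace, and a complete `@{name}` that names no variable in the database. One assertion for each next to these would pin the behaviour, for example `self.assertEqual(sev_db.rank('/usr/foo@{bar', 'r'), 10, 'Invalid Rank')`; the expected rank of 10 is my guess from the `/usr/foo@bar` case and needs confirming. The test method starts and ends outside the hunk.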