mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Check for duplicate profiles

Browse source 
Having two profiles for the same binary is "technically allowed", but it
leads to interesting[tm] behaviour because one of them "wins" depending
on the load order. To make things even more interesting, the kernel load
order can be different from the tools load order, leading to even more
fun.

Short version: you do _not_ want that situation ;-)

This patch adds a duplicate check to attach_profile_data() so that it
errors out if it finds duplicate profiles or hats, and lists the profile
files that contain them.



Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for both trunk and 2.9.
This commit is contained in:
Christian Boltz 2015-08-03 01:17:53 +02:00
parent 426edf3233
commit c9e16d874e
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
utils/apparmor/aa.py
View file

@ -2512,6 +2512,13 @@ def attach_profile_data(profiles, profile_data):
# Make deep copy of data to avoid changes to # Make deep copy of data to avoid changes to
# arising due to mutables # arising due to mutables
for p in profile_data.keys(): for p in profile_data.keys():
if profiles.get(p, False):
for hat in profile_data[p].keys():
if profiles[p].get(hat, False):
raise AppArmorException(_("Conflicting profiles for %s defined in two files:\n- %s\n- %s") %
# 'filename' is not set for hats, therefore print the filename of the main profile
(combine_name(p, hat), profiles[p][p]['filename'], profile_data[p][p]['filename']))
profiles[p] = deepcopy(profile_data[p]) profiles[p] = deepcopy(profile_data[p])